[OE-core] [ROCKO][PATCH 07/27] binutls: Security fix for CVE-2017-14939
Armin Kuster
akuster808 at gmail.com
Wed Aug 8 15:35:02 UTC 2018
From: Armin Kuster <akuster at mvista.com>
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 +
.../binutils/binutils/CVE-2017-14939.patch | 56 ++++++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 8e92b92..c0ad94c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -42,6 +42,7 @@ SRC_URI = "\
file://CVE-2017-14933_p2.patch \
file://CVE-2017-14934.patch \
file://CVE-2017-14938.patch \
+ file://CVE-2017-14939.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch
new file mode 100644
index 0000000..d1e4c3e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch
@@ -0,0 +1,56 @@
+From 515f23e63c0074ab531bc954f84ca40c6281a724 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra at gmail.com>
+Date: Sun, 24 Sep 2017 14:36:16 +0930
+Subject: [PATCH] PR22169, heap-based buffer overflow in read_1_byte
+
+The .debug_line header length field doesn't include the length field
+itself, ie. it's the size of the rest of .debug_line.
+
+ PR 22169
+ * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14939
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/dwarf2.c | 7 ++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -2084,12 +2084,13 @@ decode_line_info (struct comp_unit *unit
+ offset_size = 8;
+ }
+
+- if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
++ if (lh.total_length > (size_t) (line_end - line_ptr))
+ {
+ _bfd_error_handler
+ /* xgettext: c-format */
+- (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
+- lh.total_length, stash->dwarf_line_size - unit->line_offset);
++ (_("Dwarf Error: Line info data is bigger (%#Lx)"
++ " than the space remaining in the section (%#lx)"),
++ lh.total_length, (unsigned long) (line_end - line_ptr));
+ bfd_set_error (bfd_error_bad_value);
+ return NULL;
+ }
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,9 @@
+ 2017-09-24 Alan Modra <amodra at gmail.com>
++
++ PR 22169
++ * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
++
++2017-09-24 Alan Modra <amodra at gmail.com>
+
+ PR 22166
+ * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on
--
2.7.4
More information about the Openembedded-core
mailing list