[OE-core] [ROCKO][PATCH 05/12] Binutils: Security fix for CVE-2018-10535

Armin Kuster akuster808 at gmail.com
Wed Aug 8 21:54:12 UTC 2018 

From: Armin Kuster <akuster at mvista.com>

Affects: <= 2.30

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2018-10535.patch         | 63 ++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ab61745..4d9983b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -68,6 +68,7 @@ SRC_URI = "\
      file://CVE-2018-10372.patch \
      file://CVE-2018-10373.patch \
      file://CVE-2018-10534.patch \
+     file://CVE-2018-10535.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch
new file mode 100644
index 0000000..29b8343
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch
@@ -0,0 +1,63 @@
+From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Tue, 24 Apr 2018 16:57:04 +0100
+Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF
+ binary with corrupt section symbols.
+
+	PR 23113
+	* elf.c (ignore_section_sym): Check for the output_section pointer
+	being NULL before dereferencing it.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-10535
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ bfd/ChangeLog | 4 ++++
+ bfd/elf.c     | 9 ++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -3994,15 +3994,22 @@ ignore_section_sym (bfd *abfd, asymbol *
+ {
+   elf_symbol_type *type_ptr;
+ 
++  if (sym == NULL)
++    return FALSE;
++
+   if ((sym->flags & BSF_SECTION_SYM) == 0)
+     return FALSE;
+ 
++  if (sym->section == NULL)
++    return TRUE;
++
+   type_ptr = elf_symbol_from (abfd, sym);
+   return ((type_ptr != NULL
+ 	   && type_ptr->internal_elf_sym.st_shndx != 0
+ 	   && bfd_is_abs_section (sym->section))
+ 	  || !(sym->section->owner == abfd
+-	       || (sym->section->output_section->owner == abfd
++	       || (sym->section->output_section != NULL
++		   && sym->section->output_section->owner == abfd
+ 		   && sym->section->output_offset == 0)
+ 	       || bfd_is_abs_section (sym->section)));
+ }
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,10 @@
+ 2018-04-24  Nick Clifton  <nickc at redhat.com>
++ 
++       PR 23113
++       * elf.c (ignore_section_sym): Check for the output_section pointer
++       being NULL before dereferencing it.
++
++2018-04-24  Nick Clifton  <nickc at redhat.com>
+ 
+        PR 23110
+        * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for
-- 
2.7.4

More information about the Openembedded-core mailing list