system/binutils: fix CVE-2018-19931 and CVE-2018-19932

3 files changed, 87 insertions, 2 deletions

diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 4cd3901ec..67f81db9d 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
 pkgname=binutils
 pkgver=2.31.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools necessary to build programs"
 url="http://www.gnu.org/software/binutils/"
 depends=""
@@ -16,6 +16,8 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
 [ "${CARCH}" != "ppc" ] || options='!check'
 source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
 	binutils-ld-fix-static-linking.patch
+	CVE-2018-19931.patch
+	CVE-2018-19932.patch
 	disable-gnu-mbind.patch
 	disable-ifunc-tests.patch
 	disable-preinit-array-tests.patch
@@ -35,7 +37,10 @@ fi
 
 # secfixes:
 #   2.28-r1:
-#   - CVE-2017-7614
+#     - CVE-2017-7614
+#   2.31.1-r2:
+#     - CVE-2018-19931
+#     - CVE-2018-19932
 
 build() {
 	local _sysroot=/
@@ -114,6 +119,8 @@ libs() {
 
 sha512sums="0fca326feb1d5f5fe505a827b20237fe3ec9c13eaf7ec7e35847fd71184f605ba1cefe1314b1b8f8a29c0aa9d88162849ee1c1a3e70c2f7407d88339b17edb30  binutils-2.31.1.tar.xz
 ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49  binutils-ld-fix-static-linking.patch
+4cfece75605ea17df676692e9ed2a5f8b3221fdb93fca9655f67260a9f4fd4f9e5a62141f51ba9bb7819f4628cdda4fd3f2f82e947ba197980f2b0c2c58a147c  CVE-2018-19931.patch
+68d1699d66aeb9dabb76d2e56e881fe73e55cc9594741107bf9f1a23fd2c1dc4421d02317bfc0218b02ad1372d3a8a577044578fffbfd8504ca238be835c5ff0  CVE-2018-19932.patch
 d378fdf1964f8f2bd0b1e62827ac5884bdf943aa435ec89c29fc84bb045d406b733fffaff8fdd8bd1cba8ddea7701c4cf6ccf3ed76a8a3df9c72b447737575a6  disable-gnu-mbind.patch
 474ab24097bbb5b24433620549e5234fe65c547824c1342f693c718ffbc81e2d968259cce2d650b55200dd1ec89da207ea2db10c551cd9941285c4600b4297b2  disable-ifunc-tests.patch
 3537752e63cef0b5ef136d003ff7e814ba66b12624d817430112d0f291a792e8960fa69a78036f526af835441b3ee483d6a53d55c7b3dd8ee96f0399682dbcbe  disable-preinit-array-tests.patch
diff --git a/system/binutils/CVE-2018-19931.patch b/system/binutils/CVE-2018-19931.patch
new file mode 100644
index 000000000..99a9797e3
--- /dev/null
+++ b/system/binutils/CVE-2018-19931.patch
@@ -0,0 +1,31 @@
+From 5f60af5d24d181371d67534fa273dd221df20c07 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Nov 2018 11:45:33 +0000
+Subject: [PATCH] Fix a memory exhaustion bug when attempting to allocate room
+ for an impossible number of program headers.
+
+	* elfcode.h (elf_object_p): Check for corrupt input files with
+	more program headers than can actually fit in the file.
+---
+ bfd/elfcode.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index f224c8b..16ed8e5 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -784,6 +784,11 @@ elf_object_p (bfd *abfd)
+       if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ 	goto got_wrong_format_error;
+ #endif
++      /* Check for a corrupt input file with an impossibly large number
++	 of program headers.  */
++      if (bfd_get_file_size (abfd) > 0
++	  && i_ehdrp->e_phnum > bfd_get_file_size (abfd))
++	goto got_no_match;
+       amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
+       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
+       if (elf_tdata (abfd)->phdr == NULL)
+-- 
+2.9.3
+
diff --git a/system/binutils/CVE-2018-19932.patch b/system/binutils/CVE-2018-19932.patch
new file mode 100644
index 000000000..383aae70f
--- /dev/null
+++ b/system/binutils/CVE-2018-19932.patch
@@ -0,0 +1,47 @@
+From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Nov 2018 11:43:12 +0000
+Subject: [PATCH] Remove an abort in the bfd library and add a check for an
+ integer overflow when mapping sections to segments.
+
+	PR 23932
+	* elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
+	size.
+	(rewrite_elf_program_header): If no sections are mapped into a
+	segment return an error.
+---
+ bfd/elf.c     | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 604971d..79a76be 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+      the given segment.  LMA addresses are compared.  */
+ #define IS_CONTAINED_BY_LMA(section, segment, base)			\
+   (section->lma >= base							\
++   && (section->lma + SECTION_SIZE (section, segment) >= section->lma)	\
+    && (section->lma + SECTION_SIZE (section, segment)			\
+        <= SEGMENT_END (segment, base)))
+ 
+@@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ 		suggested_lma = output_section;
+ 	    }
+ 
+-	  BFD_ASSERT (map->count > 0);
++	  /* PR 23932.  A corrupt input file may contain sections that cannot
++	     be assigned to any segment - because for example they have a
++	     negative size - or segments that do not contain any sections.  */
++	  if (map->count == 0)
++	    {
++	      bfd_set_error (bfd_error_bad_value);
++	      free (sections);
++	      return FALSE;
++	    }
+ 
+ 	  /* Add the current segment to the list of built segments.  */
+ 	  *pointer_to_map = map;
+-- 
+2.9.3
+