summaryrefslogtreecommitdiff
path: root/system/binutils
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2019-08-01 03:15:42 -0500
committerMax Rees <maxcrees@me.com>2019-08-01 03:15:42 -0500
commit0a29ea8a1e1a794d19ba9f23ccc2836379419e18 (patch)
tree407c1ab5977afd63aa60c6bd7308439700178682 /system/binutils
parentaddcb5d4b2d24c7927c597d156f5a31a3df2ab31 (diff)
downloadpackages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.tar.gz
packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.tar.bz2
packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.tar.xz
packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.zip
system/binutils: patch multiple CVEs (#116)
Diffstat (limited to 'system/binutils')
-rw-r--r--system/binutils/APKBUILD31
-rw-r--r--system/binutils/CVE-2019-12972.patch33
-rw-r--r--system/binutils/CVE-2019-14250.patch25
-rw-r--r--system/binutils/CVE-2019-9070-and-9071.patch128
-rw-r--r--system/binutils/CVE-2019-9073.patch31
-rw-r--r--system/binutils/CVE-2019-9074.patch49
-rw-r--r--system/binutils/CVE-2019-9075.patch96
-rw-r--r--system/binutils/CVE-2019-9077.patch33
8 files changed, 423 insertions, 3 deletions
diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 47b3609a2..c7924b43e 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
pkgname=binutils
pkgver=2.32
-pkgrel=1
+pkgrel=2
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
depends=""
@@ -23,6 +23,13 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
remove-pr19719-test.patch
remove-pr19553c-test.patch
srec.patch
+ CVE-2019-9070-and-9071.patch
+ CVE-2019-9073.patch
+ CVE-2019-9074.patch
+ CVE-2019-9075.patch
+ CVE-2019-9077.patch
+ CVE-2019-12972.patch
+ CVE-2019-14250.patch
"
if [ "$CHOST" != "$CTARGET" ]; then
@@ -33,12 +40,23 @@ if [ "$CHOST" != "$CTARGET" ]; then
builddir="$srcdir"/binutils-$pkgver
fi
-# secfixes:
+# secfixes: binutils
# 2.28-r1:
# - CVE-2017-7614
# 2.31.1-r2:
# - CVE-2018-19931
# - CVE-2018-19932
+# 2.32-r0:
+# - CVE-2018-1000876
+# 2.32-r2:
+# - CVE-2019-9070
+# - CVE-2019-9071
+# - CVE-2019-9073
+# - CVE-2019-9074
+# - CVE-2019-9075
+# - CVE-2019-9077
+# - CVE-2019-12972
+# - CVE-2019-14250
build() {
local _sysroot=/
@@ -124,4 +142,11 @@ d378fdf1964f8f2bd0b1e62827ac5884bdf943aa435ec89c29fc84bb045d406b733fffaff8fdd8bd
32ab4215669c728648179c124632467573a3d4675e79f0f0d221c22eb2ec1ca5488b79910bd09142f90a1e0d0b81d99ca4846297f4f9561f158db63745facb66 remove-pr2404-tests.patch
a193d1fa7f42d91915960460a15e4d24e0df529d81e23014bcf45d283fae76bb7b300fdcb0d0a9d521cdb9137322efa1dc357112596d6ae7a7fd05988ac359b9 remove-pr19719-test.patch
39ef9c76dd5db6b15f11ffa8061f7ca844fb79c3fb9879c3b1466eef332a28b833597c87003ab9f260b1b85023fae264659088aee27cad7e5aa77b2d58b9a3f6 remove-pr19553c-test.patch
-f720b3356b88e366c52941da056e543e4b42bc77f012e5b0290f79e15b0a31d855989ad01920680507a9df0544e5b8e26d0cf8d6f22fbdeb874af31cff4c16d3 srec.patch"
+f720b3356b88e366c52941da056e543e4b42bc77f012e5b0290f79e15b0a31d855989ad01920680507a9df0544e5b8e26d0cf8d6f22fbdeb874af31cff4c16d3 srec.patch
+f52d21f194c2d7dbdc56e93636d3228034ee1718b457e5a5ce289bba2454155846d1ff6ea8530d11a901a85c9af945360bc17cda9e7370c36362aa6c762154c7 CVE-2019-9070-and-9071.patch
+032fed723b610fe06e210e2ebee8d24962ecad1dc69d98d38e95f768c9ed64cb991158758ef71e684d6d762a30e9a852287836be2bb8a2aba27fe31d2792c0a0 CVE-2019-9073.patch
+16b4cc094a6846399e47271da6fe8d8bd8b70246e12e872fcafb85f11809b5699eddba723fbac664c062c02f9b5658ea9770e14c522e151cdea1d39e69c851dd CVE-2019-9074.patch
+a46b9211608e2f35219b95363a5ba90506742dcb9e4bd4a43915af6c0b3e74bd8339a8318dc2923c0952ef579112412cb1cf619a5f090066769a852587b27d03 CVE-2019-9075.patch
+c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be34df4954dbf02feb5232ebbecc596277fc2fe63673ed347c CVE-2019-9077.patch
+9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch
+c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch"
diff --git a/system/binutils/CVE-2019-12972.patch b/system/binutils/CVE-2019-12972.patch
new file mode 100644
index 000000000..82b41c014
--- /dev/null
+++ b/system/binutils/CVE-2019-12972.patch
@@ -0,0 +1,33 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+---
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index a0487b0..5180f79 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -754,7 +754,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-14250.patch b/system/binutils/CVE-2019-14250.patch
new file mode 100644
index 000000000..fedc4fa7f
--- /dev/null
+++ b/system/binutils/CVE-2019-14250.patch
@@ -0,0 +1,25 @@
+Author: marxin
+Date: Tue Jul 23 07:33:32 2019 UTC
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718
+
+libiberty: Check zero value shstrndx in simple-object-elf.c
+
+--- trunk/libiberty/simple-object-elf.c 2019/07/23 07:31:50 273717
++++ trunk/libiberty/simple-object-elf.c 2019/07/23 07:33:32 273718
+@@ -548,7 +548,15 @@
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/system/binutils/CVE-2019-9070-and-9071.patch b/system/binutils/CVE-2019-9070-and-9071.patch
new file mode 100644
index 000000000..5f401d147
--- /dev/null
+++ b/system/binutils/CVE-2019-9070-and-9071.patch
@@ -0,0 +1,128 @@
+Author: nickc
+Date: Wed Apr 10 14:44:47 2019 UTC
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=270258
+
+Fix a stack exhaustion bug in libiberty's demangler when decoding a
+pathalogically constructed mangled name.
+
+PR 89394
+* cp-demangle.c (cplus_demangle_fill_name): Reject negative
+lengths.
+(d_count_templates_scopes): Replace num_templates and num_scopes
+parameters with a struct d_print_info pointer parameter. Adjust
+body of the function accordingly. Add recursion counter and check
+that the recursion limit is not reached.
+(d_print_init): Pass dpi parameter to d_count_templates_scopes.
+Reset recursion counter afterwards, unless the recursion limit was
+reached.
+
+--- trunk/libiberty/cp-demangle.c 2019/04/10 14:39:59 270257
++++ trunk/libiberty/cp-demangle.c 2019/04/10 14:44:47 270258
+@@ -861,7 +861,7 @@
+ int
+ cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len)
+ {
+- if (p == NULL || s == NULL || len == 0)
++ if (p == NULL || s == NULL || len <= 0)
+ return 0;
+ p->d_printing = 0;
+ p->type = DEMANGLE_COMPONENT_NAME;
+@@ -4061,7 +4061,7 @@
+ are larger than the actual numbers encountered. */
+
+ static void
+-d_count_templates_scopes (int *num_templates, int *num_scopes,
++d_count_templates_scopes (struct d_print_info *dpi,
+ const struct demangle_component *dc)
+ {
+ if (dc == NULL)
+@@ -4081,13 +4081,13 @@
+ break;
+
+ case DEMANGLE_COMPONENT_TEMPLATE:
+- (*num_templates)++;
++ dpi->num_copy_templates++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_REFERENCE:
+ case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
+ if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
+- (*num_scopes)++;
++ dpi->num_saved_scopes++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_QUAL_NAME:
+@@ -4152,42 +4152,42 @@
+ case DEMANGLE_COMPONENT_TAGGED_NAME:
+ case DEMANGLE_COMPONENT_CLONE:
+ recurse_left_right:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_right (dc));
++ /* PR 89394 - Check for too much recursion. */
++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
++ /* FIXME: There ought to be a way to report to the
++ user that the recursion limit has been reached. */
++ return;
++
++ ++ dpi->recursion;
++ d_count_templates_scopes (dpi, d_left (dc));
++ d_count_templates_scopes (dpi, d_right (dc));
++ -- dpi->recursion;
+ break;
+
+ case DEMANGLE_COMPONENT_CTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_ctor.name);
++ d_count_templates_scopes (dpi, dc->u.s_ctor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_DTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_dtor.name);
++ d_count_templates_scopes (dpi, dc->u.s_dtor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_extended_operator.name);
++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
+ break;
+
+ case DEMANGLE_COMPONENT_FIXED_TYPE:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_fixed.length);
++ d_count_templates_scopes (dpi, dc->u.s_fixed.length);
+ break;
+
+ case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
+ case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
++ d_count_templates_scopes (dpi, d_left (dc));
+ break;
+
+ case DEMANGLE_COMPONENT_LAMBDA:
+ case DEMANGLE_COMPONENT_DEFAULT_ARG:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_unary_num.sub);
++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
+ break;
+ }
+ }
+@@ -4222,8 +4222,12 @@
+ dpi->next_copy_template = 0;
+ dpi->num_copy_templates = 0;
+
+- d_count_templates_scopes (&dpi->num_copy_templates,
+- &dpi->num_saved_scopes, dc);
++ d_count_templates_scopes (dpi, dc);
++ /* If we did not reach the recursion limit, then reset the
++ current recursion value back to 0, so that we can print
++ the templates. */
++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
++ dpi->recursion = 0;
+ dpi->num_copy_templates *= dpi->num_saved_scopes;
+
+ dpi->current_template = NULL;
diff --git a/system/binutils/CVE-2019-9073.patch b/system/binutils/CVE-2019-9073.patch
new file mode 100644
index 000000000..9ea45707b
--- /dev/null
+++ b/system/binutils/CVE-2019-9073.patch
@@ -0,0 +1,31 @@
+From 7d272a55caebfc26ab2e15d1e9439bac978b9bb7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 12:06:31 +1030
+Subject: [PATCH] PR24233, Out of memory
+
+ PR 24233
+ * objdump.c (dump_bfd_private_header): Print warning if
+ bfd_print_private_bfd_data returns false.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 8725390..7d0c6a4 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+- bfd_print_private_bfd_data (abfd, stdout);
++ if (!bfd_print_private_bfd_data (abfd, stdout))
++ non_fatal (_("warning: private headers incomplete: %s"),
++ bfd_errmsg (bfd_get_error ()));
+ }
+
+ static void
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9074.patch b/system/binutils/CVE-2019-9074.patch
new file mode 100644
index 000000000..74b6c2040
--- /dev/null
+++ b/system/binutils/CVE-2019-9074.patch
@@ -0,0 +1,49 @@
+From 179f2db0d9c397d7dd8a59907b84208b79f7f48c Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 19 Feb 2019 22:48:44 +1030
+Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
+
+ PR 24235
+ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+ attempting to prevent read past end of section.
+---
+ bfd/pei-x86_64.c | 9 ++++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
+index ff1093c..7e75104 100644
+--- a/bfd/pei-x86_64.c
++++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ /* virt_size might be zero for objects. */
+ if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+ {
+- stop = (datasize / onaline) * onaline;
++ stop = datasize;
+ virt_size_is_zero = TRUE;
+ }
+ else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ pdata_section->name, (unsigned long) datasize,
+ (unsigned long) stop);
+- /* Be sure not to read passed datasize. */
+- stop = datasize / onaline;
++ /* Be sure not to read past datasize. */
++ stop = datasize;
+ }
+
+ /* Display functions table. */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ altent += imagebase;
+
+ if (altent >= pdata_vma
+- && (altent + PDATA_ROW_SIZE <= pdata_vma
+- + pei_section_data (abfd, pdata_section)->virt_size))
++ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ {
+ pex64_get_runtime_function
+ (abfd, &arf, &pdata[altent - pdata_vma]);
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9075.patch b/system/binutils/CVE-2019-9075.patch
new file mode 100644
index 000000000..0084d3368
--- /dev/null
+++ b/system/binutils/CVE-2019-9075.patch
@@ -0,0 +1,96 @@
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 08:21:24 +1030
+Subject: [PATCH] PR24236, Heap buffer overflow in
+ _bfd_archive_64_bit_slurp_armap
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+---
+ bfd/archive.c | 17 +++++++----------
+ bfd/archive64.c | 10 +++++-----
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index d2d9b72..68a92a3 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
+ int *raw_armap, *rawptr;
+ struct artdata *ardata = bfd_ardata (abfd);
+ char *stringbase;
++ char *stringend;
+ bfd_size_type stringsize;
+ bfd_size_type parsed_size;
+ carsym *carsyms;
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
+ }
+
+ /* OK, build the carsyms. */
+- for (i = 0; i < nsymz && stringsize > 0; i++)
++ stringend = stringbase + stringsize;
++ *stringend = 0;
++ for (i = 0; i < nsymz; i++)
+ {
+- bfd_size_type len;
+-
+ rawptr = raw_armap + i;
+ carsyms->file_offset = swap ((bfd_byte *) rawptr);
+ carsyms->name = stringbase;
+- /* PR 17512: file: 4a1d50c1. */
+- len = strnlen (stringbase, stringsize);
+- if (len < stringsize)
+- len ++;
+- stringbase += len;
+- stringsize -= len;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ carsyms++;
+ }
+- *stringbase = 0;
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+diff --git a/bfd/archive64.c b/bfd/archive64.c
+index 312bf82..42f6ed9 100644
+--- a/bfd/archive64.c
++++ b/bfd/archive64.c
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ return FALSE;
+ carsyms = ardata->symdefs;
+ stringbase = ((char *) ardata->symdefs) + carsym_size;
+- stringbase[stringsize] = 0;
+- stringend = stringbase + stringsize;
+
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+ if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ goto release_raw_armap;
+ }
+
++ stringend = stringbase + stringsize;
++ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
+ {
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+ carsyms->name = stringbase;
+- if (stringbase < stringend)
+- stringbase += strlen (stringbase) + 1;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ ++carsyms;
+ }
+- *stringbase = '\0';
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9077.patch b/system/binutils/CVE-2019-9077.patch
new file mode 100644
index 000000000..de044e387
--- /dev/null
+++ b/system/binutils/CVE-2019-9077.patch
@@ -0,0 +1,33 @@
+From 7fc0c668f2aceb8582d74db1ad2528e2bba8a921 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Feb 2019 17:03:47 +0000
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
+ option section using readelf.
+
+ PR 24243
+ * readelf.c (process_mips_specific): Check for an options section
+ that is too small to even contain a single option.
+---
+ binutils/readelf.c | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 54d165e..20ebacc 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -16187,6 +16187,12 @@ process_mips_specific (Filedata * filedata)
+ error (_("No MIPS_OPTIONS header found\n"));
+ return FALSE;
+ }
++ /* PR 24243 */
++ if (sect->sh_size < sizeof (* eopt))
++ {
++ error (_("The MIPS options section is too small.\n"));
++ return FALSE;
++ }
+
+ eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+ sect->sh_size, _("options"));
+--
+2.9.3
+