summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2018-12-08 18:46:12 +0000
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2018-12-08 18:46:12 +0000
commit33c8b06837879978fece3749280c6bb7613e4de3 (patch)
tree1eb4b8c4d60e350fdee62ec474ad965e869a65d8 /system
parent791c07e0235932c246b15902c47cd459fc652718 (diff)
downloadpackages-33c8b06837879978fece3749280c6bb7613e4de3.tar.gz
packages-33c8b06837879978fece3749280c6bb7613e4de3.tar.bz2
packages-33c8b06837879978fece3749280c6bb7613e4de3.tar.xz
packages-33c8b06837879978fece3749280c6bb7613e4de3.zip
system/binutils: fix CVE-2018-19931 and CVE-2018-19932
Diffstat (limited to 'system')
-rw-r--r--system/binutils/APKBUILD11
-rw-r--r--system/binutils/CVE-2018-19931.patch31
-rw-r--r--system/binutils/CVE-2018-19932.patch47
3 files changed, 87 insertions, 2 deletions
diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 4cd3901ec..67f81db9d 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
pkgname=binutils
pkgver=2.31.1
-pkgrel=1
+pkgrel=2
pkgdesc="Tools necessary to build programs"
url="http://www.gnu.org/software/binutils/"
depends=""
@@ -16,6 +16,8 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs"
[ "${CARCH}" != "ppc" ] || options='!check'
source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
binutils-ld-fix-static-linking.patch
+ CVE-2018-19931.patch
+ CVE-2018-19932.patch
disable-gnu-mbind.patch
disable-ifunc-tests.patch
disable-preinit-array-tests.patch
@@ -35,7 +37,10 @@ fi
# secfixes:
# 2.28-r1:
-# - CVE-2017-7614
+# - CVE-2017-7614
+# 2.31.1-r2:
+# - CVE-2018-19931
+# - CVE-2018-19932
build() {
local _sysroot=/
@@ -114,6 +119,8 @@ libs() {
sha512sums="0fca326feb1d5f5fe505a827b20237fe3ec9c13eaf7ec7e35847fd71184f605ba1cefe1314b1b8f8a29c0aa9d88162849ee1c1a3e70c2f7407d88339b17edb30 binutils-2.31.1.tar.xz
ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch
+4cfece75605ea17df676692e9ed2a5f8b3221fdb93fca9655f67260a9f4fd4f9e5a62141f51ba9bb7819f4628cdda4fd3f2f82e947ba197980f2b0c2c58a147c CVE-2018-19931.patch
+68d1699d66aeb9dabb76d2e56e881fe73e55cc9594741107bf9f1a23fd2c1dc4421d02317bfc0218b02ad1372d3a8a577044578fffbfd8504ca238be835c5ff0 CVE-2018-19932.patch
d378fdf1964f8f2bd0b1e62827ac5884bdf943aa435ec89c29fc84bb045d406b733fffaff8fdd8bd1cba8ddea7701c4cf6ccf3ed76a8a3df9c72b447737575a6 disable-gnu-mbind.patch
474ab24097bbb5b24433620549e5234fe65c547824c1342f693c718ffbc81e2d968259cce2d650b55200dd1ec89da207ea2db10c551cd9941285c4600b4297b2 disable-ifunc-tests.patch
3537752e63cef0b5ef136d003ff7e814ba66b12624d817430112d0f291a792e8960fa69a78036f526af835441b3ee483d6a53d55c7b3dd8ee96f0399682dbcbe disable-preinit-array-tests.patch
diff --git a/system/binutils/CVE-2018-19931.patch b/system/binutils/CVE-2018-19931.patch
new file mode 100644
index 000000000..99a9797e3
--- /dev/null
+++ b/system/binutils/CVE-2018-19931.patch
@@ -0,0 +1,31 @@
+From 5f60af5d24d181371d67534fa273dd221df20c07 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Nov 2018 11:45:33 +0000
+Subject: [PATCH] Fix a memory exhaustion bug when attempting to allocate room
+ for an impossible number of program headers.
+
+ * elfcode.h (elf_object_p): Check for corrupt input files with
+ more program headers than can actually fit in the file.
+---
+ bfd/elfcode.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index f224c8b..16ed8e5 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -784,6 +784,11 @@ elf_object_p (bfd *abfd)
+ if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ goto got_wrong_format_error;
+ #endif
++ /* Check for a corrupt input file with an impossibly large number
++ of program headers. */
++ if (bfd_get_file_size (abfd) > 0
++ && i_ehdrp->e_phnum > bfd_get_file_size (abfd))
++ goto got_no_match;
+ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
+ elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
+ if (elf_tdata (abfd)->phdr == NULL)
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2018-19932.patch b/system/binutils/CVE-2018-19932.patch
new file mode 100644
index 000000000..383aae70f
--- /dev/null
+++ b/system/binutils/CVE-2018-19932.patch
@@ -0,0 +1,47 @@
+From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Nov 2018 11:43:12 +0000
+Subject: [PATCH] Remove an abort in the bfd library and add a check for an
+ integer overflow when mapping sections to segments.
+
+ PR 23932
+ * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
+ size.
+ (rewrite_elf_program_header): If no sections are mapped into a
+ segment return an error.
+---
+ bfd/elf.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 604971d..79a76be 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ the given segment. LMA addresses are compared. */
+ #define IS_CONTAINED_BY_LMA(section, segment, base) \
+ (section->lma >= base \
++ && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \
+ && (section->lma + SECTION_SIZE (section, segment) \
+ <= SEGMENT_END (segment, base)))
+
+@@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ suggested_lma = output_section;
+ }
+
+- BFD_ASSERT (map->count > 0);
++ /* PR 23932. A corrupt input file may contain sections that cannot
++ be assigned to any segment - because for example they have a
++ negative size - or segments that do not contain any sections. */
++ if (map->count == 0)
++ {
++ bfd_set_error (bfd_error_bad_value);
++ free (sections);
++ return FALSE;
++ }
+
+ /* Add the current segment to the list of built segments. */
+ *pointer_to_map = map;
+--
+2.9.3
+