From 33c8b06837879978fece3749280c6bb7613e4de3 Mon Sep 17 00:00:00 2001 From: "A. Wilcox" Date: Sat, 8 Dec 2018 18:46:12 +0000 Subject: system/binutils: fix CVE-2018-19931 and CVE-2018-19932 --- system/binutils/APKBUILD | 11 +++++++-- system/binutils/CVE-2018-19931.patch | 31 ++++++++++++++++++++++++ system/binutils/CVE-2018-19932.patch | 47 ++++++++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 system/binutils/CVE-2018-19931.patch create mode 100644 system/binutils/CVE-2018-19932.patch (limited to 'system/binutils') diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD index 4cd3901ec..67f81db9d 100644 --- a/system/binutils/APKBUILD +++ b/system/binutils/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Adelie Platform Group pkgname=binutils pkgver=2.31.1 -pkgrel=1 +pkgrel=2 pkgdesc="Tools necessary to build programs" url="http://www.gnu.org/software/binutils/" depends="" @@ -16,6 +16,8 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-libs" [ "${CARCH}" != "ppc" ] || options='!check' source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz binutils-ld-fix-static-linking.patch + CVE-2018-19931.patch + CVE-2018-19932.patch disable-gnu-mbind.patch disable-ifunc-tests.patch disable-preinit-array-tests.patch @@ -35,7 +37,10 @@ fi # secfixes: # 2.28-r1: -# - CVE-2017-7614 +# - CVE-2017-7614 +# 2.31.1-r2: +# - CVE-2018-19931 +# - CVE-2018-19932 build() { local _sysroot=/ 
@@ -114,6 +119,8 @@ libs() { sha512sums="0fca326feb1d5f5fe505a827b20237fe3ec9c13eaf7ec7e35847fd71184f605ba1cefe1314b1b8f8a29c0aa9d88162849ee1c1a3e70c2f7407d88339b17edb30 binutils-2.31.1.tar.xz ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch +4cfece75605ea17df676692e9ed2a5f8b3221fdb93fca9655f67260a9f4fd4f9e5a62141f51ba9bb7819f4628cdda4fd3f2f82e947ba197980f2b0c2c58a147c CVE-2018-19931.patch +68d1699d66aeb9dabb76d2e56e881fe73e55cc9594741107bf9f1a23fd2c1dc4421d02317bfc0218b02ad1372d3a8a577044578fffbfd8504ca238be835c5ff0 CVE-2018-19932.patch d378fdf1964f8f2bd0b1e62827ac5884bdf943aa435ec89c29fc84bb045d406b733fffaff8fdd8bd1cba8ddea7701c4cf6ccf3ed76a8a3df9c72b447737575a6 disable-gnu-mbind.patch 474ab24097bbb5b24433620549e5234fe65c547824c1342f693c718ffbc81e2d968259cce2d650b55200dd1ec89da207ea2db10c551cd9941285c4600b4297b2 disable-ifunc-tests.patch 3537752e63cef0b5ef136d003ff7e814ba66b12624d817430112d0f291a792e8960fa69a78036f526af835441b3ee483d6a53d55c7b3dd8ee96f0399682dbcbe disable-preinit-array-tests.patch diff --git a/system/binutils/CVE-2018-19931.patch b/system/binutils/CVE-2018-19931.patch new file mode 100644 index 000000000..99a9797e3 --- /dev/null +++ b/system/binutils/CVE-2018-19931.patch 
@@ -0,0 +1,31 @@
+From 5f60af5d24d181371d67534fa273dd221df20c07 Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Fri, 30 Nov 2018 11:45:33 +0000
+Subject: [PATCH] Fix a memory exhaustion bug when attempting to allocate room
+ for an impossible number of program headers.
+
+ * elfcode.h (elf_object_p): Check for corrupt input files with
+ more program headers than can actually fit in the file.
+---
+ bfd/elfcode.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index f224c8b..16ed8e5 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -784,6 +784,11 @@ elf_object_p (bfd *abfd)
+ if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ goto got_wrong_format_error;
+ #endif
++ /* Check for a corrupt input file with an impossibly large number
++ of program headers. */
++ if (bfd_get_file_size (abfd) > 0
++ && i_ehdrp->e_phnum > bfd_get_file_size (abfd))
++ goto got_no_match;
+ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
+ elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
+ if (elf_tdata (abfd)->phdr == NULL)
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2018-19932.patch b/system/binutils/CVE-2018-19932.patch
new file mode 100644
index 000000000..383aae70f
--- /dev/null
+++ b/system/binutils/CVE-2018-19932.patch
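Review bot: The guard added to elf_object_p in CVE-2018-19931.patch compares `e_phnum`, a count of program headers, with `bfd_get_file_size (abfd)`, a size in bytes, so it only rejects counts larger than the file's byte length and still accepts counts whose headers could not all fit in the file. A tighter bound would divide by the on-disk header size, for example `&& i_ehdrp->e_phnum > bfd_get_file_size (abfd) / sizeof (Elf_External_Phdr))`, assuming that is the external header type used in this file. The comment should also state that a reported size of 0 skips the check entirely, as the `> 0` test implies, so the allocation below is then limited only by the earlier overflow test. The function continues outside the inner hunk, so any later bound on the table is not visible here.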
@@ -0,0 +1,47 @@
+From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Fri, 30 Nov 2018 11:43:12 +0000
+Subject: [PATCH] Remove an abort in the bfd library and add a check for an
+ integer overflow when mapping sections to segments.
+
+ PR 23932
+ * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
+ size.
+ (rewrite_elf_program_header): If no sections are mapped into a
+ segment return an error.
+---
+ bfd/elf.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 604971d..79a76be 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ the given segment. LMA addresses are compared. */
+ #define IS_CONTAINED_BY_LMA(section, segment, base) \
+ (section->lma >= base \
++ && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \
+ && (section->lma + SECTION_SIZE (section, segment) \
+ <= SEGMENT_END (segment, base)))
+
+@@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ suggested_lma = output_section;
+ }
+
+- BFD_ASSERT (map->count > 0);
++ /* PR 23932. A corrupt input file may contain sections that cannot
++ be assigned to any segment - because for example they have a
++ negative size - or segments that do not contain any sections. */
++ if (map->count == 0)
++ {
++ bfd_set_error (bfd_error_bad_value);
++ free (sections);
++ return FALSE;
++ }
+
+ /* Add the current segment to the list of built segments. */
+ *pointer_to_map = map;
+--
+2.9.3
+
-- cgit v1.2.3-60-g2f50
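Review bot: The clause added to IS_CONTAINED_BY_LMA, `section->lma + SECTION_SIZE (section, segment) >= section->lma`, is a wrap-around test that presumably relies on the address type being unsigned, and the macro's comment does not say so. Extend the comment above the macro with a sentence such as `The middle clause rejects sections whose LMA plus size wraps around.` so the clause is not later removed as redundant. In the second inner hunk the new `map->count == 0` path frees `sections` before `return FALSE`, but `map` is allocated outside the visible lines, so confirm it is owned by the bfd's allocator and needs no release here. rewrite_elf_program_header starts and ends outside both inner hunks.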