Fix a seg-fault running objcopy on a corrupt PE format file. (#1574702)

Fix a seg-fault running objcopy on a corrupt ELF format file. (#1574705)
2018-05-10 10:46:37 +01:00 · 2018-05-10 10:46:37 +01:00 · 347768434c
commit 347768434c
parent f53b235000
3 changed files with 63 additions and 1 deletions
--- a/binutils-CVE-2018-10534.patch
+++ b/binutils-CVE-2018-10534.patch
@ -0,0 +1,18 @@
+--- binutils.orig/bfd/peXXigen.c	2018-05-10 10:09:03.619147342 +0100
+++ binutils-2.30/bfd/peXXigen.c	2018-05-10 10:20:20.884883540 +0100
+@@ -2991,6 +2991,15 @@ _bfd_XX_bfd_copy_private_bfd_data_common
+ 				  bfd_get_section_size (section) - (addr - section->vma));
+ 	      return FALSE;
+ 	    }
+	  /* PR 23110.  */
+	  else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
+	    {
+	      /* xgettext:c-format */
+	      _bfd_error_handler
+		(_("%pB: Data Directory size (%#lx) is negative"),
+		 obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
+	      return FALSE;
+	    }
+ 
+ 	  for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
+ 		 / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)
--- a/binutils-CVE-2018-10535.patch
+++ b/binutils-CVE-2018-10535.patch
@ -0,0 +1,28 @@
+--- binutils.orig/bfd/elf.c	2018-05-10 10:09:03.622147305 +0100
+++ binutils-2.30/bfd/elf.c	2018-05-10 10:29:09.895577234 +0100
+@@ -4021,16 +4021,23 @@ ignore_section_sym (bfd *abfd, asymbol *
+ {
+   elf_symbol_type *type_ptr;
+ 
+  if (sym == NULL)
+    return FALSE;
+
+   if ((sym->flags & BSF_SECTION_SYM) == 0)
+     return FALSE;
+ 
+  if (sym->section == NULL)
+    return TRUE;
+
+   type_ptr = elf_symbol_from (abfd, sym);
+   return ((type_ptr != NULL
+ 	   && type_ptr->internal_elf_sym.st_shndx != 0
+ 	   && bfd_is_abs_section (sym->section))
+ 	  || !(sym->section->owner == abfd
+-	       || (sym->section->output_section->owner == abfd
+-		   && sym->section->output_offset == 0)
+              || (sym->section->output_section != NULL
+                  && sym->section->output_section->owner == abfd
+		  && sym->section->output_offset == 0)
+ 	       || bfd_is_abs_section (sym->section)));
+ }
+ 
--- a/binutils.spec
+++ b/binutils.spec
@ -69,7 +69,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.30
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: https://sourceware.org/binutils
@ -255,6 +255,16 @@ Patch29: binutils-CVE-2018-7569.patch
 # Lifetime: Fixed in 2.31
 Patch30: binutils-CVE-2018-7568.patch

+# Purpose:  Fix a seg-fault triggered by running objcopy on a corrupt
+#           PE format file.
+# Lifetime: Fixed in 2.31
+Patch31: binutils-CVE-2018-10534.patch
+
+# Purpose:  Fix a seg-fault triggered by running objcopy on a corrupt
+#           ELF format file.
+# Lifetime: Fixed in 2.31
+Patch32: binutils-CVE-2018-10535.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -410,6 +420,8 @@ using libelf instead of BFD.
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
+%patch31 -p1
+%patch32 -p1

 # We cannot run autotools as there is an exact requirement of autoconf-2.59.

@ -823,6 +835,10 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
+* Thu May 10 2018 Nick Clifton  <nickc@redhat.com> 2.30-19
+- Fix a seg-fault running objcopy on a corrupt PE format file.  (#1574702)
+- Fix a seg-fault running objcopy on a corrupt ELF format file.  (#1574705)
+
 * Tue May 01 2018 Nick Clifton  <nickc@redhat.com> 2.30-18
 - Fix a seg-fault parsing corrupt DWARF information.  (#1573360)
 - Fix another seg-fault parsing corrupt DWARF information.  (#1573367)