Fix a seg-fault running objcopy on a corrupt PE format file. (#1574702)

Fix a seg-fault running objcopy on a corrupt ELF format file.  (#1574705)

binutils-CVE-2018-10534.patch

@@ -0,0 +1,18 @@
+--- binutils.orig/bfd/peXXigen.c	2018-05-10 10:09:03.619147342 +0100
++++ binutils-2.30/bfd/peXXigen.c	2018-05-10 10:20:20.884883540 +0100
+@@ -2991,6 +2991,15 @@ _bfd_XX_bfd_copy_private_bfd_data_common
+ 				  bfd_get_section_size (section) - (addr - section->vma));
+ 	      return FALSE;
+ 	    }
++	  /* PR 23110.  */
++	  else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
++	    {
++	      /* xgettext:c-format */
++	      _bfd_error_handler
++		(_("%pB: Data Directory size (%#lx) is negative"),
++		 obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
++	      return FALSE;
++	    }
+ 
+ 	  for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
+ 		 / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)

binutils-CVE-2018-10535.patch

@@ -0,0 +1,28 @@
+--- binutils.orig/bfd/elf.c	2018-05-10 10:09:03.622147305 +0100
++++ binutils-2.30/bfd/elf.c	2018-05-10 10:29:09.895577234 +0100
+@@ -4021,16 +4021,23 @@ ignore_section_sym (bfd *abfd, asymbol *
+ {
+   elf_symbol_type *type_ptr;
+ 
++  if (sym == NULL)
++    return FALSE;
++
+   if ((sym->flags & BSF_SECTION_SYM) == 0)
+     return FALSE;
+ 
++  if (sym->section == NULL)
++    return TRUE;
++
+   type_ptr = elf_symbol_from (abfd, sym);
+   return ((type_ptr != NULL
+ 	   && type_ptr->internal_elf_sym.st_shndx != 0
+ 	   && bfd_is_abs_section (sym->section))
+ 	  || !(sym->section->owner == abfd
+-	       || (sym->section->output_section->owner == abfd
+-		   && sym->section->output_offset == 0)
++              || (sym->section->output_section != NULL
++                  && sym->section->output_section->owner == abfd
++		  && sym->section->output_offset == 0)
+ 	       || bfd_is_abs_section (sym->section)));
+ }
+ 

binutils.spec

@@ -69,7 +69,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.30
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: https://sourceware.org/binutils
@@ -255,6 +255,16 @@ Patch29: binutils-CVE-2018-7569.patch
 # Lifetime: Fixed in 2.31
 Patch30: binutils-CVE-2018-7568.patch
 
+# Purpose:  Fix a seg-fault triggered by running objcopy on a corrupt
+#           PE format file.
+# Lifetime: Fixed in 2.31
+Patch31: binutils-CVE-2018-10534.patch
+
+# Purpose:  Fix a seg-fault triggered by running objcopy on a corrupt
+#           ELF format file.
+# Lifetime: Fixed in 2.31
+Patch32: binutils-CVE-2018-10535.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -410,6 +420,8 @@ using libelf instead of BFD.
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
+%patch31 -p1
+%patch32 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 
@@ -823,6 +835,10 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Thu May 10 2018 Nick Clifton  <nickc@redhat.com> 2.30-19
+- Fix a seg-fault running objcopy on a corrupt PE format file.  (#1574702)
+- Fix a seg-fault running objcopy on a corrupt ELF format file.  (#1574705)
+
 * Tue May 01 2018 Nick Clifton  <nickc@redhat.com> 2.30-18
 - Fix a seg-fault parsing corrupt DWARF information.  (#1573360)
 - Fix another seg-fault parsing corrupt DWARF information.  (#1573367)