Fix a seg-fault parsing PE format binaries.

Resolves: #1560829
2018-05-17 14:40:13 +01:00 · 2018-05-17 14:40:13 +01:00 · 42246e47a2
parent e2612ee0fe
commit 42246e47a2
2 changed files with 40 additions and 2 deletions
--- a/binutils-CVE-2018-8945.patch
+++ b/binutils-CVE-2018-8945.patch
@ -0,0 +1,29 @@
+diff -rup binutils.orig/bfd/elf-attrs.c binutils-2.30/bfd/elf-attrs.c
+--- binutils.orig/bfd/elf-attrs.c	2018-05-17 14:14:04.341805666 +0100
+++ binutils-2.30/bfd/elf-attrs.c	2018-05-17 14:15:19.729952453 +0100
+@@ -438,6 +438,14 @@ _bfd_elf_parse_attributes (bfd *abfd, El
+   /* PR 17512: file: 2844a11d.  */
+   if (hdr->sh_size == 0)
+     return;
+  if (hdr->sh_size > bfd_get_file_size (abfd))
+    {
+      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
+			  abfd, hdr->bfd_section, (long long) hdr->sh_size);
+      bfd_set_error (bfd_error_invalid_operation);
+      return;
+    }
+
+   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+   if (!contents)
+     return;
+diff -rup binutils.orig/bfd/elf.c binutils-2.30/bfd/elf.c
+--- binutils.orig/bfd/elf.c	2018-05-17 14:14:04.326805836 +0100
+++ binutils-2.30/bfd/elf.c	2018-05-17 14:15:59.412503342 +0100
+@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+       /* Allocate and clear an extra byte at the end, to prevent crashes
+ 	 in case the string table is not terminated.  */
+       if (shstrtabsize + 1 <= 1
+	  || shstrtabsize > bfd_get_file_size (abfd)
+ 	  || bfd_seek (abfd, offset, SEEK_SET) != 0
+ 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+ 	shstrtab = NULL;
--- a/binutils.spec
+++ b/binutils.spec
@ -69,7 +69,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.30
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: https://sourceware.org/binutils
@ -275,6 +275,11 @@ Patch33: binutils-x86-local-relocs.patch
 # Lifetime: Fixed in 2.31
 Patch34: binutils-linkonce-notes.patch

+# Purpose:  Fix a seg-fault triggered by running objcopy on a corrupt
+#           PE format file.
+# Lifetime: Fixed in 2.31
+Patch35: binutils-CVE-2018-8945.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -434,6 +439,7 @@ using libelf instead of BFD.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1

 # We cannot run autotools as there is an exact requirement of autoconf-2.59.

@ -847,6 +853,9 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
+* Thu May 17 2018 Nick Clifton  <nickc@redhat.com> 2.30-21
+- Fix a seg-fault parsing PE format binaries.  (#1560829)
+
 * Mon May 14 2018 Nick Clifton  <nickc@redhat.com> 2.30-20
 - Have the x86 linker resolve relocations against the _end, _edata and __bss_start symbols locally.  (#1576735)
 - Do not generate GNU build notes for linkonce sections.  (#1576362)
@ -883,7 +892,7 @@ exit 0

 * Fri Mar 09 2018 Nick Clifton  <nickc@redhat.com> 2.30-12
 - Treat relocs against s390x IFUNC symbols in note sections as relocs against the FUNC symbol instead.
- Combined previous patches into one which covers all ifunc supporting architectures.
+- Combined previous patches into one which covers all ifunc supporting architectures.    (#1553705)
 - Retire binutils-s390-ifunc-relocs-in-notes.patch
 - Retire binutils-x86_64-ifunc-relocs-in-notes.patch