From 61a9b29768c17f233bd169335a456b60978183b5 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 11 Jul 2018 12:03:26 +0100
Subject: [PATCH] Fix a seg-fault that can occur when parsing corrupt DWARF information.

Resolves: #1551772
---
 binutils-CVE-2018-7568.patch | 39 ++++++++++++++++++++++++++++++++++++
 binutils.spec | 22 +++++++++++++-------
 2 files changed, 54 insertions(+), 7 deletions(-)
 create mode 100644 binutils-CVE-2018-7568.patch

diff --git a/binutils-CVE-2018-7568.patch b/binutils-CVE-2018-7568.patch
new file mode 100644
index 0000000..84370b4
--- /dev/null
+++ b/binutils-CVE-2018-7568.patch
@@ -0,0 +1,39 @@
+--- binutils.orig/bfd/dwarf1.c 2018-07-11 11:45:09.482030157 +0100
++++ binutils-2.29/bfd/dwarf1.c 2018-07-11 11:48:19.564980423 +0100
+@@ -208,6 +208,7 @@ parse_die (bfd * abfd,
+ /* Then the attributes. */
+ while (xptr < (this_die + aDieInfo->length))
+ {
++ unsigned int block_len;
+ unsigned short attr;
+ 
+ /* Parse the attribute based on its form. This section
+@@ -243,10 +244,26 @@ parse_die (bfd * abfd,
+ xptr += 4;
+ break;
+ case FORM_BLOCK2:
+- xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr);
++ if (xptr + 2 <= aDiePtrEnd)
++ {
++ block_len = bfd_get_16 (abfd, xptr);
++ if (xptr + block_len > aDiePtrEnd
++ || xptr + block_len < xptr)
++ return FALSE;
++ xptr += block_len;
++ }
++ xptr += 2;
+ break;
+ case FORM_BLOCK4:
+- xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr);
++ if (xptr + 4 <= aDiePtrEnd)
++ {
++ block_len = bfd_get_32 (abfd, xptr);
++ if (xptr + block_len > aDiePtrEnd
++ || xptr + block_len < xptr)
++ return FALSE;
++ xptr += block_len;
++ }
++ xptr += 4;
+ break;
+ case FORM_STRING:
+ if (attr == AT_name)
diff --git a/binutils.spec b/binutils.spec
index 8af7a02..82c0267 100644
--- a/binutils.spec
+++ b/binutils.spec
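Review bot: In the FORM_BLOCK2 arm (and identically FORM_BLOCK4) the new bound is measured from `xptr`, i.e. from the start of the length prefix, but the block data occupies `[xptr + 2, xptr + 2 + block_len)`, so a `block_len` of up to `aDiePtrEnd - xptr` is accepted even though the data then ends two (four) bytes past `aDiePtrEnd`; the loop condition keeps this from turning into a further read, but the DIE is advanced past its end instead of being rejected as corrupt. The wrap guard `xptr + block_len < xptr` also forms an out-of-range pointer first, which is undefined behaviour and a comparison the compiler is entitled to fold away; comparing lengths removes both problems: `if (block_len > (size_t) (aDiePtrEnd - xptr - 2)) return FALSE;` in the BLOCK2 arm and the same with `- 4` in the BLOCK4 arm. When fewer than 2 (4) bytes remain the arm silently falls through to `xptr += 2;` rather than returning FALSE like the other corrupt-length path, which looks unintentional. parse_die's signature and the origin of aDiePtrEnd are outside this hunk, so this assumes aDiePtrEnd bounds the readable DIE bytes.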
@@ -54,7 +54,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.29
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: http://sources.redhat.com/binutils
@@ -176,6 +176,10 @@ Patch18: binutils-CVE-2017-12967.patch
 # Lifetime: Fixed in 2.29.1.
 Patch19: binutils-CVE-2017-12799.patch
 
+# Purpose: Fix a seg-fault induced when parsing corrupt DWARF files.
+# Lifetime: Fixed in 2.30.
+Patch20: binutils-CVE-2018-7568.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -317,6 +321,7 @@ using libelf instead of BFD.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
@@ -725,25 +730,28 @@ exit 0
 #----------------------------------------------------------------------------
 
 %changelog
-* Thu May 31 2018 Nick Clifton 2.29-1-15
+* Wed Jul 11 2018 Nick Clifton 2.29-16
+- Fix a seg-fault that can occur when parsing corrupt DWARF information. (#1551772)
+
+* Thu May 31 2018 Nick Clifton 2.29-15
 - Fix a seg-fault that can occur when parsing corrupt x86 binaries. (#1487762)
 - Fix a seg-fault that can occur when parsing ELF version information. (#1492130)
 - Fix a seg-fault that can occur when parsing corrupt TEKHEX files. (#1484527)
 - Fix a seg-fault that can occur when parsing corrupt ELF files. (#1480343)
 
-* Fri Mar 09 2018 Nick Clifton 2.29-1-14
+* Fri Mar 09 2018 Nick Clifton 2.29-14
 - Treat relocs against s390x IFUNC symbols in note sections as relocs
 against the FUNC symbol instead. (#1553705)
 
-* Mon Mar 05 2018 Nick Clifton 2.29.1-13
+* Mon Mar 05 2018 Nick Clifton 2.29.13
 - Speed up objdump. (#1551540)
 
-* Mon Dec 18 2017 Nick Clifton 2.29.1-12
+* Mon Dec 18 2017 Nick Clifton 2.29-12
 - Re-enable gold for PowerPC64 and s390x. (#1173780)
 
-* Fri Dec 15 2017 Nick Clifton 2.29.1-11
+* Fri Dec 15 2017 Nick Clifton 2.29-11
 - Have readelf display extra symbol information at the end of the line. (#1479302)
 
-* Mon Dec 11 2017 Nick Clifton 2.29.1-10
+* Mon Dec 11 2017 Nick Clifton 2.29-10
 - Do not enable relro by default for the PowerPC64 architecture. (#1523946)
 * Fri Dec 08 2017 Nick Clifton 2.29-9