Fix for PR 22887 - crashing objdump by passing it a corrupt AOUT binary. (#1553115)

Fix for PR 22905 - crashing objdump by passing it a corrupt DWARF file.  (#1553122)
Fix for PR 22741 - crashing objdump by passing it a corrupt COFF file.  (#1571918)

binutils-CVE-2018-7208.patch

@@ -0,0 +1,12 @@
+--- binutils.orig/bfd/coffgen.c	2018-04-27 09:23:33.449859052 +0100
++++ binutils-2.30/bfd/coffgen.c	2018-04-27 09:34:34.530135122 +0100
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+ 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;

binutils-CVE-2018-7642.patch

@@ -0,0 +1,17 @@
+--- binutils.orig/bfd/aoutx.h	2018-04-26 15:14:18.411450291 +0100
++++ binutils-2.30/bfd/aoutx.h	2018-04-26 17:22:38.328770529 +0100
+@@ -2283,10 +2283,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abf
+   if (r_baserel)
+     r_extern = 1;
+ 
+-  if (r_extern && r_index > symcount)
++  if (r_extern && r_index >= symcount)
+     {
+       /* We could arrange to return an error, but it might be useful
+-	 to see the file even if it is bad.  */
++	 to see the file even if it is bad.  FIXME: Of course this
++	 means that objdump -r *doesn't* see the actual reloc, and
++	 objcopy silently writes a different reloc.  */
+       r_extern = 0;
+       r_index = N_ABS;
+     }

binutils-CVE-2018-7643.patch

@@ -0,0 +1,16 @@
+--- binutils.orig/binutils/dwarf.c	2018-04-27 09:22:07.402864408 +0100
++++ binutils-2.30/binutils/dwarf.c	2018-04-27 09:24:26.794235786 +0100
+@@ -6810,6 +6810,13 @@ display_debug_ranges (struct dwarf_secti
+ 	  continue;
+ 	}
+ 
++      if (next < section_begin || next >= finish)
++	{
++	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
++		(unsigned long) offset, i);
++	  continue;
++	}
++
+       if (dwarf_check != 0 && i > 0)
+ 	{
+ 	  if (start < next)

binutils.spec

@@ -65,7 +65,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.30
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: https://sourceware.org/binutils
@@ -202,6 +202,21 @@ Patch19: binutils-gold-llvm-plugin.patch
 # Lifetime: Fixed in 2.31
 Patch20: binutils-gas-build-notes.patch
 
+# Purpose:  Fix a CVE triggered by running objdump on a corrupt AOUT
+#           format file.
+# Lifetime: Fixed in 2.31
+Patch21: binutils-CVE-2018-7642.patch
+
+# Purpose:  Fix a CVE triggered by running objdump on a binary containing
+#           corrupt DWARF debug information.
+# Lifetime: Fixed in 2.31
+Patch22: binutils-CVE-2018-7643.patch
+
+# Purpose:  Fix a CVE triggered by running objdump on a corrupt COFF
+#           format file.
+# Lifetime: Fixed in 2.31
+Patch23: binutils-CVE-2018-7208.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -347,6 +362,9 @@ using libelf instead of BFD.
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 
@@ -760,6 +778,11 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Fri Apr 27 2018 Nick Clifton  <nickc@redhat.com> 2.30-16
+- Fix for PR 22887 - crashing objdump by passing it a corrupt AOUT binary.  (#1553115)
+- Fix for PR 22905 - crashing objdump by passing it a corrupt DWARF file.  (#1553122)
+- Fix for PR 22741 - crashing objdump by passing it a corrupt COFF file.  (#1571918)
+
 * Thu Apr 26 2018 Nick Clifton  <nickc@redhat.com> 2.30-15
 - Enhance the assembler to automatically generate annobin notes if none are present in the input.