Fix seg-faulta that can occur when parsing corrupt DWARF2 information, corrupt ELF files and corrupt PE files.

Resolves: #1551779
Resolves: #1573359
Resolves: #1574700
Resolves: #1573365
Resolves: #1551786
Resolves: #1546624
Resolves: #1543245
Resolves: #1539888

binutils-2.29-filename-in-error-messages.patch

@@ -1,6 +1,6 @@
 --- binutils.orig/binutils/readelf.c	2017-07-24 15:27:09.859116315 +0100
 +++ binutils-2.29/binutils/readelf.c	2017-07-24 15:30:33.557770525 +0100
-@@ -18414,39 +18414,49 @@ process_archive (char * file_name, FILE
+@@ -18414,39 +18414,50 @@ process_archive (char * file_name, FILE
  static bfd_boolean
  process_file (char * file_name)
  {
@@ -56,6 +56,7 @@
 +      error (_("Failed to read file's magic number\n"));
        fclose (file);
 -      return FALSE;
++      ret = FALSE;
 +      goto done;
      }
  

binutils-2.29-non-elf-orphan-skip.patch

@@ -0,0 +1,147 @@
+--- binutils.orig/ld/emultempl/elf32.em	2017-09-14 15:35:45.971100712 +0100
++++ binutils-2.29/ld/emultempl/elf32.em	2017-09-14 15:40:30.315782167 +0100
+@@ -2011,6 +2011,29 @@ output_rel_find (asection *sec, int isdy
+ 
+ static int orphan_init_done = 0;
+ 
++/* Return whether IN is suitable to be part of OUT.  */
++
++static bfd_boolean
++elf_orphan_compatible (asection *in, asection *out)
++{
++  /* Non-zero sh_info implies a section with SHF_INFO_LINK with
++     unknown semantics for the generic linker, or a SHT_REL/SHT_RELA
++     section where sh_info specifies a symbol table.  (We won't see
++     SHT_GROUP, SHT_SYMTAB or SHT_DYNSYM sections here.)  We clearly
++     can't merge SHT_REL/SHT_RELA using differing symbol tables, and
++     shouldn't merge sections with differing unknown semantics.  */
++  if (elf_section_data (out)->this_hdr.sh_info
++      != elf_section_data (in)->this_hdr.sh_info)
++    return FALSE;
++  /* We can't merge two sections with differing SHF_EXCLUDE when doing
++     a relocatable link.  */
++  if (bfd_link_relocatable (&link_info)
++      && ((elf_section_flags (out) ^ elf_section_flags (in)) & SHF_EXCLUDE) != 0)
++    return FALSE;
++  return _bfd_elf_match_sections_by_type (link_info.output_bfd, out,
++					  in->owner, in);
++}
++
+ /* Place an orphan section.  We use this to put random SHF_ALLOC
+    sections in the right segment.  */
+ 
+@@ -2067,8 +2090,9 @@ gld${EMULATION_NAME}_place_orphan (asect
+   lang_output_section_statement_type *os;
+   lang_output_section_statement_type *match_by_name = NULL;
+   int isdyn = 0;
+-  int iself = s->owner->xvec->flavour == bfd_target_elf_flavour;
+-  unsigned int sh_type = iself ? elf_section_type (s) : SHT_NULL;
++  int elfinput = s->owner->xvec->flavour == bfd_target_elf_flavour;
++  int elfoutput = link_info.output_bfd->xvec->flavour == bfd_target_elf_flavour;
++  unsigned int sh_type = elfinput ? elf_section_type (s) : SHT_NULL;
+   flagword flags;
+   asection *nexts;
+ 
+@@ -2076,7 +2100,7 @@ gld${EMULATION_NAME}_place_orphan (asect
+       && link_info.combreloc
+       && (s->flags & SEC_ALLOC))
+     {
+-      if (iself)
++      if (elfinput)
+ 	switch (sh_type)
+ 	  {
+ 	  case SHT_RELA:
+@@ -2098,6 +2122,8 @@ gld${EMULATION_NAME}_place_orphan (asect
+     }
+ 
+   if (!bfd_link_relocatable (&link_info)
++      && elfinput
++      && elfoutput
+       && (s->flags & SEC_ALLOC) != 0
+       && (elf_section_flags (s) & SHF_GNU_MBIND) != 0)
+     {
+@@ -2148,23 +2174,18 @@ gld${EMULATION_NAME}_place_orphan (asect
+ 	   lang_insert_orphan to create a new output section.  */
+ 	constraint = SPECIAL;
+ 
+-	/* SEC_EXCLUDE is cleared when doing a relocatable link.  But
+-	   we can't merge 2 input sections with the same name when only
+-	   one of them has SHF_EXCLUDE.  Don't merge 2 sections with
+-	   different sh_info.  */
++	/* Check to see if we already have an output section statement
++	   with this name, and its bfd section has compatible flags.
++	   If the section already exists but does not have any flags
++	   set, then it has been created by the linker, possibly as a
++	   result of a --section-start command line switch.  */
+ 	if (os->bfd_section != NULL
+-	    && (elf_section_data (os->bfd_section)->this_hdr.sh_info
+-		== elf_section_data (s)->this_hdr.sh_info)
+ 	    && (os->bfd_section->flags == 0
+-		|| ((!bfd_link_relocatable (&link_info)
+-		     || (iself && (((elf_section_flags (s)
+-				     ^ elf_section_flags (os->bfd_section))
+-				    & SHF_EXCLUDE) == 0)))
+-		    && ((s->flags ^ os->bfd_section->flags)
++		|| (((s->flags ^ os->bfd_section->flags)
+ 		     & (SEC_LOAD | SEC_ALLOC)) == 0
+-		    && _bfd_elf_match_sections_by_type (link_info.output_bfd,
+-							os->bfd_section,
+-							s->owner, s))))
++		    && (!elfinput
++			|| !elfoutput
++			|| elf_orphan_compatible (s, os->bfd_section)))))
+ 	  {
+ 	    /* We already have an output section statement with this
+ 	       name, and its bfd section has compatible flags.
+@@ -2253,8 +2274,8 @@ gld${EMULATION_NAME}_place_orphan (asect
+   else if ((flags & SEC_ALLOC) == 0)
+     ;
+   else if ((flags & SEC_LOAD) != 0
+-	   && ((iself && sh_type == SHT_NOTE)
+-	       || (!iself && CONST_STRNEQ (secname, ".note"))))
++	   && ((elfinput && sh_type == SHT_NOTE)
++	       || (!elfinput && CONST_STRNEQ (secname, ".note"))))
+     place = &hold[orphan_interp];
+   else if ((flags & (SEC_LOAD | SEC_HAS_CONTENTS | SEC_THREAD_LOCAL)) == 0)
+     place = &hold[orphan_bss];
+@@ -2264,8 +2285,8 @@ gld${EMULATION_NAME}_place_orphan (asect
+     place = &hold[orphan_tdata];
+   else if ((flags & SEC_READONLY) == 0)
+     place = &hold[orphan_data];
+-  else if (((iself && (sh_type == SHT_RELA || sh_type == SHT_REL))
+-	    || (!iself && CONST_STRNEQ (secname, ".rel")))
++  else if (((elfinput && (sh_type == SHT_RELA || sh_type == SHT_REL))
++	    || (!elfinput && CONST_STRNEQ (secname, ".rel")))
+ 	   && (flags & SEC_LOAD) != 0)
+     place = &hold[orphan_rel];
+   else if ((flags & SEC_CODE) == 0)
+diff -rup binutils.orig/bfd/elf32-i386.c binutils-2.29/bfd/elf32-i386.c
+--- binutils.orig/bfd/elf32-i386.c	2017-09-15 10:27:16.828950825 +0100
++++ binutils-2.29/bfd/elf32-i386.c	2017-09-15 10:27:38.962692771 +0100
+@@ -6921,8 +6921,9 @@ elf_i386_link_setup_gnu_properties (stru
+       for (abfd = info->input_bfds;
+ 	   abfd != NULL;
+ 	   abfd = abfd->link.next)
+-	if ((abfd->flags
+-	     & (DYNAMIC | BFD_LINKER_CREATED | BFD_PLUGIN)) == 0)
++	if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++	    && (abfd->flags
++		 & (DYNAMIC | BFD_LINKER_CREATED | BFD_PLUGIN)) == 0)
+ 	  {
+ 	    htab->elf.dynobj = abfd;
+ 	    dynobj = abfd;
+diff -rup binutils.orig/bfd/elf64-x86-64.c binutils-2.29/bfd/elf64-x86-64.c
+--- binutils.orig/bfd/elf64-x86-64.c	2017-09-15 10:27:16.820950918 +0100
++++ binutils-2.29/bfd/elf64-x86-64.c	2017-09-15 10:28:02.621416935 +0100
+@@ -7466,8 +7466,9 @@ error_alignment:
+ 	  for (abfd = info->input_bfds;
+ 	       abfd != NULL;
+ 	       abfd = abfd->link.next)
+-	    if ((abfd->flags
+-		 & (DYNAMIC | BFD_LINKER_CREATED | BFD_PLUGIN)) == 0)
++	    if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++		&& (abfd->flags
++		    & (DYNAMIC | BFD_LINKER_CREATED | BFD_PLUGIN)) == 0)
+ 	      {
+ 		htab->elf.dynobj = abfd;
+ 		dynobj = abfd;

binutils-CVE-2017-12799.patch

@@ -0,0 +1,11 @@
+--- binutils.orig/bfd/elf.c	2018-05-31 10:14:28.057641463 +0100
++++ binutils-2.29/bfd/elf.c	2018-05-31 11:56:03.883865081 +0100
+@@ -10977,7 +10977,7 @@ elf_read_notes (bfd *abfd, file_ptr offs
+ {
+   char *buf;
+ 
+-  if (size <= 0)
++  if (size == 0 || (size + 1) == 0)
+     return TRUE;
+ 
+   if (bfd_seek (abfd, offset, SEEK_SET) != 0)

binutils-CVE-2017-12967.patch

@@ -0,0 +1,11 @@
+--- binutils.orig/bfd/tekhex.c	2018-05-31 10:14:28.056641473 +0100
++++ binutils-2.29/bfd/tekhex.c	2018-05-31 11:41:13.185681254 +0100
+@@ -307,7 +307,7 @@ getsym (char *dstp, char **srcp, unsigne
+   len = hex_value (*src++);
+   if (len == 0)
+     len = 16;
+-  for (i = 0; i < len && src < endp; i++)
++  for (i = 0; i < len && (src + i) < endp; i++)
+     dstp[i] = src[i];
+   dstp[i] = 0;
+   *srcp = src + i;

binutils-CVE-2017-13757.patch

@@ -0,0 +1,132 @@
+diff -rup binutils.orig/bfd/elf32-i386.c binutils-2.29/bfd/elf32-i386.c
+--- binutils.orig/bfd/elf32-i386.c	2018-05-31 10:14:28.059641441 +0100
++++ binutils-2.29/bfd/elf32-i386.c	2018-05-31 10:15:09.362194799 +0100
+@@ -6376,7 +6376,7 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+   for (j = 0; plts[j].name != NULL; j++)
+     {
+       plt = bfd_get_section_by_name (abfd, plts[j].name);
+-      if (plt == NULL)
++      if (plt == NULL || plt->size == 0)
+ 	continue;
+ 
+       /* Get the PLT section contents.  */
+@@ -6392,7 +6392,9 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+ 
+       /* Check what kind of PLT it is.  */
+       plt_type = plt_unknown;
+-      if (plts[j].type == plt_unknown)
++      if (plts[j].type == plt_unknown
++	  && (plt->size >= (lazy_plt->plt0_entry_size
++			    + lazy_plt->plt_entry_size)))
+ 	{
+ 	  /* Match lazy PLT first.  */
+ 	  if (memcmp (plt_contents, lazy_plt->plt0_entry,
+@@ -6401,7 +6403,7 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+ 	      /* The fist entry in the lazy IBT PLT is the same as the
+ 		 normal lazy PLT.  */
+ 	      if (lazy_ibt_plt != NULL
+-		  && (memcmp (plt_contents + lazy_ibt_plt->plt_entry_size,
++		  && (memcmp (plt_contents + lazy_ibt_plt->plt0_entry_size,
+ 			      lazy_ibt_plt->plt_entry,
+ 			      lazy_ibt_plt->plt_got_offset) == 0))
+ 		plt_type = plt_lazy | plt_second;
+@@ -6414,7 +6416,7 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+ 	      /* The fist entry in the PIC lazy IBT PLT is the same as
+ 		 the normal PIC lazy PLT.  */
+ 	      if (lazy_ibt_plt != NULL
+-		  && (memcmp (plt_contents + lazy_ibt_plt->plt_entry_size,
++		  && (memcmp (plt_contents + lazy_ibt_plt->plt0_entry_size,
+ 			      lazy_ibt_plt->pic_plt_entry,
+ 			      lazy_ibt_plt->plt_got_offset) == 0))
+ 		plt_type = plt_lazy | plt_pic | plt_second;
+@@ -6424,7 +6426,8 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+ 	}
+ 
+       if (non_lazy_plt != NULL
+-	  && (plt_type == plt_unknown || plt_type == plt_non_lazy))
++	  && (plt_type == plt_unknown || plt_type == plt_non_lazy)
++	  && plt->size >= non_lazy_plt->plt_entry_size)
+ 	{
+ 	  /* Match non-lazy PLT.  */
+ 	  if (memcmp (plt_contents, non_lazy_plt->plt_entry,
+@@ -6436,7 +6439,8 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+ 	}
+ 
+       if ((non_lazy_ibt_plt != NULL)
+-	  && (plt_type == plt_unknown || plt_type == plt_second))
++	  && (plt_type == plt_unknown || plt_type == plt_second)
++	  && plt->size >= non_lazy_ibt_plt->plt_entry_size)
+ 	{
+ 	  if (memcmp (plt_contents,
+ 		      non_lazy_ibt_plt->plt_entry,
+@@ -6494,6 +6498,9 @@ elf_i386_get_synthetic_symtab (bfd *abfd
+ 	got_addr = (bfd_vma) -1;
+     }
+ 
++  if (count == 0)
++    return -1;
++
+   size = count * sizeof (asymbol);
+   s = *ret = (asymbol *) bfd_zmalloc (size);
+   if (s == NULL)
+Only in binutils-2.29/bfd/: elf32-i386.c.orig
+diff -rup binutils.orig/bfd/elf64-x86-64.c binutils-2.29/bfd/elf64-x86-64.c
+--- binutils.orig/bfd/elf64-x86-64.c	2018-05-31 10:14:28.078641236 +0100
++++ binutils-2.29/bfd/elf64-x86-64.c	2018-05-31 10:15:25.284022632 +0100
+@@ -6756,7 +6756,7 @@ elf_x86_64_get_synthetic_symtab (bfd *ab
+   for (j = 0; plts[j].name != NULL; j++)
+     {
+       plt = bfd_get_section_by_name (abfd, plts[j].name);
+-      if (plt == NULL)
++      if (plt == NULL || plt->size == 0)
+ 	continue;
+ 
+       /* Get the PLT section contents.  */
+@@ -6772,7 +6772,9 @@ elf_x86_64_get_synthetic_symtab (bfd *ab
+ 
+       /* Check what kind of PLT it is.  */
+       plt_type = plt_unknown;
+-      if (plts[j].type == plt_unknown)
++      if (plts[j].type == plt_unknown
++	  && (plt->size >= (lazy_plt->plt_entry_size
++			    + lazy_plt->plt_entry_size)))
+ 	{
+ 	  /* Match lazy PLT first.  Need to check the first two
+ 	     instructions.   */
+@@ -6800,7 +6802,8 @@ elf_x86_64_get_synthetic_symtab (bfd *ab
+ 	}
+ 
+       if (non_lazy_plt != NULL
+-	  && (plt_type == plt_unknown || plt_type == plt_non_lazy))
++	  && (plt_type == plt_unknown || plt_type == plt_non_lazy)
++	  && plt->size >= non_lazy_plt->plt_entry_size)
+ 	{
+ 	  /* Match non-lazy PLT.  */
+ 	  if (memcmp (plt_contents, non_lazy_plt->plt_entry,
+@@ -6811,6 +6814,7 @@ elf_x86_64_get_synthetic_symtab (bfd *ab
+       if (plt_type == plt_unknown || plt_type == plt_second)
+ 	{
+ 	  if (non_lazy_bnd_plt != NULL
++	      && plt->size >= non_lazy_bnd_plt->plt_entry_size
+ 	      && (memcmp (plt_contents, non_lazy_bnd_plt->plt_entry,
+ 			  non_lazy_bnd_plt->plt_got_offset) == 0))
+ 	    {
+@@ -6819,6 +6823,7 @@ elf_x86_64_get_synthetic_symtab (bfd *ab
+ 	      non_lazy_plt = non_lazy_bnd_plt;
+ 	    }
+ 	  else if (non_lazy_ibt_plt != NULL
++		   && plt->size >= non_lazy_ibt_plt->plt_entry_size
+ 		   && (memcmp (plt_contents,
+ 			       non_lazy_ibt_plt->plt_entry,
+ 			       non_lazy_ibt_plt->plt_got_offset) == 0))
+@@ -6864,6 +6869,9 @@ elf_x86_64_get_synthetic_symtab (bfd *ab
+       plts[j].contents = plt_contents;
+     }
+ 
++  if (count == 0)
++    return -1;
++
+   size = count * sizeof (asymbol);
+   s = *ret = (asymbol *) bfd_zmalloc (size);
+   if (s == NULL)
+Only in binutils-2.29/bfd/: elf64-x86-64.c.orig

binutils-CVE-2017-14333.patch

@@ -0,0 +1,224 @@
+--- binutils.orig/binutils/readelf.c	2018-05-31 10:14:28.019641872 +0100
++++ binutils-2.29/binutils/readelf.c	2018-05-31 10:57:28.912460915 +0100
+@@ -10154,9 +10154,8 @@ process_version_sections (FILE * file)
+ 	case SHT_GNU_verdef:
+ 	  {
+ 	    Elf_External_Verdef * edefs;
+-	    unsigned int idx;
+-	    unsigned int cnt;
+-	    unsigned int end;
++	    unsigned long idx;
++	    unsigned long cnt;
+ 	    char * endbuf;
+ 
+ 	    found = TRUE;
+@@ -10178,23 +10177,16 @@ process_version_sections (FILE * file)
+ 	      break;
+ 	    endbuf = (char *) edefs + section->sh_size;
+ 
+-	    /* PR 17531: file: id:000001,src:000172+005151,op:splice,rep:2.  */
+-	    end = (section->sh_info < section->sh_size
+-		   ? section->sh_info : section->sh_size);
+-	    for (idx = cnt = 0; cnt < end; ++cnt)
++	    for (idx = cnt = 0; cnt < section->sh_info; ++cnt)
+ 	      {
+ 		char * vstart;
+ 		Elf_External_Verdef * edef;
+ 		Elf_Internal_Verdef ent;
+ 		Elf_External_Verdaux * eaux;
+ 		Elf_Internal_Verdaux aux;
+-		unsigned int isum;
++		unsigned long isum;
+ 		int j;
+ 
+-		/* Check for very large indices.  */
+-		if (idx > (size_t) (endbuf - (char *) edefs))
+-		  break;
+-
+ 		vstart = ((char *) edefs) + idx;
+ 		if (vstart + sizeof (*edef) > endbuf)
+ 		  break;
+@@ -10209,19 +10201,20 @@ process_version_sections (FILE * file)
+ 		ent.vd_aux     = BYTE_GET (edef->vd_aux);
+ 		ent.vd_next    = BYTE_GET (edef->vd_next);
+ 
+-		printf (_("  %#06x: Rev: %d  Flags: %s"),
++		printf (_("  %#06lx: Rev: %d  Flags: %s"),
+ 			idx, ent.vd_version, get_ver_flags (ent.vd_flags));
+ 
+ 		printf (_("  Index: %d  Cnt: %d  "),
+ 			ent.vd_ndx, ent.vd_cnt);
+ 
+-		/* Check for overflow and underflow.  */
+-		if (ent.vd_aux + sizeof (* eaux) > (size_t) (endbuf - vstart)
+-		    || (vstart + ent.vd_aux < vstart))
++		/* Check for overflow.  */
++		if (ent.vd_aux > (size_t) (endbuf - vstart))
+ 		  break;
+ 
+ 		vstart += ent.vd_aux;
+ 
++		if (vstart + sizeof (*eaux) > endbuf)
++		  break;
+ 		eaux = (Elf_External_Verdaux *) vstart;
+ 
+ 		aux.vda_name = BYTE_GET (eaux->vda_name);
+@@ -10236,6 +10229,14 @@ process_version_sections (FILE * file)
+ 
+ 		for (j = 1; j < ent.vd_cnt; j++)
+ 		  {
++		    if (aux.vda_next < sizeof (*eaux)
++			&& !(j == ent.vd_cnt - 1 && aux.vda_next == 0))
++		      {
++			warn (_("Invalid vda_next field of %lx\n"),
++			      aux.vda_next);
++			j = ent.vd_cnt;
++			break;
++		      }
+ 		    /* Check for overflow.  */
+ 		    if (aux.vda_next > (size_t) (endbuf - vstart))
+ 		      break;
+@@ -10243,18 +10244,18 @@ process_version_sections (FILE * file)
+ 		    isum   += aux.vda_next;
+ 		    vstart += aux.vda_next;
+ 
+-		    eaux = (Elf_External_Verdaux *) vstart;
+ 		    if (vstart + sizeof (*eaux) > endbuf)
+ 		      break;
++		    eaux = (Elf_External_Verdaux *) vstart;
+ 
+ 		    aux.vda_name = BYTE_GET (eaux->vda_name);
+ 		    aux.vda_next = BYTE_GET (eaux->vda_next);
+ 
+ 		    if (VALID_DYNAMIC_NAME (aux.vda_name))
+-		      printf (_("  %#06x: Parent %d: %s\n"),
++		      printf (_("  %#06lx: Parent %d: %s\n"),
+ 			      isum, j, GET_DYNAMIC_NAME (aux.vda_name));
+ 		    else
+-		      printf (_("  %#06x: Parent %d, name index: %ld\n"),
++		      printf (_("  %#06lx: Parent %d, name index: %ld\n"),
+ 			      isum, j, aux.vda_name);
+ 		  }
+ 
+@@ -10263,7 +10264,14 @@ process_version_sections (FILE * file)
+ 
+ 		/* PR 17531:
+ 		   file: id:000001,src:000172+005151,op:splice,rep:2.  */
+-		if (idx + ent.vd_next < idx)
++		if (ent.vd_next < sizeof (*edef)
++		    && !(cnt == section->sh_info - 1 && ent.vd_next == 0))
++		  {
++		    warn (_("Invalid vd_next field of %lx\n"), ent.vd_next);
++		    cnt = section->sh_info;
++		    break;
++		  }
++		if (ent.vd_next > (size_t) (endbuf - ((char *) edefs + idx)))
+ 		  break;
+ 
+ 		idx += ent.vd_next;
+@@ -10279,8 +10287,8 @@ process_version_sections (FILE * file)
+ 	case SHT_GNU_verneed:
+ 	  {
+ 	    Elf_External_Verneed * eneed;
+-	    unsigned int idx;
+-	    unsigned int cnt;
++	    unsigned long idx;
++	    unsigned long cnt;
+ 	    char * endbuf;
+ 
+ 	    found = TRUE;
+@@ -10306,13 +10314,10 @@ process_version_sections (FILE * file)
+ 	      {
+ 		Elf_External_Verneed * entry;
+ 		Elf_Internal_Verneed ent;
+-		unsigned int isum;
++		unsigned long isum;
+ 		int j;
+ 		char * vstart;
+ 
+-		if (idx > (size_t) (endbuf - (char *) eneed))
+-		  break;
+-
+ 		vstart = ((char *) eneed) + idx;
+ 		if (vstart + sizeof (*entry) > endbuf)
+ 		  break;
+@@ -10325,7 +10330,7 @@ process_version_sections (FILE * file)
+ 		ent.vn_aux     = BYTE_GET (entry->vn_aux);
+ 		ent.vn_next    = BYTE_GET (entry->vn_next);
+ 
+-		printf (_("  %#06x: Version: %d"), idx, ent.vn_version);
++		printf (_("  %#06lx: Version: %d"), idx, ent.vn_version);
+ 
+ 		if (VALID_DYNAMIC_NAME (ent.vn_file))
+ 		  printf (_("  File: %s"), GET_DYNAMIC_NAME (ent.vn_file));
+@@ -10355,24 +10360,26 @@ process_version_sections (FILE * file)
+ 		    aux.vna_next  = BYTE_GET (eaux->vna_next);
+ 
+ 		    if (VALID_DYNAMIC_NAME (aux.vna_name))
+-		      printf (_("  %#06x:   Name: %s"),
++		      printf (_("  %#06lx:   Name: %s"),
+ 			      isum, GET_DYNAMIC_NAME (aux.vna_name));
+ 		    else
+-		      printf (_("  %#06x:   Name index: %lx"),
++		      printf (_("  %#06lx:   Name index: %lx"),
+ 			      isum, aux.vna_name);
+ 
+ 		    printf (_("  Flags: %s  Version: %d\n"),
+ 			    get_ver_flags (aux.vna_flags), aux.vna_other);
+ 
+-		    /* Check for overflow.  */
+-		    if (aux.vna_next > (size_t) (endbuf - vstart)
+-			|| (aux.vna_next == 0 && j < ent.vn_cnt - 1))
++		    if (aux.vna_next < sizeof (*eaux)
++			&& !(j == ent.vn_cnt - 1 && aux.vna_next == 0))
+ 		      {
+ 			warn (_("Invalid vna_next field of %lx\n"),
+ 			      aux.vna_next);
+ 			j = ent.vn_cnt;
+ 			break;
+ 		      }
++		    /* Check for overflow.  */
++		    if (aux.vna_next > (size_t) (endbuf - vstart))
++		      break;
+ 		    isum   += aux.vna_next;
+ 		    vstart += aux.vna_next;
+ 		  }
+@@ -10380,12 +10387,15 @@ process_version_sections (FILE * file)
+ 		if (j < ent.vn_cnt)
+ 		  warn (_("Missing Version Needs auxillary information\n"));
+ 
+-		if (ent.vn_next == 0 && cnt < section->sh_info - 1)
++		if (ent.vn_next < sizeof (*entry)
++		    && !(cnt == section->sh_info - 1 && ent.vn_next == 0))
+ 		  {
+-		    warn (_("Corrupt Version Needs structure - offset to next structure is zero with entries still left to be processed\n"));
++		    warn (_("Invalid vn_next field of %lx\n"), ent.vn_next);
+ 		    cnt = section->sh_info;
+ 		    break;
+ 		  }
++		if (ent.vn_next > (size_t) (endbuf - ((char *) eneed + idx)))
++		  break;
+ 		idx += ent.vn_next;
+ 	      }
+ 
+@@ -12859,7 +12869,9 @@ dump_section_as_strings (Elf_Internal_Sh
+   real_start = start = (unsigned char *) get_section_contents (section,
+ 							       file);
+   if (start == NULL)
+-    return FALSE;
++    /* PR 21820: Do not fail if the section was empty.  */
++    return (section->sh_size == 0 || section->sh_type == SHT_NOBITS) ? TRUE : FALSE;
++
+   num_bytes = section->sh_size;
+ 
+   printf (_("\nString dump of section '%s':\n"), printable_section_name (section));
+@@ -13005,7 +13017,8 @@ dump_section_as_bytes (Elf_Internal_Shdr
+ 
+   real_start = start = (unsigned char *) get_section_contents (section, file);
+   if (start == NULL)
+-    return FALSE;
++    /* PR 21820: Do not fail if the section was empty.  */
++    return (section->sh_size == 0 || section->sh_type == SHT_NOBITS) ? TRUE : FALSE;
+ 
+   section_size = section->sh_size;
+ 

binutils-CVE-2018-10372.patch

@@ -0,0 +1,22 @@
+--- binutils.orig/binutils/dwarf.c	2018-07-11 11:45:09.971024884 +0100
++++ binutils-2.29/binutils/dwarf.c	2018-07-11 14:16:38.417025086 +0100
+@@ -8509,7 +8509,18 @@ process_cu_tu_index (struct dwarf_sectio
+ 		}
+ 
+ 	      if (!do_display)
+-		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
++		{
++		  size_t num_copy = sizeof (uint64_t);
++
++		  /* PR 23064: Beware of buffer overflow.  */
++		  if (ph + num_copy < limit)
++		    memcpy (&this_set[row - 1].signature, ph, num_copy);
++		  else
++		    {
++		      warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
++		      return 0;
++		    }
++		}
+ 
+ 	      prow = poffsets + (row - 1) * ncols * 4;
+ 	      /* PR 17531: file: b8ce60a8.  */

binutils-CVE-2018-10373.patch

@@ -0,0 +1,11 @@
+--- binutils.orig/bfd/dwarf2.c	2018-07-11 14:28:44.557235916 +0100
++++ binutils-2.29.1/bfd/dwarf2.c	2018-07-11 14:38:37.611875790 +0100
+@@ -1593,7 +1593,7 @@ concat_filename (struct line_info_table
+ {
+   char *filename;
+ 
+-  if (file - 1 >= table->num_files)
++  if (table == NULL || file - 1 >= table->num_files)
+     {
+       /* FILE == 0 means unknown.  */
+       if (file)

binutils-CVE-2018-10535.patch

@@ -0,0 +1,19 @@
+--- binutils.orig/bfd/peXXigen.c	2018-07-11 14:28:44.937231840 +0100
++++ binutils-2.29.1/bfd/peXXigen.c	2018-07-11 14:29:27.861771394 +0100
+@@ -2992,6 +2992,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common
+ 	      return FALSE;
+ 	    }
+ 
++	  /* PR 23110.  */
++	  else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
++	    {
++	      /* xgettext:c-format */
++	      _bfd_error_handler
++		(_("%pB: Data Directory size (%#lx) is negative"),
++		 obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
++	      return FALSE;
++	    }
++
+           for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
+ 		 / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)
+             {

binutils-CVE-2018-6323.patch

@@ -0,0 +1,20 @@
+--- binutils.orig/bfd/elfcode.h	2018-07-11 14:28:45.439226455 +0100
++++ binutils-2.29.1/bfd/elfcode.h	2018-07-11 15:23:54.982819379 +0100
+@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd)
+       if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
+ 	goto got_wrong_format_error;
+ #endif
+-      amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
++      amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum;
+       i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
+       if (!i_shdrp)
+ 	goto got_no_match;
+@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd)
+       if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ 	goto got_wrong_format_error;
+ #endif
+-      amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
++      amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
+       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
+       if (elf_tdata (abfd)->phdr == NULL)
+ 	goto got_no_match;

binutils-CVE-2018-6759.patch

@@ -0,0 +1,68 @@
+--- binutils.orig/bfd/opncls.c	2018-07-11 14:28:44.690234489 +0100
++++ binutils-2.29.1/bfd/opncls.c	2018-07-11 15:14:54.576580916 +0100
+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   bfd_byte *contents;
+   unsigned int crc_offset;
+   char *name;
++  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (crc32_out);
+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   if (sect == NULL)
+     return NULL;
+ 
++  size = bfd_get_section_size (sect);
++
++  /* PR 22794: Make sure that the section has a reasonable size.  */
++  if (size < 8 || size >= bfd_get_size (abfd))
++    return NULL;
++
+   if (!bfd_malloc_and_get_section (abfd, sect, &contents))
+     {
+       if (contents != NULL)
+@@ -1198,9 +1205,9 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   /* CRC value is stored after the filename, aligned up to 4 bytes.  */
+   name = (char *) contents;
+   /* PR 17597: avoid reading off the end of the buffer.  */
+-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++  crc_offset = strnlen (name, size) + 1;
+   crc_offset = (crc_offset + 3) & ~3;
+-  if (crc_offset >= bfd_get_section_size (sect))
++  if (crc_offset >= size)
+     return NULL;
+ 
+   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   bfd_byte *contents;
+   unsigned int buildid_offset;
+   char *name;
++  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (buildid_len);
+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   if (sect == NULL)
+     return NULL;
+ 
++  size = bfd_get_section_size (sect);
++  if (size < 8 || size >= bfd_get_size (abfd))
++    return NULL;
++
+   if (!bfd_malloc_and_get_section (abfd, sect, & contents))
+     {
+       if (contents != NULL)
+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+ 
+   /* BuildID value is stored after the filename.  */
+   name = (char *) contents;
+-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++  buildid_offset = strnlen (name, size) + 1;
+   if (buildid_offset >= bfd_get_section_size (sect))
+     return NULL;
+ 
+-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;
++  *buildid_len = size - buildid_offset;
+   *buildid_out = bfd_malloc (*buildid_len);
+   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
+ 

binutils-CVE-2018-7208.patch

@@ -0,0 +1,12 @@
+--- binutils.orig/bfd/coffgen.c	2018-07-11 11:45:09.490030070 +0100
++++ binutils-2.29/bfd/coffgen.c	2018-07-11 15:02:48.863331411 +0100
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+ 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;

binutils-CVE-2018-7568.patch

@@ -0,0 +1,39 @@
+--- binutils.orig/bfd/dwarf1.c	2018-07-11 11:45:09.482030157 +0100
++++ binutils-2.29/bfd/dwarf1.c	2018-07-11 11:48:19.564980423 +0100
+@@ -208,6 +208,7 @@ parse_die (bfd *             abfd,
+   /* Then the attributes.  */
+   while (xptr < (this_die + aDieInfo->length))
+     {
++      unsigned int   block_len;
+       unsigned short attr;
+ 
+       /* Parse the attribute based on its form.  This section
+@@ -243,10 +244,26 @@ parse_die (bfd *             abfd,
+ 	  xptr += 4;
+ 	  break;
+ 	case FORM_BLOCK2:
+-	  xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr);
++ 	  if (xptr + 2 <= aDiePtrEnd)
++	    {
++	      block_len = bfd_get_16 (abfd, xptr);
++	      if (xptr + block_len > aDiePtrEnd
++		  || xptr + block_len < xptr)
++		return FALSE;
++	      xptr += block_len;
++	    }
++ 	  xptr += 2;
+ 	  break;
+ 	case FORM_BLOCK4:
+-	  xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr);
++	  if (xptr + 4 <= aDiePtrEnd)
++	    {
++	      block_len = bfd_get_32 (abfd, xptr);
++	      if (xptr + block_len > aDiePtrEnd
++		  || xptr + block_len < xptr)
++		return FALSE;
++	      xptr += block_len;
++	    }
++ 	  xptr += 4;
+ 	  break;
+ 	case FORM_STRING:
+ 	  if (attr == AT_name)

binutils-CVE-2018-7569.patch

@@ -0,0 +1,75 @@
+--- binutils.orig/bfd/dwarf2.c	2018-07-11 11:45:09.491030059 +0100
++++ binutils-2.29/bfd/dwarf2.c	2018-07-11 12:16:12.975943400 +0100
+@@ -626,14 +626,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+ 
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+-	      bfd_byte *buf,
+-	      bfd_byte *end,
+-	      unsigned int size ATTRIBUTE_UNUSED)
+-{
+-  if (buf + size > end)
+-    return NULL;
+-  return buf;
++read_n_bytes (bfd_byte *           buf,
++	      bfd_byte *           end,
++	      struct dwarf_block * block)
++{
++  unsigned int  size = block->size;
++  bfd_byte *    block_end = buf + size;
++
++  if (block_end > end || block_end < buf)
++    {
++      block->data = NULL;
++      block->size = 0;
++      return end;
++    }
++  else
++    {
++      block->data = buf;
++      return block_end;
++    }
+ }
+ 
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1131,8 +1141,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 2;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block4:
+@@ -1142,8 +1151,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 4;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data2:
+@@ -1183,8 +1191,7 @@ read_attribute_value (struct attribute *
+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+ 					 FALSE, info_ptr_end);
+       info_ptr += bytes_read;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block1:
+@@ -1194,8 +1201,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+       info_ptr += 1;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data1:

binutils-CVE-2018-7643.patch

@@ -0,0 +1,16 @@
+--- binutils.orig/binutils/dwarf.c	2018-04-27 09:22:07.402864408 +0100
++++ binutils-2.30/binutils/dwarf.c	2018-04-27 09:24:26.794235786 +0100
+@@ -6810,6 +6810,13 @@ display_debug_ranges (struct dwarf_secti
+ 	  continue;
+ 	}
+ 
++      if (next < section_begin || next >= finish)
++	{
++	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
++		(unsigned long) offset, i);
++	  continue;
++	}
++
+       if (dwarf_check != 0 && i > 0)
+ 	{
+ 	  if (start < next)

binutils-ifunc-relocs-in-notes.patch

@@ -0,0 +1,148 @@
+diff -rup binutils.orig/bfd/elf32-i386.c binutils-2.29/bfd/elf32-i386.c
+--- binutils.orig/bfd/elf32-i386.c	2018-03-09 15:45:28.758238880 +0000
++++ binutils-2.29/bfd/elf32-i386.c	2018-03-09 15:47:19.000943106 +0000
+@@ -4097,6 +4097,10 @@ elf_i386_relocate_section (bfd *output_b
+ 
+ 	  if ((input_section->flags & SEC_ALLOC) == 0)
+ 	    {
++	      /* If this is a SHT_NOTE section without SHF_ALLOC, treat
++	         STT_GNU_IFUNC symbol as STT_FUNC.  */
++	      if (elf_section_type (input_section) == SHT_NOTE)
++		goto skip_ifunc;
+ 	      /* Dynamic relocs are not propagated for SEC_DEBUGGING
+ 		 sections because such sections are not SEC_ALLOC and
+ 		 thus ld.so will not process them.  */
+@@ -4318,6 +4322,7 @@ do_ifunc_pointer:
+ 	    }
+ 	}
+ 
++    skip_ifunc:
+       resolved_to_zero = (eh != NULL
+ 			  && UNDEFINED_WEAK_RESOLVED_TO_ZERO (info,
+ 							      eh->has_got_reloc,
+diff -rup binutils.orig/bfd/elf32-s390.c binutils-2.29/bfd/elf32-s390.c
+--- binutils.orig/bfd/elf32-s390.c	2018-03-09 15:45:28.775238681 +0000
++++ binutils-2.29/bfd/elf32-s390.c	2018-03-09 15:47:50.219576165 +0000
+@@ -2770,6 +2770,9 @@ elf_s390_relocate_section (bfd *output_b
+ 	case R_390_8:
+ 	case R_390_16:
+ 	case R_390_32:
++	  if ((input_section->flags & SEC_ALLOC) == 0)
++	    break;
++
+ 	  if (h != NULL
+ 	      && s390_is_ifunc_symbol_p (h)
+ 	      && h->def_regular)
+@@ -2831,9 +2834,6 @@ elf_s390_relocate_section (bfd *output_b
+ 		}
+ 	    }
+ 
+-	  if ((input_section->flags & SEC_ALLOC) == 0)
+-	    break;
+-
+ 	  if ((bfd_link_pic (info)
+ 	       && (h == NULL
+ 		   || ELF_ST_VISIBILITY (h->other) == STV_DEFAULT
+diff -rup binutils.orig/bfd/elf64-s390.c binutils-2.29/bfd/elf64-s390.c
+--- binutils.orig/bfd/elf64-s390.c	2018-03-09 15:45:28.779238634 +0000
++++ binutils-2.29/bfd/elf64-s390.c	2018-03-09 15:48:30.734099969 +0000
+@@ -2737,6 +2737,9 @@ elf_s390_relocate_section (bfd *output_b
+ 	case R_390_32:
+ 	case R_390_64:
+ 
++	  if ((input_section->flags & SEC_ALLOC) == 0)
++	    break;
++
+ 	  if (h != NULL
+ 	      && s390_is_ifunc_symbol_p (h)
+ 	      && h->def_regular)
+@@ -2799,9 +2802,6 @@ elf_s390_relocate_section (bfd *output_b
+ 		}
+ 	    }
+ 
+-	  if ((input_section->flags & SEC_ALLOC) == 0)
+-	    break;
+-
+ 	  if ((bfd_link_pic (info)
+ 	       && (h == NULL
+ 		   || ELF_ST_VISIBILITY (h->other) == STV_DEFAULT
+diff -rup binutils.orig/bfd/elf64-x86-64.c binutils-2.29/bfd/elf64-x86-64.c
+--- binutils.orig/bfd/elf64-x86-64.c	2018-03-09 15:45:28.772238716 +0000
++++ binutils-2.29/bfd/elf64-x86-64.c	2018-03-09 15:48:59.184765567 +0000
+@@ -4426,6 +4426,10 @@ elf_x86_64_relocate_section (bfd *output
+ 
+ 	  if ((input_section->flags & SEC_ALLOC) == 0)
+ 	    {
++	      /* If this is a SHT_NOTE section without SHF_ALLOC, treat
++	         STT_GNU_IFUNC symbol as STT_FUNC.  */
++	      if (elf_section_type (input_section) == SHT_NOTE)
++		goto skip_ifunc;
+ 	      /* Dynamic relocs are not propagated for SEC_DEBUGGING
+ 		 sections because such sections are not SEC_ALLOC and
+ 		 thus ld.so will not process them.  */
+@@ -4651,6 +4655,7 @@ do_ifunc_pointer:
+ 	    }
+ 	}
+ 
++    skip_ifunc:
+       resolved_to_zero = (eh != NULL
+ 			  && UNDEFINED_WEAK_RESOLVED_TO_ZERO (info,
+ 							      eh->has_got_reloc,
+diff -rup binutils.orig/bfd/elfnn-aarch64.c binutils-2.29/bfd/elfnn-aarch64.c
+--- binutils.orig/bfd/elfnn-aarch64.c	2018-03-09 15:45:28.768238763 +0000
++++ binutils-2.29/bfd/elfnn-aarch64.c	2018-03-09 15:53:05.151874514 +0000
+@@ -4981,6 +4981,20 @@ elfNN_aarch64_final_link_relocate (reloc
+       const char *name;
+       bfd_vma addend = 0;
+ 
++      if ((input_section->flags & SEC_ALLOC) == 0)
++	{
++	  /* If this is a SHT_NOTE section without SHF_ALLOC, treat
++	     STT_GNU_IFUNC symbol as STT_FUNC.  */
++	  if (elf_section_type (input_section) == SHT_NOTE)
++	    goto skip_ifunc;
++
++	  /* Dynamic relocs are not propagated for SEC_DEBUGGING
++	     sections because such sections are not SEC_ALLOC and
++	     thus ld.so will not process them.  */
++	  if ((input_section->flags & SEC_DEBUGGING) != 0)
++	    return bfd_reloc_ok;
++	}
++
+       if ((input_section->flags & SEC_ALLOC) == 0
+ 	  || h->plt.offset == (bfd_vma) -1)
+ 	abort ();
+@@ -5157,6 +5171,7 @@ elfNN_aarch64_final_link_relocate (reloc
+ 	}
+     }
+ 
++ skip_ifunc:
+   switch (bfd_r_type)
+     {
+     case BFD_RELOC_AARCH64_NONE:
+diff -rup binutils.orig/bfd/elfxx-sparc.c binutils-2.29/bfd/elfxx-sparc.c
+--- binutils.orig/bfd/elfxx-sparc.c	2018-03-09 15:45:28.767238774 +0000
++++ binutils-2.29/bfd/elfxx-sparc.c	2018-03-09 15:53:51.395330976 +0000
+@@ -3203,7 +3203,13 @@ _bfd_sparc_elf_relocate_section (bfd *ou
+ 
+ 	  if ((input_section->flags & SEC_ALLOC) == 0
+ 	      || h->plt.offset == (bfd_vma) -1)
+-	    abort ();
++	    {
++	      /* If this is a SHT_NOTE section without SHF_ALLOC, treat
++	         STT_GNU_IFUNC symbol as STT_FUNC.  */
++	      if (elf_section_type (input_section) == SHT_NOTE)
++		goto skip_ifunc;
++	      abort ();
++	    }
+ 
+ 	  plt_sec = htab->elf.splt;
+ 	  if (! plt_sec)
+@@ -3307,6 +3313,7 @@ _bfd_sparc_elf_relocate_section (bfd *ou
+ 	    }
+ 	}
+ 
++    skip_ifunc:
+       eh = (struct _bfd_sparc_elf_link_hash_entry *) h;
+       resolved_to_zero = (eh != NULL
+                           && UNDEFINED_WEAK_RESOLVED_TO_ZERO (info, eh));

binutils-readelf-other-sym-info.patch

@@ -0,0 +1,66 @@
+diff -rup binutils.orig/binutils/readelf.c binutils-2.29/binutils/readelf.c
+--- binutils.orig/binutils/readelf.c	2017-12-12 16:24:19.571221194 +0000
++++ binutils-2.29/binutils/readelf.c	2017-12-12 16:27:26.997979803 +0000
+@@ -11018,12 +11018,14 @@ print_dynamic_symbol (bfd_vma si, unsign
+       unsigned int vis = ELF_ST_VISIBILITY (psym->st_other);
+ 
+       printf (" %-7s",  get_symbol_visibility (vis));
++#if 0
+       /* Check to see if any other bits in the st_other field are set.
+ 	 Note - displaying this information disrupts the layout of the
+ 	 table being generated, but for the moment this case is very
+ 	 rare.  */
+       if (psym->st_other ^ vis)
+ 	printf (" [%s] ", get_symbol_other (psym->st_other ^ vis));
++#endif
+     }
+ 
+   printf (" %3.3s ", get_symbol_index_type (psym->st_shndx));
+@@ -11031,6 +11033,15 @@ print_dynamic_symbol (bfd_vma si, unsign
+     print_symbol (25, GET_DYNAMIC_NAME (psym->st_name));
+   else
+     printf (_(" <corrupt: %14ld>"), psym->st_name);
++#if 1
++    {
++      unsigned int vis = ELF_ST_VISIBILITY (psym->st_other);
++
++      /* Check to see if any other bits in the st_other field are set.  */
++      if (psym->st_other ^ vis)
++	printf (" \t[%s]", get_symbol_other (psym->st_other ^ vis));
++    }
++#endif
+   putchar ('\n');
+ }
+ 
+--- binutils.orig/binutils/readelf.c	2017-12-12 16:36:21.806561149 +0000
++++ binutils-2.29.1/binutils/readelf.c	2017-12-12 16:38:17.763168514 +0000
+@@ -11548,11 +11548,13 @@ process_symbol_table (FILE * file)
+ 		  unsigned int vis = ELF_ST_VISIBILITY (psym->st_other);
+ 
+ 		  printf (" %-7s", get_symbol_visibility (vis));
++#if 0
+ 		  /* Check to see if any other bits in the st_other field are set.
+ 		     Note - displaying this information disrupts the layout of the
+ 		     table being generated, but for the moment this case is very rare.  */
+ 		  if (psym->st_other ^ vis)
+ 		    printf (" [%s] ", get_symbol_other (psym->st_other ^ vis));
++#endif
+ 		}
+ 	      printf (" %4s ", get_symbol_index_type (psym->st_shndx));
+ 	      print_symbol (25, psym->st_name < strtab_size
+@@ -11571,7 +11573,15 @@ process_symbol_table (FILE * file)
+ 		    printf (sym_info == symbol_hidden ? "@%s" : "@@%s",
+ 			    version_string);
+ 		}
++#if 1
++		{
++		  unsigned int vis = ELF_ST_VISIBILITY (psym->st_other);
+ 
++		  /* Check to see if any other bits in the st_other field are set.  */
++		  if (psym->st_other ^ vis)
++		    printf (" \t[%s] ", get_symbol_other (psym->st_other ^ vis));
++		}
++#endif
+ 	      putchar ('\n');
+ 
+ 	      if (ELF_ST_BIND (psym->st_info) == STB_LOCAL

binutils-speed-up-objdump.patch

@@ -0,0 +1,97 @@
+--- binutils.orig/binutils/objdump.c	2018-03-05 17:04:19.901619738 +0000
++++ binutils-2.29/binutils/objdump.c	2018-03-05 17:10:08.334643096 +0000
+@@ -664,9 +664,7 @@ slurp_dynamic_symtab (bfd *abfd)
+ static bfd_boolean
+ is_significant_symbol_name (const char * name)
+ {
+-  return strcmp (name, ".plt") == 0
+-    ||   strcmp (name, ".got") == 0
+-    ||   strcmp (name, ".plt.got") == 0;
++  return strncmp (name, ".plt", 4) == 0 || strcmp (name, ".got") == 0;
+ }
+ 
+ /* Filter out (in place) symbols that are useless for disassembly.
+@@ -937,6 +935,7 @@ find_symbol_for_address (bfd_vma vma,
+   asection *sec;
+   unsigned int opb;
+   bfd_boolean want_section;
++  long rel_count;
+ 
+   if (sorted_symcount < 1)
+     return NULL;
+@@ -1065,33 +1064,59 @@ find_symbol_for_address (bfd_vma vma,
+      and we have dynamic relocations available, then we can produce
+      a better result by matching a relocation to the address and
+      using the symbol associated with that relocation.  */
++  rel_count = aux->dynrelcount;
+   if (!want_section
+-      && aux->dynrelbuf != NULL
+       && sorted_syms[thisplace]->value != vma
++      && rel_count > 0
++      && aux->dynrelbuf != NULL
++      && aux->dynrelbuf[0]->address <= vma
++      && aux->dynrelbuf[rel_count - 1]->address >= vma
+       /* If we have matched a synthetic symbol, then stick with that.  */
+       && (sorted_syms[thisplace]->flags & BSF_SYNTHETIC) == 0)
+     {
+-      long        rel_count;
+-      arelent **  rel_pp;
++      arelent **  rel_low;
++      arelent **  rel_high;
+ 
+-      for (rel_count = aux->dynrelcount, rel_pp = aux->dynrelbuf;
+-	   rel_count--;)
++      rel_low = aux->dynrelbuf;
++      rel_high = rel_low + rel_count - 1;
++      while (rel_low <= rel_high)
+ 	{
+-	  arelent * rel = rel_pp[rel_count];
++	  arelent ** rel_mid = &rel_low[(rel_high - rel_low) / 2];
++	  arelent *  rel = *rel_mid;
+ 
+-	  if (rel->address == vma
+-	      && rel->sym_ptr_ptr != NULL
+-	      /* Absolute relocations do not provide a more helpful symbolic address.  */
+-	      && ! bfd_is_abs_section ((* rel->sym_ptr_ptr)->section))
++	  if (rel->address == vma)
+ 	    {
+-	      if (place != NULL)
+-		* place = thisplace;
+-	      return * rel->sym_ptr_ptr;
++	      /* Absolute relocations do not provide a more helpful
++	         symbolic address.  Find a non-absolute relocation
++	         with the same address.  */
++
++	      arelent **rel_vma = rel_mid;
++
++	      for (rel_mid--;
++		   rel_mid >= rel_low && rel_mid[0]->address == vma;
++		   rel_mid--)
++		rel_vma = rel_mid;
++
++	      for (; rel_vma <= rel_high && rel_vma[0]->address == vma;
++		   rel_vma++)
++		{
++		  rel = *rel_vma;
++		  if (rel->sym_ptr_ptr != NULL
++		      && ! bfd_is_abs_section ((* rel->sym_ptr_ptr)->section))
++		    {
++		      if (place != NULL)
++			* place = thisplace;
++		      return * rel->sym_ptr_ptr;
++		    }
++		}
++	      break;
+ 	    }
+ 
+-	  /* We are scanning backwards, so if we go below the target address
+-	     we have failed.  */
+-	  if (rel_pp[rel_count]->address < vma)
++	  if (vma < rel->address)
++	    rel_high = rel_mid;
++	  else if (vma >= rel_mid[1]->address)
++	    rel_low = rel_mid + 1;
++	  else
+ 	    break;
+ 	}
+     }

binutils-strip-delete-relocs.patch

@@ -0,0 +1,73 @@
+diff -rup binutils.orig/bfd/elf64-sparc.c binutils-2.29.1/bfd/elf64-sparc.c
+--- binutils.orig/bfd/elf64-sparc.c	2017-12-07 17:23:06.764174312 +0000
++++ binutils-2.29.1/bfd/elf64-sparc.c	2017-12-07 17:23:20.540009839 +0000
+@@ -287,6 +287,7 @@ elf64_sparc_set_reloc (bfd *abfd ATTRIBU
+                        unsigned int count)
+ {
+   asect->orelocation = location;
++  asect->reloc_count = count / 2;
+   canon_reloc_count (asect) = count;
+ }
+ 
+Only in binutils-2.29.1/bfd: elf64-sparc.c.orig
+diff -rup binutils.orig/bfd/elfcode.h binutils-2.29.1/bfd/elfcode.h
+--- binutils.orig/bfd/elfcode.h	2017-12-07 17:23:06.722174814 +0000
++++ binutils-2.29.1/bfd/elfcode.h	2017-12-07 17:23:20.541009827 +0000
+@@ -958,6 +958,12 @@ elf_write_relocs (bfd *abfd, asection *s
+ 	  return;
+ 	}
+ 
++      if (ptr->howto == NULL)
++	{
++	  *failedp = TRUE;
++	  return;
++	}
++
+       src_rela.r_offset = ptr->address + addr_offset;
+       src_rela.r_info = ELF_R_INFO (n, ptr->howto->type);
+       src_rela.r_addend = ptr->addend;
+diff -rup binutils.orig/binutils/objcopy.c binutils-2.29.1/binutils/objcopy.c
+--- binutils.orig/binutils/objcopy.c	2017-12-07 17:23:06.769174253 +0000
++++ binutils-2.29.1/binutils/objcopy.c	2017-12-07 17:23:20.542009815 +0000
+@@ -3785,14 +3785,24 @@ copy_relocations_in_section (bfd *ibfd,
+     }
+   else
+     {
+-      relpp = (arelent **) xmalloc (relsize);
+-      relcount = bfd_canonicalize_reloc (ibfd, isection, relpp, isympp);
+-      if (relcount < 0)
++      if (isection->orelocation != NULL)
+ 	{
+-	  status = 1;
+-	  bfd_nonfatal_message (NULL, ibfd, isection,
+-				_("relocation count is negative"));
+-	  return;
++	  /* Some other function has already set up the output relocs
++	     for us, so scan those instead of the default relocs.  */
++	  relcount = isection->reloc_count;
++	  relpp = isection->orelocation;
++	}
++      else
++	{
++	  relpp = (arelent **) xmalloc (relsize);
++	  relcount = bfd_canonicalize_reloc (ibfd, isection, relpp, isympp);
++	  if (relcount < 0)
++	    {
++	      status = 1;
++	      bfd_nonfatal_message (NULL, ibfd, isection,
++				    _("relocation count is negative"));
++	      return;
++	    }
+ 	}
+ 
+       if (strip_symbols == STRIP_ALL)
+@@ -3815,7 +3825,8 @@ copy_relocations_in_section (bfd *ibfd,
+ 		  temp_relpp [temp_relcount++] = relpp [i];
+ 	    }
+ 	  relcount = temp_relcount;
+-	  free (relpp);
++	  if (isection->orelocation == NULL)
++	    free (relpp);
+ 	  relpp = temp_relpp;
+ 	}
+ 

binutils.spec

@@ -1,19 +1,14 @@
-# rpmbuild parameters:
+# Binutils SPEC file.  Can be invoked with the following parameters:
+
 # --define "binutils_target arm-linux-gnu" to create arm-linux-gnu-binutils.
 # --with=bootstrap: Build with minimal dependencies.
 # --with=debug: Build without optimizations and without splitting the debuginfo.
 # --without=docs: Skip building documentation.
-# --without=testsuite: Do not run the testsuite.
+# --without=testsuite: Do not run the testsuite.  Default is to run it.
+# --with=testsuite: Run the testsuite.  Default when --with=debug is not to run it.
+
+#---Start of Configure Options-----------------------------------------------
 
-%if 0%{!?binutils_target:1}
-%define binutils_target %{_target_platform}
-%define isnative 1
-%define enable_shared 1
-%else
-%define cross %{binutils_target}-
-%define isnative 0
-%define enable_shared 0
-%endif
 # BZ 1124342: Provide a way to enable deterministic archives.
 # BZ 1195883: But do not do this by default.
 %define enable_deterministic_archives 0
@@ -21,6 +16,10 @@
 %define enable_lto 1
 # Disable the default generation of compressed debug sections.
 %define default_compress_debug 0
+# Default to read-only-relocations (relro) in shared binaries.
+%define default_relro 1
+
+#----End of Configure Options------------------------------------------------
 
 # Default: Not bootstrapping.
 %bcond_with bootstrap
@@ -40,60 +39,192 @@
 %undefine with_testsuite
 %endif
 
+%if 0%{!?binutils_target:1}
+%define binutils_target %{_target_platform}
+%define isnative 1
+%define enable_shared 1
+%else
+%define cross %{binutils_target}-
+%define isnative 0
+%define enable_shared 0
+%endif
+
+#----------------------------------------------------------------------------
+
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.29
-Release: 6%{?dist}
+Release: 17%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: http://sources.redhat.com/binutils
 
-# Note - the Linux Kernel binutils releases are too unstable and contain too
-# many controversial patches so we stick with the official FSF version
+# Note - the Linux Kernel binutils releases are too unstable and contain
+# too many controversial patches so we stick with the official FSF version
 # instead.
 
 Source: http://ftp.gnu.org/gnu/binutils/binutils-%{version}.tar.xz
 
 Source2: binutils-2.19.50.0.1-output-format.sed
 
+# Purpose:  Use /lib64 and /usr/lib64 instead of /lib and /usr/lib in the
+#           default library search path of 64-bit targets.
+# Lifetime: Permanent, but it should not be.  This is a bug in the libtool
+#           sources used in both binutils and gcc, (specifically the
+#           libtool.m4 file).  These are based on a version released in 2009
+#           (2.2.6?) rather than the latest version.  (Definitely fixed in
+#           libtool version 2.4.6).
 Patch01: binutils-2.20.51.0.2-libtool-lib64.patch
+
+# Purpose:  Appends a RHEL or Fedora release string to the generic binutils
+#           version string.
+# Lifetime: Permanent.  This is a RHEL/Fedora specific patch.
 Patch02: binutils-2.25-version.patch
-Patch03: binutils-2.25-set-long-long.patch
-Patch04: binutils-2.20.51.0.10-sec-merge-emit.patch
-# Enable -zrelro by default: BZ #621983
-Patch05: binutils-2.22.52.0.1-relro-on-by-default.patch
-# Local patch - export demangle.h with the binutils-devel rpm.
-Patch06: binutils-2.22.52.0.1-export-demangle.h.patch
-# Disable checks that config.h has been included before system headers.  BZ #845084
-Patch07: binutils-2.22.52.0.4-no-config-h-check.patch
-# Fix detections little endian PPC shared libraries
-Patch08: binutils-2.24-ldforcele.patch
-Patch09: binutils-2.25.1-cleansweep.patch
-Patch10: binutils-2.26-fix-compile-warnings.patch
-# Import H.J.Lu's Kernel LTO patch.
-Patch11: binutils-2.26-lto.patch
-# Skip PR14918 linker test for ARM native targets.
-Patch12: binutils-2.29-skip-rp14918-test-for-arm.patch
-# Include the filename concerned in readelf error messages.
-Patch13: binutils-2.29-filename-in-error-messages.patch
-# Ignore duplicate indirect symbols generated by GOLD.
-Patch14: binutils-2.28-ignore-gold-duplicates.patch
-# Do not enable the PPC64 plt-localentry0 linker optimization by default.
-Patch15: binutils-2.29-ppc64-plt-localentry0-disable.patch
+
+# Purpose:  Prevent a seg-fault when attempting to pad a section with a NULL
+#           padding pointer.
+# Lifetime: Permanent - but should be contributed upstream and fixed.
+#           FIXME: Need a test case to reproduce the potential bug so
+#           that the patch can be contributes.
+Patch03: binutils-2.20.51.0.10-sec-merge-emit.patch
+
+# Purpose:  Exports the demangle.h header file (associated with the libiberty
+#           sources) with the binutils-devel rpm.
+# Lifetime: Permanent.  This is a RHEL/Fedora specific patch.
+Patch04: binutils-2.22.52.0.1-export-demangle.h.patch
+
+# Purpose:  Disables the check in the BFD library's header file that config.h
+#           has been included before the bfd.h header.  See BZ #845084 for
+#           more details.
+# Lifetime: Permanent - but it should not be.  The bfd.h header defines
+#           various types that are dependent upon configuration options, so
+#           the order of inclusion is important.
+# FIXME:    It would be better if the packages using the BFD header were
+#           fixed so that they do include the header files in the correct
+#           order.
+Patch05: binutils-2.22.52.0.4-no-config-h-check.patch
+
+# Purpose:  Import H.J.Lu's Kernel LTO patch.
+# Lifetime: Permanent, but needs continual updating.
+# FIXME:    Try removing....
+Patch06: binutils-2.26-lto.patch
+
+# Purpose:  Skip PR14918 linker test for ARM native targets.
+# Lifetime: Fixed in 2.30.
+Patch07: binutils-2.29-skip-rp14918-test-for-arm.patch
+
+# Purpose:  Include the filename concerned in readelf error messages.  This
+#           makes readelf's output more helpful when it is run on multiple
+#           input files.
+# Lifetime: Permanent.  This patch changes the format of readelf's output,
+#           making it better (IMHO) but also potentially breaking tools that
+#           depend upon readelf's current format.  Hence it remains a local
+#           patch.
+Patch08: binutils-2.29-filename-in-error-messages.patch
+
+# Purpose:  Do not enable the PPC64 plt-localentry0 linker optimization by
+#           default.
+# Lifetime: Fixed in 2.29.1.
+Patch09: binutils-2.29-ppc64-plt-localentry0-disable.patch
+
+# Purpose:  Prevent a seg-fault in the linker by not attempting to place orphan ELF
+#           sections into a non-ELF output section.
+# Lifetime: Fixed in 2.29.1.
+Patch10: binutils-2.29-non-elf-orphan-skip.patch
+
+# Purpose:  Ignore duplicate indirect symbols generated by GOLD.
+#           sections into a non-ELF output section.
+# Lifetime: Fixed in 2.29.1.
+Patch11: binutils-2.28-ignore-gold-duplicates.patch
+
+# Purpose:  Fixes a bug in strip/objcopy which could cause it to crash when
+#           deleting relocs in a file which also contains mergeable notes.
+# Lifetime: Fixed in 2.30.
+Patch12: binutils-strip-delete-relocs.patch
+
+# Purpose:  Changes readelf so that when it displays extra information about
+#           a symbol, this information is placed at the end of the line.
+# Lifetime: Permanent.
+# FIXME:    The proper fix would be to update the scripts that are expecting
+#           a fixed output from readelf.  But it seems that some of them are
+#           no longer being maintained.
+Patch13: binutils-readelf-other-sym-info.patch
+
+# Purpose:  Improves objdump's function for locating a symbol to match a
+#           given address, so that it uses a binary chop algorithm.
+# Lifetime: Fixed in 2.31.
+Patch14: binutils-speed-up-objdump.patch
+
+# Purpose:  Treat relocs against STT_GNU_IFUNC symbols in note sections as
+#           if they were relocs against STT_FUNC symbols instead.
+# Lifetime: Fixed in 2.31.
+Patch15: binutils-ifunc-relocs-in-notes.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt x86 binaries.
+# Lifetime: Fixed in 2.29.1.
+Patch16: binutils-CVE-2017-13757.patch
+
+# Purpose:  Fix a seg-fault induced when parsing ELF version information.
+# Lifetime: Fixed in 2.29.1.
+Patch17: binutils-CVE-2017-14333.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt TEKHEX format files.
+# Lifetime: Fixed in 2.29.1.
+Patch18: binutils-CVE-2017-12967.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.29.1.
+Patch19: binutils-CVE-2017-12799.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt DWARF1 files.
+# Lifetime: Fixed in 2.30.
+Patch20: binutils-CVE-2018-7568.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt DWARF2 files.
+# Lifetime: Fixed in 2.30.
+Patch21: binutils-CVE-2018-7569.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt DWARF2 files.
+# Lifetime: Fixed in 2.30.
+Patch22: binutils-CVE-2018-10372.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt PE format files.
+# Lifetime: Fixed in 2.30.
+Patch23: binutils-CVE-2018-10535.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt DWARF2 information.
+# Lifetime: Fixed in 2.31.
+Patch24: binutils-CVE-2018-10373.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.31.
+Patch25: binutils-CVE-2018-7643.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt PE format files.
+# Lifetime: Fixed in 2.31.
+Patch26: binutils-CVE-2018-7208.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.31.
+Patch27: binutils-CVE-2018-7643.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.31.
+Patch28: binutils-CVE-2018-6323.patch
+
+#----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
 
-# BZ 1173780: Building GOLD for PPC is not working at the moment.
-# %define gold_arches %ix86 x86_64 %arm aarch64 ppc* %{power64}
-%define gold_arches %ix86 x86_64 %arm aarch64
+%define gold_arches %ix86 x86_64 %arm aarch64 %{power64} s390x
 
 %if %{with bootstrap}
-%define build_gold	no
+%define build_gold      no
 %else
 %ifarch %gold_arches
-%define build_gold	both
+%define build_gold      both
 %else
-%define build_gold	no
+%define build_gold      no
 %endif
 %endif
 
@@ -140,8 +271,8 @@ BuildRequires: libstdc++-static
 Conflicts: gcc-c++ < 4.0.0
 
 # The higher of these two numbers determines the default ld.
-%{!?ld_bfd_priority: %global ld_bfd_priority	50}
-%{!?ld_gold_priority:%global ld_gold_priority	30}
+%{!?ld_bfd_priority: %global ld_bfd_priority    50}
+%{!?ld_gold_priority:%global ld_gold_priority   30}
 
 %if "%{build_gold}" == "both"
 Requires(post): coreutils
@@ -155,6 +286,8 @@ Requires(preun): %{_sbindir}/alternatives
 %define _gnu %{nil}
 %endif
 
+#----------------------------------------------------------------------------
+
 %description
 Binutils is a collection of binary utilities, including ar (for
 creating, modifying and extracting from archives), as (a family of GNU
@@ -168,6 +301,8 @@ of an object or archive file), strings (for listing printable strings
 from files), strip (for discarding symbols), and addr2line (for
 converting addresses to file and line).
 
+#----------------------------------------------------------------------------
+
 %package devel
 Summary: BFD and opcodes static and dynamic libraries and header files
 Group: System Environment/Libraries
@@ -195,25 +330,38 @@ dynamic libraries.
 Developers starting new projects are strongly encouraged to consider
 using libelf instead of BFD.
 
+#----------------------------------------------------------------------------
+
 %prep
 %setup -q -n binutils-%{version}
-%patch01 -p1 -b .libtool-lib64~
-%patch02 -p1 -b .version~
-%patch03 -p1 -b .set-long-long~
-%patch04 -p1 -b .sec-merge-emit~
-%patch05 -p1 -b .relro~
-%patch06 -p1 -b .export-demangle-h~
-%patch07 -p1 -b .no-config-h-check~
-%ifarch ppc64le
-%patch08 -p1 -b .ldforcele~
-%endif
-%patch09 -p0
+%patch01 -p1
+%patch02 -p1
+%patch03 -p1
+%patch04 -p1
+%patch05 -p1
+%patch06 -p1
+%patch07 -p1
+%patch08 -p1
+%patch09 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 
@@ -251,15 +399,17 @@ touch */configure
 %define _target_platform %{_arch}-%{_vendor}-%{_host_os}
 %endif
 
+#----------------------------------------------------------------------------
+
 %build
 echo target is %{binutils_target}
+
 %ifarch %{power64}
-#CFLAGS=`echo $RPM_OPT_FLAGS | sed -e -s "s/-Werror//g"`
-#export CFLAGS
 export CFLAGS="$RPM_OPT_FLAGS -Wno-error"
 %else
 export CFLAGS="$RPM_OPT_FLAGS"
 %endif
+
 CARGS=
 
 case %{binutils_target} in i?86*|sparc*|ppc*|s390*|sh*|arm*|aarch64*)
@@ -292,6 +442,20 @@ case %{binutils_target} in x86_64*|i?86*|arm*|aarch64*)
   ;;
 esac
 
+%if %{default_relro}
+# BZ 1523946: PowerPC64 is not ready for relro.
+case %{binutils_target} in
+    ppc64*)
+        CARGS="$CARGS --enable-relro=no"
+        ;;
+    *)
+        CARGS="$CARGS --enable-relro=yes"
+        ;;
+esac
+%else
+        CARGS="$CARGS --enable-relro=no"
+%endif
+
 %if 0%{?_with_debug:1}
 CFLAGS="$CFLAGS -O0 -ggdb2 -Wno-error -D_FORTIFY_SOURCE=0"
 %define enable_shared 0
@@ -300,6 +464,7 @@ CFLAGS="$CFLAGS -O0 -ggdb2 -Wno-error -D_FORTIFY_SOURCE=0"
 # We could optimize the cross builds size by --enable-shared but the produced
 # binaries may be less convenient in the embedded environment.
 %configure \
+  --quiet \
   --build=%{_target_platform} --host=%{_target_platform} \
   --target=%{binutils_target} \
 %ifarch %gold_arches
@@ -323,7 +488,7 @@ CFLAGS="$CFLAGS -O0 -ggdb2 -Wno-error -D_FORTIFY_SOURCE=0"
 %endif
 %if %{enable_deterministic_archives}
   --enable-deterministic-archives \
-%else    
+%else
   --enable-deterministic-archives=no \
 %endif
 %if %{enable_lto}
@@ -338,7 +503,7 @@ CFLAGS="$CFLAGS -O0 -ggdb2 -Wno-error -D_FORTIFY_SOURCE=0"
   --enable-plugins \
   --with-bugurl=http://bugzilla.redhat.com/bugzilla/
 
-%if %{with docs}  
+%if %{with docs}
 make %{_smp_mflags} tooldir=%{_prefix} all
 make %{_smp_mflags} tooldir=%{_prefix} info
 %else
@@ -363,16 +528,18 @@ uuencode binutils-%{_target_platform}.tar.bz2 binutils-%{_target_platform}.tar.b
 rm -f binutils-%{_target_platform}.tar.bz2 binutils-%{_target_platform}-*.{sum,log}
 %endif
 
+#----------------------------------------------------------------------------
+
 %install
 rm -rf %{buildroot}
-%if %{with docs}  
+%if %{with docs}
 make install DESTDIR=%{buildroot}
 %else
 make install DESTDIR=%{buildroot} MAKEINFO=true
 %endif
 
 %if %{isnative}
-%if %{with info}
+%if %{with docs}
 make prefix=%{buildroot}%{_prefix} infodir=%{buildroot}%{_infodir} install-info
 %endif
 
@@ -453,14 +620,14 @@ $OUTPUT_FORMAT
 INPUT ( %{_libdir}/libopcodes.a -lbfd )
 EOH
 
-%else # !%{isnative}
+%else # !isnative
 # For cross-binutils we drop the documentation.
 rm -rf %{buildroot}%{_infodir}
 # We keep these as one can have native + cross binutils of different versions.
-#rm -rf %{buildroot}%{_prefix}/share/locale
-#rm -rf %{buildroot}%{_mandir}
+#rm -rf {buildroot}{_prefix}/share/locale
+#rm -rf {buildroot}{_mandir}
 rm -rf %{buildroot}%{_libdir}/libiberty.a
-%endif # !%{isnative}
+%endif # !isnative
 
 # This one comes from gcc
 rm -f %{buildroot}%{_infodir}/dir
@@ -485,9 +652,13 @@ if [ -x gold/ld-new ]; then
   cat %{?cross}gold.lang >> %{?cross}binutils.lang
 fi
 
+#----------------------------------------------------------------------------
+
 %clean
 rm -rf %{buildroot}
 
+#----------------------------------------------------------------------------
+
 %post
 %if "%{build_gold}" == "both"
 %__rm -f %{_bindir}/%{?cross}ld
@@ -495,8 +666,9 @@ rm -rf %{buildroot}
   %{_bindir}/%{?cross}ld.bfd %{ld_bfd_priority}
 %{_sbindir}/alternatives --install %{_bindir}/%{?cross}ld %{?cross}ld \
   %{_bindir}/%{?cross}ld.gold %{ld_gold_priority}
-%{_sbindir}/alternatives --auto %{?cross}ld 
-%endif
+%{_sbindir}/alternatives --auto %{?cross}ld
+%endif # both ld.gold and ld.bfd
+
 %if %{isnative}
 /sbin/ldconfig
 %if %{with docs}
@@ -505,16 +677,20 @@ rm -rf %{buildroot}
   /sbin/install-info --info-dir=%{_infodir} %{_infodir}/gprof.info.gz
   /sbin/install-info --info-dir=%{_infodir} %{_infodir}/ld.info.gz
 %endif # with docs
-%endif # %{isnative}
+%endif # isnative
+
 exit 0
 
+#----------------------------------------------------------------------------
+
 %preun
 %if "%{build_gold}" == "both"
 if [ $1 = 0 ]; then
   %{_sbindir}/alternatives --remove %{?cross}ld %{_bindir}/%{?cross}ld.bfd
   %{_sbindir}/alternatives --remove %{?cross}ld %{_bindir}/%{?cross}ld.gold
 fi
-%endif
+%endif # both ld.gold and ld.bfd
+
 %if %{isnative}
 if [ $1 = 0 ]; then
   if [ -e %{_infodir}/binutils.info.gz ]
@@ -525,9 +701,12 @@ if [ $1 = 0 ]; then
     /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/ld.info.gz
   fi
 fi
-%endif
+%endif # isnative
+
 exit 0
 
+#----------------------------------------------------------------------------
+
 %if %{isnative}
 %postun
 /sbin/ldconfig
@@ -538,24 +717,31 @@ exit 0
     /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/gprof.info.gz
     /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/ld.info.gz
   fi
-%endif # %{isnative}
+%endif # isnative
+
+#----------------------------------------------------------------------------
 
 %files -f %{?cross}binutils.lang
 %defattr(-,root,root,-)
 %license COPYING COPYING3 COPYING3.LIB COPYING.LIB
 %doc README
 %{_bindir}/%{?cross}[!l]*
+
 %if "%{build_gold}" == "both"
 %{_bindir}/%{?cross}ld.*
 %ghost %{_bindir}/%{?cross}ld
 %else
 %{_bindir}/%{?cross}ld*
-%endif
+%endif # both ld.gold and ld.bfd
+
+%if %{with docs}
 %{_mandir}/man1/*
 %{_infodir}/as.info.gz
 %{_infodir}/binutils.info.gz
 %{_infodir}/gprof.info.gz
 %{_infodir}/ld.info.gz
+%endif # with docs
+
 %if %{enable_shared}
 %{_libdir}/lib*.so
 %exclude %{_libdir}/libbfd.so
@@ -563,6 +749,7 @@ exit 0
 %endif
 
 %if %{isnative}
+
 %if %{with docs}
 %{_infodir}/[^b]*info*
 %{_infodir}/binutils*info*
@@ -574,12 +761,65 @@ exit 0
 %{_libdir}/lib*.a
 %{_libdir}/libbfd.so
 %{_libdir}/libopcodes.so
+
 %if %{with docs}
 %{_infodir}/bfd*info*
 %endif # with docs
-%endif # %{isnative}
 
+%endif # isnative
+
+#----------------------------------------------------------------------------
 %changelog
+* Wed Jul 11 2018 Nick Clifton  <nickc@redhat.com> 2.29-17
+- Fix a seg-fault that can occur when parsing corrupt DWARF2 information.  (#1551779)
+- Fix a seg-fault that can occur when parsing corrupt DWARF2 information.  (#1573359)
+- Fix a seg-fault that can occur when parsing corrupt PE files.  (#1574700)
+- Fix a seg-fault that can occur when parsing corrupt DWARF2 information.  (#1573365)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1551786)
+- Fix a seg-fault that can occur when parsing corrupt PE files.  (#1546624)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1543245)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1539888)
+
+* Wed Jul 11 2018 Nick Clifton  <nickc@redhat.com> 2.29-16
+- Fix a seg-fault that can occur when parsing corrupt DWARF1 information.  (#1551772)
+
+* Thu May 31 2018 Nick Clifton  <nickc@redhat.com> 2.29-15
+- Fix a seg-fault that can occur when parsing corrupt x86 binaries.  (#1487762)
+- Fix a seg-fault that can occur when parsing ELF version information.  (#1492130)
+- Fix a seg-fault that can occur when parsing corrupt TEKHEX files.  (#1484527)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1480343)
+
+* Fri Mar 09 2018 Nick Clifton  <nickc@redhat.com> 2.29-14
+- Treat relocs against s390x IFUNC symbols in note sections as relocs against the FUNC symbol instead.  (#1553705)
+
+* Mon Mar 05 2018 Nick Clifton  <nickc@redhat.com> 2.29.13
+- Speed up objdump.  (#1551540)
+
+* Mon Dec 18 2017 Nick Clifton  <nickc@redhat.com> 2.29-12
+- Re-enable gold for PowerPC64 and s390x.  (#1173780)
+
+* Fri Dec 15 2017 Nick Clifton  <nickc@redhat.com> 2.29-11
+- Have readelf display extra symbol information at the end of the line.  (#1479302)
+
+* Mon Dec 11 2017 Nick Clifton  <nickc@redhat.com> 2.29-10
+- Do not enable relro by default for the PowerPC64 architecture.  (#1523946)
+
+* Fri Dec 08 2017 Nick Clifton  <nickc@redhat.com> 2.29-9
+- Stop strip from crashing when deleteing relocs in a file with annobin notes.  (#1520805)
+
+* Wed Dec 06 2017 Nick Clifton  <nickc@redhat.com> 2.29-8
+- Have readelf return an exit failure status when attempting to process an empty file. (#1522732)
+
+* Fri Nov 17 2017 Nick Clifton  <nickc@redhat.com> 2.29-7
+- Import fix for PR 21884 which stops a seg-fault in the linker when changing output format to binary during a final link.
+  (#1491023)
+- Annotate patches with reason and lifetime expectances.
+- Retire: binutils-2.24-ldforcele.patch
+- Retire: binutils-2.25-set-long-long.patch
+- Retire: binutils-2.25.1-cleansweep.patch
+- Retire: binutils-2.26-fix-compile-warnings.patch
+- Retire: binutils-2.28-ignore-gold-duplicates.patch
+
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.29-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 
@@ -686,7 +926,7 @@ exit 0
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 
 * Thu Feb 02 2017 Stephen Gallagher  <sgallagh@redhat.com> 2.27-16
-- Install COPYING[*] files using the %license macro.
+- Install COPYING[*] files using the % license macro.
   (#1418430)
 
 * Tue Jan 31 2017 Nick Clifton  <nickc@redhat.com> 2.27-15
@@ -1018,7 +1258,7 @@ exit 0
 - Fix compiling using gcc 4.9  (#1087374)
 
 * Thu Mar 27 2014 Nick Clifton <nickc@redhat.com> - 2.24-11
-- Use %{version} in Source string.  Delete unused patches.
+- Use {version} in Source string.  Delete unused patches.
 
 * Tue Jan 28 2014 Nick Clifton <nickc@redhat.com> - 2.24-10
 - Fix decoding of abbrevs using a DW_FORM_ref_addr attribute.  (#1056797)
@@ -1233,10 +1473,8 @@ exit 0
 * Fri Apr 27 2012 Nick Clifton <nickc@redhat.com> - 2.22.52.0.1-12
 - Include demangle.h in the devel rpm.
 
-%if 0%{?rhel} >= 7
 * Tue Apr 03 2012 Nick Clifton <nickc@redhat.com> - 2.22.52.0.1-11
 - Enable -zrelro by default for RHEL 7+. (#807831)
-%endif
 
 * Fri Mar 16 2012 Jakub Jelinek <jakub@redhat.com> - 2.22.52.0.1-10
 - Fix up handling of hidden ifunc relocs on i?86
@@ -1248,10 +1486,8 @@ exit 0
 - Fix up handling of hidden ifunc relocs on x86_64
 - Add Intel TSX support
 
-%if 0%{?fedora} >= 18
 * Tue Mar 06 2012 Nick Clifton <nickc@redhat.com> - 2.22.52.0.1-7
 - Enable -zrelro by default. (#621983 #807831)
-%endif
 
 * Mon Feb 27 2012 Jeff Law <law@redhat.com> - 2.22.52.0.1-6
 - Fix c++filt docs (#797752)
@@ -2608,4 +2844,3 @@ exit 0
 * Wed Oct 22 1997 Erik Troan <ewt@redhat.com>
 - added 2.8.1.0.1 patch from hj
 - added patch for alpha palcode form rth
-