mirror of
https://git.yoctoproject.org/poky
synced 2026-04-11 08:02:21 +02:00
binutls: Security fix CVE-2018-6759
Affects <= 2.30 (From OE-Core rev: 8f9b8ee0e7ad6526a3f93a8f0ca8e9fe055fdff6) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
committed by
Richard Purdie
Richard Purdie
parent
b283276544
commit
0112dfc031
@@ -38,6 +38,7 @@ SRC_URI = "\
|
||||
file://CVE-2018-8945.patch \
|
||||
file://CVE-2018-7643.patch \
|
||||
file://CVE-2018-6872.patch \
|
||||
file://CVE-2018-6759.patch \
|
||||
"
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
|
||||
108
meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
Normal file
108
meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
Normal file
@@ -0,0 +1,108 @@
|
||||
From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
|
||||
From: Nick Clifton <nickc@redhat.com>
|
||||
Date: Tue, 6 Feb 2018 15:48:29 +0000
|
||||
Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
|
||||
chacking the size of debuglink sections.
|
||||
|
||||
PR 22794
|
||||
* opncls.c (bfd_get_debug_link_info_1): Check the size of the
|
||||
section before attempting to read it in.
|
||||
(bfd_get_alt_debug_link_info): Likewise.
|
||||
|
||||
Upstream-Status: Backport
|
||||
Affects: Binutils <= 2.30
|
||||
CVE: CVE-2018-6759
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
bfd/ChangeLog | 7 +++++++
|
||||
bfd/opncls.c | 22 +++++++++++++++++-----
|
||||
2 files changed, 24 insertions(+), 5 deletions(-)
|
||||
|
||||
Index: git/bfd/opncls.c
|
||||
===================================================================
|
||||
--- git.orig/bfd/opncls.c
|
||||
+++ git/bfd/opncls.c
|
||||
@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
|
||||
bfd_byte *contents;
|
||||
unsigned int crc_offset;
|
||||
char *name;
|
||||
+ bfd_size_type size;
|
||||
|
||||
BFD_ASSERT (abfd);
|
||||
BFD_ASSERT (crc32_out);
|
||||
@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
|
||||
if (sect == NULL)
|
||||
return NULL;
|
||||
|
||||
+ size = bfd_get_section_size (sect);
|
||||
+
|
||||
+ /* PR 22794: Make sure that the section has a reasonable size. */
|
||||
+ if (size < 8 || size >= bfd_get_size (abfd))
|
||||
+ return NULL;
|
||||
+
|
||||
if (!bfd_malloc_and_get_section (abfd, sect, &contents))
|
||||
{
|
||||
if (contents != NULL)
|
||||
@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
|
||||
|
||||
/* CRC value is stored after the filename, aligned up to 4 bytes. */
|
||||
name = (char *) contents;
|
||||
- /* PR 17597: avoid reading off the end of the buffer. */
|
||||
- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
|
||||
+ /* PR 17597: Avoid reading off the end of the buffer. */
|
||||
+ crc_offset = strnlen (name, size) + 1;
|
||||
crc_offset = (crc_offset + 3) & ~3;
|
||||
- if (crc_offset + 4 > bfd_get_section_size (sect))
|
||||
+ if (crc_offset + 4 > size)
|
||||
return NULL;
|
||||
|
||||
*crc32 = bfd_get_32 (abfd, contents + crc_offset);
|
||||
@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
|
||||
bfd_byte *contents;
|
||||
unsigned int buildid_offset;
|
||||
char *name;
|
||||
+ bfd_size_type size;
|
||||
|
||||
BFD_ASSERT (abfd);
|
||||
BFD_ASSERT (buildid_len);
|
||||
@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
|
||||
if (sect == NULL)
|
||||
return NULL;
|
||||
|
||||
+ size = bfd_get_section_size (sect);
|
||||
+ if (size < 8 || size >= bfd_get_size (abfd))
|
||||
+ return NULL;
|
||||
+
|
||||
if (!bfd_malloc_and_get_section (abfd, sect, & contents))
|
||||
{
|
||||
if (contents != NULL)
|
||||
@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
|
||||
|
||||
/* BuildID value is stored after the filename. */
|
||||
name = (char *) contents;
|
||||
- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
|
||||
+ buildid_offset = strnlen (name, size) + 1;
|
||||
if (buildid_offset >= bfd_get_section_size (sect))
|
||||
return NULL;
|
||||
|
||||
- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
|
||||
+ *buildid_len = size - buildid_offset;
|
||||
*buildid_out = bfd_malloc (*buildid_len);
|
||||
memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
|
||||
|
||||
Index: git/bfd/ChangeLog
|
||||
===================================================================
|
||||
--- git.orig/bfd/ChangeLog
|
||||
+++ git/bfd/ChangeLog
|
||||
@@ -1,3 +1,10 @@
|
||||
+2018-02-06 Nick Clifton <nickc@redhat.com>
|
||||
+
|
||||
+ PR 22794
|
||||
+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
|
||||
+ section before attempting to read it in.
|
||||
+ (bfd_get_alt_debug_link_info): Likewise.
|
||||
+
|
||||
2018-02-09 Nick Clifton <nickc@redhat.com>
|
||||
|
||||
Import patch from mainline:
|
||||
Reference in New Issue
Block a user