mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-11 08:02:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

binutls: Security fix CVE-2018-7568

Browse Source 
Affects <= 2.30

(From OE-Core rev: 9dee4cec26322604e71ca5db4b17b1088a98971b)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2018-08-05 22:02:12 -07:00
committed by Richard Purdie
parent 219deb5228
commit ea6a69cb83
2 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
meta/recipes-devtools/binutils/binutils-2.30.inc
View File

@@ -42,6 +42,7 @@ SRC_URI = "\
file://CVE-2018-7642.patch \
file://CVE-2018-7208.patch \
file://CVE-2018-7569.patch \
file://CVE-2018-7568.patch \
"
S = "${WORKDIR}/git"

85
meta/recipes-devtools/binutils/binutils/CVE-2018-7568.patch Normal file
View File

@@ -0,0 +1,85 @@
From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 28 Feb 2018 10:13:54 +0000
Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
debug information.
PR 22894
* dwarf1.c (parse_die): Check the length of form blocks before
advancing the data pointer.
Upstream-Status: Backport
Affects: Binutils <= 2.30
CVE: CVE-2018-7568
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 6 ++++++
bfd/dwarf1.c | 17 +++++++++++++++--
2 files changed, 21 insertions(+), 2 deletions(-)
Index: git/bfd/dwarf1.c
===================================================================
--- git.orig/bfd/dwarf1.c
+++ git/bfd/dwarf1.c
@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
/* Then the attributes. */
while (xptr + 2 <= aDiePtrEnd)
{
+ unsigned int block_len;
unsigned short attr;
/* Parse the attribute based on its form. This section
@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
break;
case FORM_BLOCK2:
if (xptr + 2 <= aDiePtrEnd)
- xptr += bfd_get_16 (abfd, xptr);
+ {
+ block_len = bfd_get_16 (abfd, xptr);
+ if (xptr + block_len > aDiePtrEnd
+ || xptr + block_len < xptr)
+ return FALSE;
+ xptr += block_len;
+ }
xptr += 2;
break;
case FORM_BLOCK4:
if (xptr + 4 <= aDiePtrEnd)
- xptr += bfd_get_32 (abfd, xptr);
+ {
+ block_len = bfd_get_32 (abfd, xptr);
+ if (xptr + block_len > aDiePtrEnd
+ || xptr + block_len < xptr)
+ return FALSE;
+ xptr += block_len;
+ }
xptr += 4;
break;
case FORM_STRING:
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -4,7 +4,11 @@
* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
range before converting to a symbol table pointer.
-2018-02-28 Alan Modra <amodra@gmail.com>
+2018-02-28 Nick Clifton <nickc@redhat.com>
+
+ PR 22894
+ * dwarf1.c (parse_die): Check the length of form blocks before
+ advancing the data pointer.
PR 22895
PR 22893
@@ -14,6 +18,8 @@
size is invalid.
(read_attribute_value): Adjust invocations of read_n_bytes.
+2018-02-28 Alan Modra <amodra@gmail.com>
+
PR 22887
* aoutx.h (swap_std_reloc_in): Correct r_index bound check.