From: Armin Kuster <akuster808@gmail.com>
To: akuster@mvista.com, openembedded-core@lists.openembedded.org
Subject: [ROCKO][PATCH 16/27] binutls: Security fix for CVE-2017-15996
Date: Wed, 8 Aug 2018 08:35:11 -0700 [thread overview]
Message-ID: <1533742522-24357-16-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1533742522-24357-1-git-send-email-akuster808@gmail.com>
From: Armin Kuster <akuster@mvista.com>
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 +
.../binutils/binutils/CVE-2017-15996.patch | 84 ++++++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 917f667..7928de9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -51,6 +51,7 @@ SRC_URI = "\
file://CVE-2017-15025.patch \
file://CVE-2017-15225.patch \
file://CVE-2017-15939.patch \
+ file://CVE-2017-15996.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
new file mode 100644
index 0000000..dab8380
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
@@ -0,0 +1,84 @@
+From d91f0b20e561e326ee91a09a76206257bde8438b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 28 Oct 2017 21:31:16 +1030
+Subject: [PATCH] PR22361 readelf buffer overflow on fuzzed archive header
+
+ PR 22361
+ * readelf.c (process_archive_index_and_symbols): Ensure ar_size
+ field is zero terminated for strtoul.
+ (setup_archive, get_archive_member_name): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15996
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 7 +++++++
+ binutils/elfcomm.c | 11 +++++++++++
+ 2 files changed, 18 insertions(+)
+
+Index: git/binutils/elfcomm.c
+===================================================================
+--- git.orig/binutils/elfcomm.c
++++ git/binutils/elfcomm.c
+@@ -466,8 +466,12 @@ process_archive_index_and_symbols (struc
+ {
+ size_t got;
+ unsigned long size;
++ char fmag_save;
+
++ fmag_save = arch->arhdr.ar_fmag[0];
++ arch->arhdr.ar_fmag[0] = 0;
+ size = strtoul (arch->arhdr.ar_size, NULL, 10);
++ arch->arhdr.ar_fmag[0] = fmag_save;
+ /* PR 17531: file: 912bd7de. */
+ if ((signed long) size < 0)
+ {
+@@ -655,7 +659,10 @@ setup_archive (struct archive_info *arch
+ if (const_strneq (arch->arhdr.ar_name, "// "))
+ {
+ /* This is the archive string table holding long member names. */
++ char fmag_save = arch->arhdr.ar_fmag[0];
++ arch->arhdr.ar_fmag[0] = 0;
+ arch->longnames_size = strtoul (arch->arhdr.ar_size, NULL, 10);
++ arch->arhdr.ar_fmag[0] = fmag_save;
+ /* PR 17531: file: 01068045. */
+ if (arch->longnames_size < 8)
+ {
+@@ -758,6 +765,7 @@ get_archive_member_name (struct archive_
+ char *endp;
+ char *member_file_name;
+ char *member_name;
++ char fmag_save;
+
+ if (arch->longnames == NULL || arch->longnames_size == 0)
+ {
+@@ -766,9 +774,12 @@ get_archive_member_name (struct archive_
+ }
+
+ arch->nested_member_origin = 0;
++ fmag_save = arch->arhdr.ar_fmag[0];
++ arch->arhdr.ar_fmag[0] = 0;
+ k = j = strtoul (arch->arhdr.ar_name + 1, &endp, 10);
+ if (arch->is_thin_archive && endp != NULL && * endp == ':')
+ arch->nested_member_origin = strtoul (endp + 1, NULL, 10);
++ arch->arhdr.ar_fmag[0] = fmag_save;
+
+ if (j > arch->longnames_size)
+ {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-10-28 Alan Modra <amodra@gmail.com>
++
++ PR 22361
++ * readelf.c (process_archive_index_and_symbols): Ensure ar_size
++ field is zero terminated for strtoul.
++ (setup_archive, get_archive_member_name): Likewise.
++
+ 2017-09-26 Alan Modra <amodra@gmail.com>
+
+ PR 22205
--
2.7.4
next prev parent reply other threads:[~2018-08-08 15:35 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-08 15:34 [ROCKO][PATCH 01/27] binutils: Security fix CVE-2017-12967 Armin Kuster
2018-08-08 15:34 ` [ROCKO][PATCH 02/27] binutils: Secuirty fix CVE-2017-14930 Armin Kuster
2018-08-08 15:34 ` [ROCKO][PATCH 03/27] binutls: Security fix CVE-2017-14932 Armin Kuster
2018-08-08 15:34 ` [ROCKO][PATCH 04/27] binutls: Security fix CVE-2017-14933 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 05/27] binutls: Security fix CVE-2017-14934 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 06/27] binutls: Security fix for CVE-2017-14938 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 07/27] binutls: Security fix for CVE-2017-14939 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 08/27] binutils: Security fix for CVE-2017-14940 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 09/27] binutls: Security fix for CVE-2017-15021 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 10/27] binutls: Security fix for CVE-2017-15022 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 11/27] binutls: Security fix for CVE-2017-15023 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 12/27] binutls: Security fix for CVE-2017-15024 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 13/27] binutls: Security fix for CVE-2017-15025 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 14/27] binutls: Security fix for CVE-2017-15225 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 15/27] binutls: Security fix for CVE-2017-15939 Armin Kuster
2018-08-08 15:35 ` Armin Kuster [this message]
2018-08-08 15:35 ` [ROCKO][PATCH 17/27] binutls: Security fix for CVE-2017-16826 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 18/27] binutls: Security fix for CVE-2017-16827 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 19/27] binutls: Security fix for CVE-2017-16828 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 20/27] binutls: Security fix for CVE-2017-16829 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 21/27] binutls: Security fix for CVE-2017-16830 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 22/27] binutls: Security fix for CVE-2017-16831 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 23/27] binutls: Security fix for CVE-2017-16832 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 24/27] binutls: Security fix for CVE-2017-17080 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 25/27] Binutils: Security fix for CVE-2017-17121 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 26/27] binutls: Security fix for CVE-2017-17122 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 27/27] binutls: Security fix for CVE-2017-17125 Armin Kuster
2018-08-08 16:06 ` ✗ patchtest: failure for "[ROCKO] binutils: Security fix..." and 26 more Patchwork
2018-08-08 16:40 ` [ROCKO][PATCH 01/27] binutils: Security fix CVE-2017-12967 akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1533742522-24357-16-git-send-email-akuster808@gmail.com \
--to=akuster808@gmail.com \
--cc=akuster@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox