Gentoo Archives: gentoo-commits

From: "Matthias Maier (tamiko)" <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in src/patchsets/binutils/2.27: 00_all_0007-CVE-2017-8421.patch 00_all_0008-CVE-2017-9038.patch 00_all_0009-CVE-2017-9039.patch 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch 00_all_0011-0011-CVE-2017-9041.patch README.history binutils-2.27-CVE-2017-8421.patch
Date: Tue, 06 Jun 2017 20:57:53
Message-Id: 20170606205747.BD76F746D@oystercatcher.gentoo.org
1 tamiko 17/06/06 20:57:47
2
3 Modified: README.history
4 Added: 00_all_0007-CVE-2017-8421.patch
5 00_all_0008-CVE-2017-9038.patch
6 00_all_0009-CVE-2017-9039.patch
7 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
8 00_all_0011-0011-CVE-2017-9041.patch
9 binutils-2.27-CVE-2017-8421.patch
10 Log:
11 binutils-2.27: Update to patchset 1.1
12
13 Revision Changes Path
14 1.2 src/patchsets/binutils/2.27/README.history
15
16 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&view=markup
17 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&content-type=text/plain
18 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?r1=1.1&r2=1.2
19
20 Index: README.history
21 ===================================================================
22 RCS file: /var/cvsroot/gentoo/src/patchsets/binutils/2.27/README.history,v
23 retrieving revision 1.1
24 retrieving revision 1.2
25 diff -u -r1.1 -r1.2
26 --- README.history 15 Nov 2016 07:08:40 -0000 1.1
27 +++ README.history 6 Jun 2017 20:57:47 -0000 1.2
28 @@ -1,3 +1,10 @@
29 +1.1 06 Jun 2017
30 + + 00_all_0007-CVE-2017-8421.patch
31 + + 00_all_0008-CVE-2017-9038.patch
32 + + 00_all_0009-CVE-2017-9039.patch
33 + + 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
34 + + 00_all_0011-0011-CVE-2017-9041.patch
35 +
36 1.0 12 Nov 2016
37 + 00_all_0001-ld-always-warn-about-textrels-in-files.patch
38 + 00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch
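Review bot: the new 1.1 entry does not list binutils-2.27-CVE-2017-8421.patch, which this commit also adds, and the fifth line records 00_all_0011-0011-CVE-2017-9041.patch, whose doubled "0011-0011" prefix breaks the naming pattern of the other four entries. Either record the extra file here (or drop it from the commit, since 00_all_0007 is the rebased copy of the same upstream change) and rename the fifth patch to 00_all_0011-CVE-2017-9041.patch before patchset 1.1 ships, so the history file matches what is actually applied.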
39
40
41
42 1.1 src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch
43
44 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&view=markup
45 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&content-type=text/plain
46
47 Index: 00_all_0007-CVE-2017-8421.patch
48 ===================================================================
49 From 066b5b9598ffcf4d8e99034fa370e1ba8393341c Mon Sep 17 00:00:00 2001
50 From: Matthias Maier <tamiko@××××.org>
51 Date: Tue, 6 Jun 2017 13:04:17 -0500
52 Subject: [PATCH 1/5] CVE-2017-8421
53
54 [PATCH] Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs.
55
56 Patch taken from [1]. Gentoo bug [2]
57
58 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=39ff1b79f687b65f4144ddb379f22587003443fb
59 [2] https://bugs.gentoo.org/show_bug.cgi?id=618520
60 ---
61 binutils/objdump.c | 8 ++++++++
62 1 file changed, 8 insertions(+)
63
64 diff --git a/binutils/objdump.c b/binutils/objdump.c
65 index bf9c592..cbe2e0a 100644
66 --- a/binutils/objdump.c
67 +++ b/binutils/objdump.c
68 @@ -3238,6 +3238,14 @@ dump_relocs_in_section (bfd *abfd,
69 return;
70 }
71
72 + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
73 + && relsize > get_file_size (bfd_get_filename (abfd)))
74 + {
75 + printf (" (too many: 0x%x)\n", section->reloc_count);
76 + bfd_set_error (bfd_error_file_truncated);
77 + bfd_fatal (bfd_get_filename (abfd));
78 + }
79 +
80 relpp = (arelent **) xmalloc (relsize);
81 relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms);
82
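Review bot: bfd_fatal in the new block aborts the whole objdump run when one section's reloc table looks oversized, so a single corrupt section stops every other section from being dumped; unless that is intended, emitting the diagnostic through non_fatal and then returning (the function already returns early a few lines above, as the `return;` context shows) would degrade more gracefully. The bound itself deserves a comment: relsize is the byte size requested for the arelent pointer array (`relpp = (arelent **) xmalloc (relsize);`), and comparing it with the on-disk file size works because every real reloc has to be backed by at least as many bytes in the file; the BFD_IN_MEMORY | BFD_LINKER_CREATED exclusion is needed because get_file_size would otherwise stat a name that does not correspond to a regular file. Stating that reasoning inline saves the next reader from re-deriving it.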
83 --
84 2.13.0
85
86
87
88
89 1.1 src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch
90
91 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&view=markup
92 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&content-type=text/plain
93
94 Index: 00_all_0008-CVE-2017-9038.patch
95 ===================================================================
96 From 581a94cb18d994071f9660a7b84d1d2bc104fc4f Mon Sep 17 00:00:00 2001
97 From: Matthias Maier <tamiko@××××.org>
98 Date: Tue, 6 Jun 2017 13:18:07 -0500
99 Subject: [PATCH 2/5] CVE-2017-9038
100
101 readelf: Update check for invalid word offsets in ARM unwind information.
102
103 Patch taken from [1]. Gentoo bug [2]
104
105 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
106 [2] https://bugs.gentoo.org/show_bug.cgi?id=618826
107 ---
108 binutils/readelf.c | 6 +++---
109 1 file changed, 3 insertions(+), 3 deletions(-)
110
111 diff --git a/binutils/readelf.c b/binutils/readelf.c
112 index 274ddd1..9a515ff 100644
113 --- a/binutils/readelf.c
114 +++ b/binutils/readelf.c
115 @@ -7738,9 +7738,9 @@ get_unwind_section_word (struct arm_unw_aux_info * aux,
116 return FALSE;
117
118 /* If the offset is invalid then fail. */
119 - if (word_offset > (sec->sh_size - 4)
120 - /* PR 18879 */
121 - || (sec->sh_size < 5 && word_offset >= sec->sh_size)
122 + if (/* PR 21343 *//* PR 18879 */
123 + sec->sh_size < 4
124 + || word_offset > (sec->sh_size - 4)
125 || ((bfd_signed_vma) word_offset) < 0)
126 return FALSE;
127
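Review bot: the reordered condition is only correct because of short-circuit evaluation: `sec->sh_size < 4` must stay ahead of `word_offset > (sec->sh_size - 4)`, otherwise the unsigned subtraction wraps for sections shorter than four bytes (the PR 18879 case the removed second clause used to handle). That ordering dependency should be spelled out, and the merged token `/* PR 21343 *//* PR 18879 */` inside the if is hard to read; one comment above the if, such as `/* PR 21343, PR 18879: reject word offsets outside the section. */`, would carry the same information more clearly.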
128 --
129 2.13.0
130
131
132
133
134 1.1 src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch
135
136 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&view=markup
137 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&content-type=text/plain
138
139 Index: 00_all_0009-CVE-2017-9039.patch
140 ===================================================================
141 From b365e09549f642683fd21e5804be962077882d33 Mon Sep 17 00:00:00 2001
142 From: Matthias Maier <tamiko@××××.org>
143 Date: Tue, 6 Jun 2017 13:24:24 -0500
144 Subject: [PATCH 3/5] CVE-2017-9039
145
146 readelf: Fix overlarge memory allocation when reading a binary with an excessive number of program headers.
147
148 Patch taken from [1]. Gentoo bug [2]
149
150 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
151 [2] https://bugs.gentoo.org/show_bug.cgi?id=618826
152 ---
153 binutils/readelf.c | 14 ++++++++++++--
154 1 file changed, 12 insertions(+), 2 deletions(-)
155
156 diff --git a/binutils/readelf.c b/binutils/readelf.c
157 index 9a515ff..a11931d 100644
158 --- a/binutils/readelf.c
159 +++ b/binutils/readelf.c
160 @@ -4698,9 +4698,19 @@ get_program_headers (FILE * file)
161 if (program_headers != NULL)
162 return 1;
163
164 - phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
165 - sizeof (Elf_Internal_Phdr));
166 + /* Be kind to memory checkers by looking for
167 + e_phnum values which we know must be invalid. */
168 + if (elf_header.e_phnum
169 + * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr))
170 + >= current_file_size)
171 + {
172 + error (_("Too many program headers - %#x - the file is not that big\n"),
173 + elf_header.e_phnum);
174 + return FALSE;
175 + }
176
177 + phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
178 + sizeof (Elf_Internal_Phdr));
179 if (phdrs == NULL)
180 {
181 error (_("Out of memory reading %u program headers\n"),
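Review bot: the new bound `e_phnum * sizeof (...) >= current_file_size` ignores e_phoff, so a program header table that is individually smaller than the file but starts near its end still passes here and is only caught later; checking `e_phoff + e_phnum * size > current_file_size` would reject that case with the same message and no extra cost. Two smaller points: the function's existing early exit is `return 1;` (visible in the context) while the new path uses `return FALSE;`, so pick one convention; and the check silently depends on current_file_size having been set before get_program_headers is called, which the comment should state as a precondition.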
182 --
183 2.13.0
184
185
186
187
188 1.1 src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
189
190 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&view=markup
191 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&content-type=text/plain
192
193 Index: 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
194 ===================================================================
195 From 264947c1489c7d7469d34db92672f8c3bde37fb2 Mon Sep 17 00:00:00 2001
196 From: Matthias Maier <tamiko@××××.org>
197 Date: Tue, 6 Jun 2017 13:30:14 -0500
198 Subject: [PATCH 4/5] CVE-2017-9040, CVE-2017-9042
199
200 readelf: fix out of range subtraction, seg fault from a NULL pointer and memory exhaustion, all from parsing corrupt binaries.
201
202 Patch taken from [1]. Gentoo bug [2]
203
204 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
205 [2] https://bugs.gentoo.org/show_bug.cgi?id=618826
206 ---
207 binutils/readelf.c | 15 +++++++++++++++
208 1 file changed, 15 insertions(+)
209
210 diff --git a/binutils/readelf.c b/binutils/readelf.c
211 index a11931d..b3ec415 100644
212 --- a/binutils/readelf.c
213 +++ b/binutils/readelf.c
214 @@ -9072,6 +9072,12 @@ process_dynamic_section (FILE * file)
215 processing that. This is overkill, I know, but it
216 should work. */
217 section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
218 + if ((bfd_size_type) section.sh_offset > current_file_size)
219 + {
220 + /* See PR 21379 for a reproducer. */
221 + error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset);
222 + return FALSE;
223 + }
224
225 if (archive_file_offset != 0)
226 section.sh_size = archive_file_size - section.sh_offset;
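Review bot: the new check bounds sh_offset against current_file_size only, but two lines below, in the `archive_file_offset != 0` branch, sh_size is computed as `archive_file_size - section.sh_offset`; an offset that is below the whole-file size but beyond archive_file_size therefore still underflows that subtraction for an archive member. The archive case needs its own bound (or the check should use the member's size when one is being processed). Minor: the error string `"Invalid DT_SYMTAB entry: %lx"` lacks the trailing newline that the other messages added in this patchset carry.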
227 @@ -14788,6 +14794,15 @@ process_mips_specific (FILE * file)
228 return 0;
229 }
230
231 + /* PR 21345 - print a slightly more helpful error message
232 + if we are sure that the cmalloc will fail. */
233 + if (conflictsno * sizeof (* iconf) > current_file_size)
234 + {
235 + error (_("Overlarge number of conflicts detected: %lx\n"),
236 + (long) conflictsno);
237 + return FALSE;
238 + }
239 +
240 iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf));
241 if (iconf == NULL)
242 {
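Review bot: the guard `conflictsno * sizeof (* iconf) > current_file_size` stops the absurd allocation, but it still admits a conflict count that fits the file as a whole while exceeding the section that actually holds the table; if the table's size or file offset is known at this point, bounding against that would reject more corrupt inputs through the same error path. The comparison operator also differs from the get_program_headers hunk earlier in this patchset (`>` here, `>=` there); aligning the two avoids off-by-one questions later.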
243 --
244 2.13.0
245
246
247
248
249 1.1 src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch
250
251 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&view=markup
252 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&content-type=text/plain
253
254 Index: 00_all_0011-0011-CVE-2017-9041.patch
255 ===================================================================
256 From 268cb749fe1b1f78929d3df43f3142c9c73f2bda Mon Sep 17 00:00:00 2001
257 From: Matthias Maier <tamiko@××××.org>
258 Date: Tue, 6 Jun 2017 13:40:06 -0500
259 Subject: [PATCH 5/5] CVE-2017-9041
260
261 Patch taken from [1]. Gentoo bug [2]
262
263 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
264 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
265 [2] https://bugs.gentoo.org/show_bug.cgi?id=618826
266 ---
267 binutils/readelf.c | 7 +++++++
268 1 file changed, 7 insertions(+)
269
270 diff --git a/binutils/readelf.c b/binutils/readelf.c
271 index b3ec415..984fb9b 100644
272 --- a/binutils/readelf.c
273 +++ b/binutils/readelf.c
274 @@ -14918,7 +14918,14 @@ process_mips_specific (FILE * file)
275 printf (_(" Lazy resolver\n"));
276 if (ent == (bfd_vma) -1)
277 goto got_print_fail;
278 +
279 + /* Check for the MSB of GOT[1] being set, denoting a GNU object.
280 + This entry will be used by some runtime loaders, to store the
281 + module pointer. Otherwise this is an ordinary local entry.
282 + PR 21344: Check for the entry being fully available before
283 + fetching it. */
284 if (data
285 + && data + ent - pltgot + addr_size <= data_end
286 && (byte_get (data + ent - pltgot, addr_size)
287 >> (addr_size * 8 - 1)) != 0)
288 {
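Review bot: the new clause `data + ent - pltgot + addr_size <= data_end` assumes ent >= pltgot; for a corrupt GOT with ent < pltgot, `ent - pltgot` wraps as an unsigned bfd_vma and the pointer arithmetic on data is already undefined before the comparison runs. Put `ent >= pltgot` in front of it (and guard against `ent - pltgot + addr_size` itself wrapping) so the bounds check is meaningful for every value the loop can produce; the preceding `ent == (bfd_vma) -1` test does not cover this.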
289 --
290 2.13.0
291
292
293
294
295 1.1 src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch
296
297 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&view=markup
298 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&content-type=text/plain
299
300 Index: binutils-2.27-CVE-2017-8421.patch
301 ===================================================================
302 From 39ff1b79f687b65f4144ddb379f22587003443fb Mon Sep 17 00:00:00 2001
303 From: Nick Clifton <nickc@××××××.com>
304 Date: Tue, 2 May 2017 11:54:53 +0100
305 Subject: [PATCH] Prevent memory exhaustion from a corrupt PE binary with an
306 overlarge number of relocs.
307
308 PR 21440
309 * objdump.c (dump_relocs_in_section): Check for an excessive
310 number of relocs before attempting to dump them.
311 ---
312 binutils/ChangeLog | 6 ++++++
313 binutils/objdump.c | 8 ++++++++
314 2 files changed, 14 insertions(+)
315
316 diff --git a/binutils/objdump.c b/binutils/objdump.c
317 index bc61000..5972da1 100644
318 --- a/binutils/objdump.c
319 +++ b/binutils/objdump.c
320 @@ -3379,6 +3379,14 @@ dump_relocs_in_section (bfd *abfd,
321 return;
322 }
323
324 + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
325 + && relsize > get_file_size (bfd_get_filename (abfd)))
326 + {
327 + printf (" (too many: 0x%x)\n", section->reloc_count);
328 + bfd_set_error (bfd_error_file_truncated);
329 + bfd_fatal (bfd_get_filename (abfd));
330 + }
331 +
332 relpp = (arelent **) xmalloc (relsize);
333 relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms);
334
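Review bot: this is the upstream commit 39ff1b79 that 00_all_0007 in the same commit already carries; the hunk body is identical and only the @@ offset differs (3379 here versus 3238 after rebasing onto 2.27), so applying both would either fail as already applied or insert the check twice. The README.history entry lists only 00_all_0007, which suggests this file is a leftover and should be dropped from the commit. Its diffstat also claims `binutils/ChangeLog | 6 ++++++` and "2 files changed, 14 insertions(+)", yet no ChangeLog hunk is present, so the stat does not match the patch body.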
335 --
336 2.9.3