aboutsummaryrefslogtreecommitdiffstats
path: root/main/binutils
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2014-12-08 14:47:27 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-12-08 14:49:06 +0000
commit6e866d5d899e7e93df6525c24b5560383ff34453 (patch)
tree75cc25436dc047486753499dbacafff1899a6d4b /main/binutils
parent491d4e86baf9fcf4c526f827a70fc8d70b4fd899 (diff)
downloadaports-6e866d5d899e7e93df6525c24b5560383ff34453.tar.bz2
aports-6e866d5d899e7e93df6525c24b5560383ff34453.tar.xz
main/binutils: various security fixes
Diffstat (limited to 'main/binutils')
-rw-r--r--main/binutils/APKBUILD40
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8484.patch31
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8485.patch70
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8501.patch26
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8502.patch504
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8503.patch16
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8504.patch50
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8737.patch128
-rw-r--r--main/binutils/binutils-2.24-CVE-2014-8738.patch48
9 files changed, 909 insertions, 4 deletions
diff --git a/main/binutils/APKBUILD b/main/binutils/APKBUILD
index a85e84b065..797b2cf8e8 100644
--- a/main/binutils/APKBUILD
+++ b/main/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=binutils
pkgver=2.24
-pkgrel=2
+pkgrel=3
pkgdesc="Tools necessary to build programs"
url="http://www.gnu.org/software/binutils/"
depends=""
@@ -20,6 +20,14 @@ source="http://ftp.gnu.org/gnu/binutils/binutils-$pkgver.tar.bz2
binutils-ld-fix-static-linking.patch
02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch
bfd-version.patch
+ binutils-2.24-CVE-2014-8484.patch
+ binutils-2.24-CVE-2014-8485.patch
+ binutils-2.24-CVE-2014-8501.patch
+ binutils-2.24-CVE-2014-8502.patch
+ binutils-2.24-CVE-2014-8503.patch
+ binutils-2.24-CVE-2014-8504.patch
+ binutils-2.24-CVE-2014-8737.patch
+ binutils-2.24-CVE-2014-8738.patch
"
_builddir="$srcdir/$pkgname-$pkgver"
@@ -85,12 +93,36 @@ libs() {
md5sums="e0f71a7b2ddab0f8612336ac81d9636b binutils-2.24.tar.bz2
c9f308494b87c243f121a56d58f2da87 binutils-ld-fix-static-linking.patch
26210092adc0e0d7b236eb464dea543a 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch
-56c179892fa33cd0bac127761834e5d9 bfd-version.patch"
+56c179892fa33cd0bac127761834e5d9 bfd-version.patch
+125d8ce675ced84814d5f068106dbaa3 binutils-2.24-CVE-2014-8484.patch
+6923e5279a84cb7134b07e2cf6686434 binutils-2.24-CVE-2014-8485.patch
+4c590dc70829d8f4fc190f0fe7e3add8 binutils-2.24-CVE-2014-8501.patch
+339fd5a7b79f973e0eb57e9616cfb1e5 binutils-2.24-CVE-2014-8502.patch
+70540e2c6418a54ad88ab9c6b988d075 binutils-2.24-CVE-2014-8503.patch
+acce1f1d28db6bdb84b430a05f331366 binutils-2.24-CVE-2014-8504.patch
+12fb3e860203a06b5d1f4b023c06dcec binutils-2.24-CVE-2014-8737.patch
+d35b0ccb79d565757821b3e0206f3873 binutils-2.24-CVE-2014-8738.patch"
sha256sums="e5e8c5be9664e7f7f96e0d09919110ab5ad597794f5b1809871177a0f0f14137 binutils-2.24.tar.bz2
d5c5581d0ba04ef2e3690f6fb57435bf7ce343f2376fe972a2a693c5429eec9c binutils-ld-fix-static-linking.patch
0bbd84e3e761e482e5a78ca126964b2af3b492dad66f49b62603f653bb795ea5 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch
-79cea3abac2fc544494853b03a5fbf92489969397286d201b25706359e0862bb bfd-version.patch"
+79cea3abac2fc544494853b03a5fbf92489969397286d201b25706359e0862bb bfd-version.patch
+f4eb21ee16f34d7d60f9dd2d6a45616a78e60c79ae40a2a691316ed73704f8a1 binutils-2.24-CVE-2014-8484.patch
+8bab2ee0dba00bccf78f3a9fee492342c6d6e362b43bdebe20b5226bbc76d3e7 binutils-2.24-CVE-2014-8485.patch
+15d8878af78a26bc7ff9e40312c3265d8172328d505c03d2429177c981ab4397 binutils-2.24-CVE-2014-8501.patch
+cdd5bc44831eb58b00ae374e39102a24870ca14f0eb8c40fc18d94b89c14b3bd binutils-2.24-CVE-2014-8502.patch
+03261cba91e0a93a71d1554660d7dadf0735f6ec358ca6ad1443eb66b92b45ae binutils-2.24-CVE-2014-8503.patch
+47b092c472373d60655f1cde6d8f83dcf4e2ccdc818fb4c335b141ea2f472a02 binutils-2.24-CVE-2014-8504.patch
+86fc02360f3c93ab73e2cc7df4f9516611220185fb543f9be4d87b10bc1d73f4 binutils-2.24-CVE-2014-8737.patch
+51e116f55dd72ae8b8af6d8f9755ff557953857251e5490532840cca4a6fae51 binutils-2.24-CVE-2014-8738.patch"
sha512sums="5ec95ad47d49b12c4558a8db0ca2109d3ee1955e3776057f3330c4506f8f4d1cf5e505fbf8a16b98403a0fcdeaaf986fe0a22be6456247dbdace63ce1f776b12 binutils-2.24.tar.bz2
ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch
f7c2d19c4fce831d5f2791e4daadde70a1286bcf27074e24e635224fc9f39f47b6d95cbf2860eea1be1362f995e348fca0a0c2d9fe2d491dfe5d674c82f83bfb 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch
-2fce2bbb667e643d090898d221f896ef7c192e858edbda3d460cb2067b130ce6d44730a47e332cae4c7bacf1a858dcc33715246fd209c7d98d2eda4aeb3f5b6c bfd-version.patch"
+2fce2bbb667e643d090898d221f896ef7c192e858edbda3d460cb2067b130ce6d44730a47e332cae4c7bacf1a858dcc33715246fd209c7d98d2eda4aeb3f5b6c bfd-version.patch
+e5b136a63c2c402c52dc07383cff0247560aedee541f05144ceba7aaa27ec5eeccf94cd6be36cc7389a597349f02277efff06465a3ae6ea4eecd3169f6794124 binutils-2.24-CVE-2014-8484.patch
+df3d20083118fa7bd42d95356478af43cdf24d0ffd54aaefc11806bf7cfddd0c8a3d639846e6087b6a7134e6984894cb3044195babc47e48ac1899e4b8384a08 binutils-2.24-CVE-2014-8485.patch
+87e56bd9a0d491465202ffac22c732e4c490186c78d366d90130db8ba9882bf0047782fd6873fd1585ce3a336dd75c4cdc830508baeb3e6ec52f1655e6743f21 binutils-2.24-CVE-2014-8501.patch
+b1e89da52483df8b8156d9c778c22eda50c6c5d2838c89257ec3118f01895a60c47a3120f1a6e59e083490bcaa5c4baaf16ab41625a115b47254a7e4b62ae387 binutils-2.24-CVE-2014-8502.patch
+ad9c2774c824d4eaf2c99e539786e740f71937aca9af043c05bec422367cc3461904d7c5ca37ba57dc9502170d2082759b1786e5b4024c67be7188632d6349f1 binutils-2.24-CVE-2014-8503.patch
+c54400678d742a2033036c85ce062cce3b65a32be6656ce39921291d39ccb237fdd20dadf12c20982d372a7cec46d32b07fcaad845c0d1986fc388e7b773af12 binutils-2.24-CVE-2014-8504.patch
+85de4bb4646d6b20872337ae452ab9c514661d998b9633e45b1e3d3f267adbc210f9ca35ae71e80f769fb033f2ff6fa8a7d06a7fbc72255076be4006c2e9abca binutils-2.24-CVE-2014-8737.patch
+364efbd7f0e98f3796fce4cab8c54f67a2d410c7eb05cbf206aa72911ca7c904f8e5ca929b105a2a23bf0887026bee29086e32f522a39bce8c6547751895b8eb binutils-2.24-CVE-2014-8738.patch"
diff --git a/main/binutils/binutils-2.24-CVE-2014-8484.patch b/main/binutils/binutils-2.24-CVE-2014-8484.patch
new file mode 100644
index 0000000000..69a5e85064
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8484.patch
@@ -0,0 +1,31 @@
+--- binutils-2.24/bfd/srec.c 2013-11-04 16:33:37.000000000 +0100
++++ binutils-2.24-1/bfd/srec.c 2014-10-24 21:46:38.973046641 +0200
+@@ -455,7 +455,7 @@
+ {
+ file_ptr pos;
+ char hdr[3];
+- unsigned int bytes;
++ unsigned int bytes, min_bytes;
+ bfd_vma address;
+ bfd_byte *data;
+ unsigned char check_sum;
+@@ -478,6 +478,19 @@
+ }
+
+ check_sum = bytes = HEX (hdr + 1);
++ min_bytes = 3;
++ if (hdr[0] == '2' || hdr[0] == '8')
++ min_bytes = 4;
++ else if (hdr[0] == '3' || hdr[0] == '7')
++ min_bytes = 5;
++ if (bytes < min_bytes)
++ {
++ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"),
++ abfd, lineno, bytes);
++ bfd_set_error (bfd_error_bad_value);
++ goto error_return;
++ }
++
+ if (bytes * 2 > bufsize)
+ {
+ if (buf != NULL)
diff --git a/main/binutils/binutils-2.24-CVE-2014-8485.patch b/main/binutils/binutils-2.24-CVE-2014-8485.patch
new file mode 100644
index 0000000000..705c74835b
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8485.patch
@@ -0,0 +1,70 @@
+diff --git a/bfd/elf.c b/bfd/elf.c
+index c884d1d..c8ac826 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
+ if (shdr->contents == NULL)
+ {
+ _bfd_error_handler
+- (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++ (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ bfd_set_error (bfd_error_bad_value);
+- return FALSE;
++ -- num_group;
++ continue;
+ }
+
+ memset (shdr->contents, 0, amt);
+@@ -618,8 +619,17 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
+ if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+ != shdr->sh_size))
+- return FALSE;
+-
++ {
++ _bfd_error_handler
++ (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++ bfd_set_error (bfd_error_bad_value);
++ -- num_group;
++ /* PR 17510: If the group contents are even partially
++ corrupt, do not allow any of the contents to be used. */
++ memset (shdr->contents, 0, amt);
++ continue;
++ }
++
+ /* Translate raw contents, a flag word followed by an
+ array of elf section indices all in target byte order,
+ to the flag word followed by an array of elf section
+@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
+ }
+ }
+ }
++
++ /* PR 17510: Corrupt binaries might contain invalid groups. */
++ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
++ {
++ elf_tdata (abfd)->num_group = num_group;
++
++ /* If all groups are invalid then fail. */
++ if (num_group == 0)
++ {
++ elf_tdata (abfd)->group_sect_ptr = NULL;
++ elf_tdata (abfd)->num_group = num_group = -1;
++ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
++ bfd_set_error (bfd_error_bad_value);
++ }
++ }
+ }
+ }
+
+@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
+ {
+ (*_bfd_error_handler) (_("%B: no group info for section %A"),
+ abfd, newsect);
++ return FALSE;
+ }
+ return TRUE;
+ }
+--
+1.7.1
+
diff --git a/main/binutils/binutils-2.24-CVE-2014-8501.patch b/main/binutils/binutils-2.24-CVE-2014-8501.patch
new file mode 100644
index 0000000000..1312885854
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8501.patch
@@ -0,0 +1,26 @@
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 2fb631c..987be40 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -504,6 +504,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
+ {
+ int idx;
+
++ /* PR 17512: Corrupt PE binaries can cause seg-faults. */
++ if (a->NumberOfRvaAndSizes > 16)
++ {
++ (*_bfd_error_handler)
++ (_("%B: aout header specifies an invalid number of data-directory entries: %d"),
++ abfd, a->NumberOfRvaAndSizes);
++ /* Paranoia: If the number is corrupt, then assume that the
++ actual entries themselves might be corrupt as well. */
++ a->NumberOfRvaAndSizes = 0;
++ }
++
++
+ for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
+ {
+ /* If data directory is empty, rva also should be 0. */
+--
+1.7.1
+
diff --git a/main/binutils/binutils-2.24-CVE-2014-8502.patch b/main/binutils/binutils-2.24-CVE-2014-8502.patch
new file mode 100644
index 0000000000..4cb1dd012e
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8502.patch
@@ -0,0 +1,504 @@
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 4679268..48e1dca 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -1574,38 +1574,74 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ Elf_Internal_Ehdr *ehdr;
+ const struct elf_backend_data *bed;
+ const char *name;
++ bfd_boolean ret = TRUE;
++ static bfd_boolean * sections_being_created = NULL;
++ static bfd * sections_being_created_abfd = NULL;
++ static unsigned int nesting = 0;
+
+ if (shindex >= elf_numsections (abfd))
+ return FALSE;
+
++ if (++ nesting > 3)
++ {
++ /* PR17512: A corrupt ELF binary might contain a recursive group of
++ sections, each the string indicies pointing to the next in the
++ loop. Detect this here, by refusing to load a section that we are
++ already in the process of loading. We only trigger this test if
++ we have nested at least three sections deep as normal ELF binaries
++ can expect to recurse at least once.
++
++ FIXME: It would be better if this array was attached to the bfd,
++ rather than being held in a static pointer. */
++
++ if (sections_being_created_abfd != abfd)
++ sections_being_created = NULL;
++ if (sections_being_created == NULL)
++ {
++ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
++ sections_being_created = (bfd_boolean *)
++ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ sections_being_created_abfd = abfd;
++ }
++ if (sections_being_created [shindex])
++ {
++ (*_bfd_error_handler)
++ (_("%B: warning: loop in section dependencies detected"), abfd);
++ return FALSE;
++ }
++ sections_being_created [shindex] = TRUE;
++ }
++
+ hdr = elf_elfsections (abfd)[shindex];
+ ehdr = elf_elfheader (abfd);
+ name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx,
+ hdr->sh_name);
+ if (name == NULL)
+- return FALSE;
++ goto fail;
+
+ bed = get_elf_backend_data (abfd);
+ switch (hdr->sh_type)
+ {
+ case SHT_NULL:
+ /* Inactive section. Throw it away. */
+- return TRUE;
++ goto success;
+
+- case SHT_PROGBITS: /* Normal section with contents. */
+- case SHT_NOBITS: /* .bss section. */
+- case SHT_HASH: /* .hash section. */
+- case SHT_NOTE: /* .note section. */
++ case SHT_PROGBITS: /* Normal section with contents. */
++ case SHT_NOBITS: /* .bss section. */
++ case SHT_HASH: /* .hash section. */
++ case SHT_NOTE: /* .note section. */
+ case SHT_INIT_ARRAY: /* .init_array section. */
+ case SHT_FINI_ARRAY: /* .fini_array section. */
+ case SHT_PREINIT_ARRAY: /* .preinit_array section. */
+ case SHT_GNU_LIBLIST: /* .gnu.liblist section. */
+ case SHT_GNU_HASH: /* .gnu.hash section. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_DYNAMIC: /* Dynamic linking information. */
+ if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+- return FALSE;
++ goto fail;
++
+ if (hdr->sh_link > elf_numsections (abfd))
+ {
+ /* PR 10478: Accept Solaris binaries with a sh_link
+@@ -1619,11 +1655,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ break;
+ /* Otherwise fall through. */
+ default:
+- return FALSE;
++ goto fail;
+ }
+ }
+ else if (elf_elfsections (abfd)[hdr->sh_link] == NULL)
+- return FALSE;
++ goto fail;
+ else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
+ {
+ Elf_Internal_Shdr *dynsymhdr;
+@@ -1652,24 +1688,26 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ }
+ }
+ }
+- break;
++ goto success;
+
+- case SHT_SYMTAB: /* A symbol table */
++ case SHT_SYMTAB: /* A symbol table. */
+ if (elf_onesymtab (abfd) == shindex)
+- return TRUE;
++ goto success;
+
+ if (hdr->sh_entsize != bed->s->sizeof_sym)
+- return FALSE;
++ goto fail;
++
+ if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
+ {
+ if (hdr->sh_size != 0)
+- return FALSE;
++ goto fail;
+ /* Some assemblers erroneously set sh_info to one with a
+ zero sh_size. ld sees this as a global symbol count
+ of (unsigned) -1. Fix it here. */
+ hdr->sh_info = 0;
+- return TRUE;
++ goto success;
+ }
++
+ BFD_ASSERT (elf_onesymtab (abfd) == 0);
+ elf_onesymtab (abfd) = shindex;
+ elf_tdata (abfd)->symtab_hdr = *hdr;
+@@ -1686,7 +1724,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ && (abfd->flags & DYNAMIC) != 0
+ && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+ shindex))
+- return FALSE;
++ goto fail;
+
+ /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
+ can't read symbols without that section loaded as well. It
+@@ -1712,26 +1750,29 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ break;
+ }
+ if (i != shindex)
+- return bfd_section_from_shdr (abfd, i);
++ ret = bfd_section_from_shdr (abfd, i);
+ }
+- return TRUE;
++ goto success;
+
+- case SHT_DYNSYM: /* A dynamic symbol table */
++ case SHT_DYNSYM: /* A dynamic symbol table. */
+ if (elf_dynsymtab (abfd) == shindex)
+- return TRUE;
++ goto success;
+
+ if (hdr->sh_entsize != bed->s->sizeof_sym)
+- return FALSE;
++ goto fail;
++
+ if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
+ {
+ if (hdr->sh_size != 0)
+- return FALSE;
++ goto fail;
++
+ /* Some linkers erroneously set sh_info to one with a
+ zero sh_size. ld sees this as a global symbol count
+ of (unsigned) -1. Fix it here. */
+ hdr->sh_info = 0;
+- return TRUE;
++ goto success;
+ }
++
+ BFD_ASSERT (elf_dynsymtab (abfd) == 0);
+ elf_dynsymtab (abfd) = shindex;
+ elf_tdata (abfd)->dynsymtab_hdr = *hdr;
+@@ -1740,34 +1781,38 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+
+ /* Besides being a symbol table, we also treat this as a regular
+ section, so that objcopy can handle it. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+- case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */
++ case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */
+ if (elf_symtab_shndx (abfd) == shindex)
+- return TRUE;
++ goto success;
+
+ BFD_ASSERT (elf_symtab_shndx (abfd) == 0);
+ elf_symtab_shndx (abfd) = shindex;
+ elf_tdata (abfd)->symtab_shndx_hdr = *hdr;
+ elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr;
+- return TRUE;
++ goto success;
+
+- case SHT_STRTAB: /* A string table */
++ case SHT_STRTAB: /* A string table. */
+ if (hdr->bfd_section != NULL)
+- return TRUE;
++ goto success;
++
+ if (ehdr->e_shstrndx == shindex)
+ {
+ elf_tdata (abfd)->shstrtab_hdr = *hdr;
+ elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr;
+- return TRUE;
++ goto success;
+ }
++
+ if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex)
+ {
+ symtab_strtab:
+ elf_tdata (abfd)->strtab_hdr = *hdr;
+ elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr;
+- return TRUE;
++ goto success;
+ }
++
+ if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex)
+ {
+ dynsymtab_strtab:
+@@ -1776,8 +1821,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ elf_elfsections (abfd)[shindex] = hdr;
+ /* We also treat this as a regular section, so that objcopy
+ can handle it. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
+ }
+
+ /* If the string table isn't one of the above, then treat it as a
+@@ -1795,9 +1841,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ {
+ /* Prevent endless recursion on broken objects. */
+ if (i == shindex)
+- return FALSE;
++ goto fail;
+ if (! bfd_section_from_shdr (abfd, i))
+- return FALSE;
++ goto fail;
+ if (elf_onesymtab (abfd) == i)
+ goto symtab_strtab;
+ if (elf_dynsymtab (abfd) == i)
+@@ -1805,7 +1851,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ }
+ }
+ }
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_REL:
+ case SHT_RELA:
+@@ -1820,7 +1867,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ if (hdr->sh_entsize
+ != (bfd_size_type) (hdr->sh_type == SHT_REL
+ ? bed->s->sizeof_rel : bed->s->sizeof_rela))
+- return FALSE;
++ goto fail;
+
+ /* Check for a bogus link to avoid crashing. */
+ if (hdr->sh_link >= num_sec)
+@@ -1828,8 +1875,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ ((*_bfd_error_handler)
+ (_("%B: invalid link %lu for reloc section %s (index %u)"),
+ abfd, hdr->sh_link, name, shindex));
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
+ }
+
+ /* For some incomprehensible reason Oracle distributes
+@@ -1870,7 +1918,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
+ || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
+ && ! bfd_section_from_shdr (abfd, hdr->sh_link))
+- return FALSE;
++ goto fail;
+
+ /* If this reloc section does not use the main symbol table we
+ don't treat it as a reloc section. BFD can't adequately
+@@ -1885,14 +1933,18 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ || hdr->sh_info >= num_sec
+ || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
+ || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ {
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
++ }
+
+ if (! bfd_section_from_shdr (abfd, hdr->sh_info))
+- return FALSE;
++ goto fail;
++
+ target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
+ if (target_sect == NULL)
+- return FALSE;
++ goto fail;
+
+ esdt = elf_section_data (target_sect);
+ if (hdr->sh_type == SHT_RELA)
+@@ -1904,7 +1956,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ amt = sizeof (*hdr2);
+ hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
+ if (hdr2 == NULL)
+- return FALSE;
++ goto fail;
+ *hdr2 = *hdr;
+ *p_hdr = hdr2;
+ elf_elfsections (abfd)[shindex] = hdr2;
+@@ -1920,34 +1972,40 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ target_sect->use_rela_p = 1;
+ }
+ abfd->flags |= HAS_RELOC;
+- return TRUE;
++ goto success;
+ }
+
+ case SHT_GNU_verdef:
+ elf_dynverdef (abfd) = shindex;
+ elf_tdata (abfd)->dynverdef_hdr = *hdr;
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_GNU_versym:
+ if (hdr->sh_entsize != sizeof (Elf_External_Versym))
+- return FALSE;
++ goto fail;
++
+ elf_dynversym (abfd) = shindex;
+ elf_tdata (abfd)->dynversym_hdr = *hdr;
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_GNU_verneed:
+ elf_dynverref (abfd) = shindex;
+ elf_tdata (abfd)->dynverref_hdr = *hdr;
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_SHLIB:
+- return TRUE;
++ goto success;
+
+ case SHT_GROUP:
+ if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE))
+- return FALSE;
++ goto fail;
++
+ if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+- return FALSE;
++ goto fail;
++
+ if (hdr->contents != NULL)
+ {
+ Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
+@@ -1973,7 +2031,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ }
+ }
+ }
+- break;
++ goto success;
+
+ default:
+ /* Possibly an attributes section. */
+@@ -1981,14 +2039,14 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ || hdr->sh_type == bed->obj_attrs_section_type)
+ {
+ if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+- return FALSE;
++ goto fail;
+ _bfd_elf_parse_attributes (abfd, hdr);
+- return TRUE;
++ goto success;
+ }
+
+ /* Check for any processor-specific section types. */
+ if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex))
+- return TRUE;
++ goto success;
+
+ if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
+ {
+@@ -2000,9 +2058,12 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ "specific section `%s' [0x%8x]"),
+ abfd, name, hdr->sh_type);
+ else
+- /* Allow sections reserved for applications. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ {
++ /* Allow sections reserved for applications. */
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
++ }
+ }
+ else if (hdr->sh_type >= SHT_LOPROC
+ && hdr->sh_type <= SHT_HIPROC)
+@@ -2023,8 +2084,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ "`%s' [0x%8x]"),
+ abfd, name, hdr->sh_type);
+ else
+- /* Otherwise it should be processed. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ {
++ /* Otherwise it should be processed. */
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
++ }
+ }
+ else
+ /* FIXME: We should handle this section. */
+@@ -2032,10 +2096,20 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ (_("%B: don't know how to handle section `%s' [0x%8x]"),
+ abfd, name, hdr->sh_type);
+
+- return FALSE;
++ goto fail;
+ }
+
+- return TRUE;
++ fail:
++ ret = FALSE;
++ success:
++ if (sections_being_created)
++ sections_being_created [shindex] = FALSE;
++ if (-- nesting == 0)
++ {
++ sections_being_created = NULL;
++ sections_being_created_abfd = abfd;
++ }
++ return ret;
+ }
+
+ /* Return the local symbol specified by ABFD, R_SYMNDX. */
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index b7b32b2..76bb4ae 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -1438,6 +1438,15 @@ pe_print_edata (bfd * abfd, void * vfile)
+ }
+ }
+
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (datasize < 36)
++ {
++ fprintf (file,
++ _("\nThere is an export table in %s, but it is too small (%d)\n"),
++ section->name, (int) datasize);
++ return TRUE;
++ }
++
+ fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+ section->name, (unsigned long) addr);
+
+@@ -1528,7 +1537,12 @@ pe_print_edata (bfd * abfd, void * vfile)
+ _("\nExport Address Table -- Ordinal Base %ld\n"),
+ edt.base);
+
+- for (i = 0; i < edt.num_functions; ++i)
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize)
++ fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
++ (long) edt.eat_addr,
++ (long) edt.num_functions);
++ else for (i = 0; i < edt.num_functions; ++i)
+ {
+ bfd_vma eat_member = bfd_get_32 (abfd,
+ data + edt.eat_addr + (i * 4) - adj);
+@@ -1564,7 +1578,16 @@ pe_print_edata (bfd * abfd, void * vfile)
+ fprintf (file,
+ _("\n[Ordinal/Name Pointer] Table\n"));
+
+- for (i = 0; i < edt.num_names; ++i)
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize)
++ fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"),
++ (long) edt.npt_addr,
++ (long) edt.num_names);
++ else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize)
++ fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"),
++ (long) edt.ot_addr,
++ (long) edt.num_names);
++ else for (i = 0; i < edt.num_names; ++i)
+ {
+ bfd_vma name_ptr = bfd_get_32 (abfd,
+ data +
diff --git a/main/binutils/binutils-2.24-CVE-2014-8503.patch b/main/binutils/binutils-2.24-CVE-2014-8503.patch
new file mode 100644
index 0000000000..c889c695f7
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8503.patch
@@ -0,0 +1,16 @@
+diff --git a/bfd/ihex.c b/bfd/ihex.c
+index 8d3590d..9b3b813 100644
+--- a/bfd/ihex.c
++++ b/bfd/ihex.c
+@@ -321,7 +321,7 @@ ihex_scan (bfd *abfd)
+ {
+ if (! ISHEX (buf[i]))
+ {
+- ihex_bad_byte (abfd, lineno, hdr[i], error);
++ ihex_bad_byte (abfd, lineno, buf[i], error);
+ goto error_return;
+ }
+ }
+--
+1.7.1
+
diff --git a/main/binutils/binutils-2.24-CVE-2014-8504.patch b/main/binutils/binutils-2.24-CVE-2014-8504.patch
new file mode 100644
index 0000000000..6dc3d497e4
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8504.patch
@@ -0,0 +1,50 @@
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 3fcf2d8..949221f 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -629,7 +629,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
+ memset (shdr->contents, 0, amt);
+ continue;
+ }
+-
++
+ /* Translate raw contents, a flag word followed by an
+ array of elf section indices all in target byte order,
+ to the flag word followed by an array of elf section
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index c7d6067..6129085 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -515,7 +515,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
+ a->NumberOfRvaAndSizes = 0;
+ }
+
+-
+ for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
+ {
+ /* If data directory is empty, rva also should be 0. */
+diff --git a/bfd/srec.c b/bfd/srec.c
+index 9ed2080..5f9a546 100644
+--- a/bfd/srec.c
++++ b/bfd/srec.c
+@@ -246,7 +246,7 @@ srec_bad_byte (bfd *abfd,
+ }
+ else
+ {
+- char buf[10];
++ char buf[40];
+
+ if (! ISPRINT (c))
+ sprintf (buf, "\\%03o", (unsigned int) c);
+@@ -452,7 +452,7 @@ srec_scan (bfd *abfd)
+ case 'S':
+ {
+ file_ptr pos;
+- char hdr[3];
++ unsigned char hdr[3];
+ unsigned int bytes, min_bytes;
+ bfd_vma address;
+ bfd_byte *data;
+--
+1.7.1
+
diff --git a/main/binutils/binutils-2.24-CVE-2014-8737.patch b/main/binutils/binutils-2.24-CVE-2014-8737.patch
new file mode 100644
index 0000000000..7fafa8daf9
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8737.patch
@@ -0,0 +1,128 @@
+diff --git a/binutils/ar.c b/binutils/ar.c
+index ebd9528..117826d 100644
+--- a/binutils/ar.c
++++ b/binutils/ar.c
+@@ -1034,6 +1034,15 @@ extract_file (bfd *abfd)
+ bfd_size_type size;
+ struct stat buf;
+
++ /* PR binutils/17533: Do not allow directory traversal
++ outside of the current directory tree. */
++ if (! is_valid_archive_path (bfd_get_filename (abfd)))
++ {
++ non_fatal (_("illegal pathname found in archive member: %s"),
++ bfd_get_filename (abfd));
++ return;
++ }
++
+ if (bfd_stat_arch_elt (abfd, &buf) != 0)
+ /* xgettext:c-format */
+ fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fd73070..b8deff5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abfd)
+ bfd_get_filename (abfd));
+ return buf;
+ }
++
++/* Returns TRUE iff PATHNAME, a filename of an archive member,
++ is valid for writing. For security reasons absolute paths
++ and paths containing /../ are not allowed. See PR 17533. */
++
++bfd_boolean
++is_valid_archive_path (char const * pathname)
++{
++ const char * n = pathname;
++
++ if (IS_ABSOLUTE_PATH (n))
++ return FALSE;
++
++ while (*n)
++ {
++ if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
++ return FALSE;
++
++ while (*n && ! IS_DIR_SEPARATOR (*n))
++ n++;
++ while (IS_DIR_SEPARATOR (*n))
++ n++;
++ }
++
++ return TRUE;
++}
+diff --git a/binutils/bucomm.h b/binutils/bucomm.h
+index a93c378..a71a8fb 100644
+--- a/binutils/bucomm.h
++++ b/binutils/bucomm.h
+@@ -21,6 +21,8 @@
+ #ifndef _BUCOMM_H
+ #define _BUCOMM_H
+
++/* In bucomm.c. */
++
+ /* Return the filename in a static buffer. */
+ const char *bfd_get_archive_filename (const bfd *);
+
+@@ -56,20 +58,22 @@ bfd_vma parse_vma (const char *, const char *);
+
+ off_t get_file_size (const char *);
+
++bfd_boolean is_valid_archive_path (char const *);
++
+ extern char *program_name;
+
+-/* filemode.c */
++/* In filemode.c. */
+ void mode_string (unsigned long, char *);
+
+-/* version.c */
++/* In version.c. */
+ extern void print_version (const char *);
+
+-/* rename.c */
++/* In rename.c. */
+ extern void set_times (const char *, const struct stat *);
+
+ extern int smart_rename (const char *, const char *, int);
+
+-/* libiberty. */
++/* In libiberty. */
+ void *xmalloc (size_t);
+
+ void *xrealloc (void *, size_t);
+diff --git a/binutils/doc/binutils.texi b/binutils/doc/binutils.texi
+index eee77b1..39eb1d2 100644
+--- a/binutils/doc/binutils.texi
++++ b/binutils/doc/binutils.texi
+@@ -234,7 +234,8 @@ a normal archive. Instead the elements of the first archive are added
+ individually to the second archive.
+
+ The paths to the elements of the archive are stored relative to the
+-archive itself.
++archive itself. For security reasons absolute paths and paths with a
++@code{/../} component are not allowed.
+
+ @cindex compatibility, @command{ar}
+ @cindex @command{ar} compatibility
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index 3b353ad..8454bc6 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -2295,6 +2295,12 @@ copy_archive (bfd *ibfd, bfd *obfd, const char *output_target,
+ bfd_boolean del = TRUE;
+ bfd_boolean ok_object;
+
++ /* PR binutils/17533: Do not allow directory traversal
++ outside of the current directory tree by archive members. */
++ if (! is_valid_archive_path (bfd_get_filename (this_element)))
++ fatal (_("illegal pathname found in archive member: %s"),
++ bfd_get_filename (this_element));
++
+ /* Create an output file for this member. */
+ output_name = concat (dir, "/",
+ bfd_get_filename (this_element), (char *) 0);
+--
+1.7.1
+
diff --git a/main/binutils/binutils-2.24-CVE-2014-8738.patch b/main/binutils/binutils-2.24-CVE-2014-8738.patch
new file mode 100644
index 0000000000..d671ed241b
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8738.patch
@@ -0,0 +1,48 @@
+diff --git a/bfd/archive.c b/bfd/archive.c
+index 40a3395..b905213 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ amt = namedata->parsed_size;
+ if (amt + 1 == 0)
+ goto byebye;
++ /* PR binutils/17533: A corrupt archive can contain an invalid size. */
++ if (amt > (bfd_size_type) bfd_get_size (abfd))
++ goto byebye;
+
+ bfd_ardata (abfd)->extended_names_size = amt;
+ bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
+@@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ {
+ byebye:
+ free (namedata);
++ bfd_ardata (abfd)->extended_names = NULL;
++ bfd_ardata (abfd)->extended_names_size = 0;
+ return FALSE;
+ }
+
+@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ if (bfd_get_error () != bfd_error_system_call)
+ bfd_set_error (bfd_error_malformed_archive);
+ bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
+- bfd_ardata (abfd)->extended_names = NULL;
+ goto byebye;
+ }
+
+@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ text, the entries in the list are newline-padded, not null
+ padded. In SVR4-style archives, the names also have a
+ trailing '/'. DOS/NT created archive often have \ in them
+- We'll fix all problems here.. */
++ We'll fix all problems here. */
+ {
+ char *ext_names = bfd_ardata (abfd)->extended_names;
+ char *temp = ext_names;
+ char *limit = temp + namedata->parsed_size;
++
+ for (; temp < limit; ++temp)
+ {
+ if (*temp == ARFMAG[1])
+--
+1.7.1
+