From 6e866d5d899e7e93df6525c24b5560383ff34453 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Mon, 8 Dec 2014 14:47:27 +0000 Subject: main/binutils: various security fixes ref #3544 Adresses: CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738 --- main/binutils/APKBUILD | 40 +- main/binutils/binutils-2.24-CVE-2014-8484.patch | 31 ++ main/binutils/binutils-2.24-CVE-2014-8485.patch | 70 ++++ main/binutils/binutils-2.24-CVE-2014-8501.patch | 26 ++ main/binutils/binutils-2.24-CVE-2014-8502.patch | 504 ++++++++++++++++++++++++ main/binutils/binutils-2.24-CVE-2014-8503.patch | 16 + main/binutils/binutils-2.24-CVE-2014-8504.patch | 50 +++ main/binutils/binutils-2.24-CVE-2014-8737.patch | 128 ++++++ main/binutils/binutils-2.24-CVE-2014-8738.patch | 48 +++ 9 files changed, 909 insertions(+), 4 deletions(-) create mode 100644 main/binutils/binutils-2.24-CVE-2014-8484.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8485.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8501.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8502.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8503.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8504.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8737.patch create mode 100644 main/binutils/binutils-2.24-CVE-2014-8738.patch diff --git a/main/binutils/APKBUILD b/main/binutils/APKBUILD index a85e84b065..797b2cf8e8 100644 --- a/main/binutils/APKBUILD +++ b/main/binutils/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=binutils pkgver=2.24 -pkgrel=2 +pkgrel=3 pkgdesc="Tools necessary to build programs" url="http://www.gnu.org/software/binutils/" depends="" @@ -20,6 +20,14 @@ source="http://ftp.gnu.org/gnu/binutils/binutils-$pkgver.tar.bz2 binutils-ld-fix-static-linking.patch 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch bfd-version.patch + binutils-2.24-CVE-2014-8484.patch + binutils-2.24-CVE-2014-8485.patch + binutils-2.24-CVE-2014-8501.patch + binutils-2.24-CVE-2014-8502.patch + binutils-2.24-CVE-2014-8503.patch + binutils-2.24-CVE-2014-8504.patch + binutils-2.24-CVE-2014-8737.patch + binutils-2.24-CVE-2014-8738.patch " _builddir="$srcdir/$pkgname-$pkgver" @@ -85,12 +93,36 @@ libs() { md5sums="e0f71a7b2ddab0f8612336ac81d9636b binutils-2.24.tar.bz2 c9f308494b87c243f121a56d58f2da87 binutils-ld-fix-static-linking.patch 26210092adc0e0d7b236eb464dea543a 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch -56c179892fa33cd0bac127761834e5d9 bfd-version.patch" +56c179892fa33cd0bac127761834e5d9 bfd-version.patch +125d8ce675ced84814d5f068106dbaa3 binutils-2.24-CVE-2014-8484.patch +6923e5279a84cb7134b07e2cf6686434 binutils-2.24-CVE-2014-8485.patch +4c590dc70829d8f4fc190f0fe7e3add8 binutils-2.24-CVE-2014-8501.patch +339fd5a7b79f973e0eb57e9616cfb1e5 binutils-2.24-CVE-2014-8502.patch +70540e2c6418a54ad88ab9c6b988d075 binutils-2.24-CVE-2014-8503.patch +acce1f1d28db6bdb84b430a05f331366 binutils-2.24-CVE-2014-8504.patch +12fb3e860203a06b5d1f4b023c06dcec binutils-2.24-CVE-2014-8737.patch +d35b0ccb79d565757821b3e0206f3873 binutils-2.24-CVE-2014-8738.patch" sha256sums="e5e8c5be9664e7f7f96e0d09919110ab5ad597794f5b1809871177a0f0f14137 binutils-2.24.tar.bz2 d5c5581d0ba04ef2e3690f6fb57435bf7ce343f2376fe972a2a693c5429eec9c binutils-ld-fix-static-linking.patch 0bbd84e3e761e482e5a78ca126964b2af3b492dad66f49b62603f653bb795ea5 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch -79cea3abac2fc544494853b03a5fbf92489969397286d201b25706359e0862bb bfd-version.patch" +79cea3abac2fc544494853b03a5fbf92489969397286d201b25706359e0862bb bfd-version.patch +f4eb21ee16f34d7d60f9dd2d6a45616a78e60c79ae40a2a691316ed73704f8a1 binutils-2.24-CVE-2014-8484.patch +8bab2ee0dba00bccf78f3a9fee492342c6d6e362b43bdebe20b5226bbc76d3e7 binutils-2.24-CVE-2014-8485.patch +15d8878af78a26bc7ff9e40312c3265d8172328d505c03d2429177c981ab4397 binutils-2.24-CVE-2014-8501.patch +cdd5bc44831eb58b00ae374e39102a24870ca14f0eb8c40fc18d94b89c14b3bd binutils-2.24-CVE-2014-8502.patch +03261cba91e0a93a71d1554660d7dadf0735f6ec358ca6ad1443eb66b92b45ae binutils-2.24-CVE-2014-8503.patch +47b092c472373d60655f1cde6d8f83dcf4e2ccdc818fb4c335b141ea2f472a02 binutils-2.24-CVE-2014-8504.patch +86fc02360f3c93ab73e2cc7df4f9516611220185fb543f9be4d87b10bc1d73f4 binutils-2.24-CVE-2014-8737.patch +51e116f55dd72ae8b8af6d8f9755ff557953857251e5490532840cca4a6fae51 binutils-2.24-CVE-2014-8738.patch" sha512sums="5ec95ad47d49b12c4558a8db0ca2109d3ee1955e3776057f3330c4506f8f4d1cf5e505fbf8a16b98403a0fcdeaaf986fe0a22be6456247dbdace63ce1f776b12 binutils-2.24.tar.bz2 ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch f7c2d19c4fce831d5f2791e4daadde70a1286bcf27074e24e635224fc9f39f47b6d95cbf2860eea1be1362f995e348fca0a0c2d9fe2d491dfe5d674c82f83bfb 02_fix-opcodes-configure-bfd-version-on-busybox-ash.patch -2fce2bbb667e643d090898d221f896ef7c192e858edbda3d460cb2067b130ce6d44730a47e332cae4c7bacf1a858dcc33715246fd209c7d98d2eda4aeb3f5b6c bfd-version.patch" +2fce2bbb667e643d090898d221f896ef7c192e858edbda3d460cb2067b130ce6d44730a47e332cae4c7bacf1a858dcc33715246fd209c7d98d2eda4aeb3f5b6c bfd-version.patch +e5b136a63c2c402c52dc07383cff0247560aedee541f05144ceba7aaa27ec5eeccf94cd6be36cc7389a597349f02277efff06465a3ae6ea4eecd3169f6794124 binutils-2.24-CVE-2014-8484.patch +df3d20083118fa7bd42d95356478af43cdf24d0ffd54aaefc11806bf7cfddd0c8a3d639846e6087b6a7134e6984894cb3044195babc47e48ac1899e4b8384a08 binutils-2.24-CVE-2014-8485.patch +87e56bd9a0d491465202ffac22c732e4c490186c78d366d90130db8ba9882bf0047782fd6873fd1585ce3a336dd75c4cdc830508baeb3e6ec52f1655e6743f21 binutils-2.24-CVE-2014-8501.patch +b1e89da52483df8b8156d9c778c22eda50c6c5d2838c89257ec3118f01895a60c47a3120f1a6e59e083490bcaa5c4baaf16ab41625a115b47254a7e4b62ae387 binutils-2.24-CVE-2014-8502.patch +ad9c2774c824d4eaf2c99e539786e740f71937aca9af043c05bec422367cc3461904d7c5ca37ba57dc9502170d2082759b1786e5b4024c67be7188632d6349f1 binutils-2.24-CVE-2014-8503.patch +c54400678d742a2033036c85ce062cce3b65a32be6656ce39921291d39ccb237fdd20dadf12c20982d372a7cec46d32b07fcaad845c0d1986fc388e7b773af12 binutils-2.24-CVE-2014-8504.patch +85de4bb4646d6b20872337ae452ab9c514661d998b9633e45b1e3d3f267adbc210f9ca35ae71e80f769fb033f2ff6fa8a7d06a7fbc72255076be4006c2e9abca binutils-2.24-CVE-2014-8737.patch +364efbd7f0e98f3796fce4cab8c54f67a2d410c7eb05cbf206aa72911ca7c904f8e5ca929b105a2a23bf0887026bee29086e32f522a39bce8c6547751895b8eb binutils-2.24-CVE-2014-8738.patch" diff --git a/main/binutils/binutils-2.24-CVE-2014-8484.patch b/main/binutils/binutils-2.24-CVE-2014-8484.patch new file mode 100644 index 0000000000..69a5e85064 --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8484.patch @@ -0,0 +1,31 @@ +--- binutils-2.24/bfd/srec.c 2013-11-04 16:33:37.000000000 +0100 ++++ binutils-2.24-1/bfd/srec.c 2014-10-24 21:46:38.973046641 +0200 +@@ -455,7 +455,7 @@ + { + file_ptr pos; + char hdr[3]; +- unsigned int bytes; ++ unsigned int bytes, min_bytes; + bfd_vma address; + bfd_byte *data; + unsigned char check_sum; +@@ -478,6 +478,19 @@ + } + + check_sum = bytes = HEX (hdr + 1); ++ min_bytes = 3; ++ if (hdr[0] == '2' || hdr[0] == '8') ++ min_bytes = 4; ++ else if (hdr[0] == '3' || hdr[0] == '7') ++ min_bytes = 5; ++ if (bytes < min_bytes) ++ { ++ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"), ++ abfd, lineno, bytes); ++ bfd_set_error (bfd_error_bad_value); ++ goto error_return; ++ } ++ + if (bytes * 2 > bufsize) + { + if (buf != NULL) diff --git a/main/binutils/binutils-2.24-CVE-2014-8485.patch b/main/binutils/binutils-2.24-CVE-2014-8485.patch new file mode 100644 index 0000000000..705c74835b --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8485.patch @@ -0,0 +1,70 @@ +diff --git a/bfd/elf.c b/bfd/elf.c +index c884d1d..c8ac826 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) + if (shdr->contents == NULL) + { + _bfd_error_handler +- (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); ++ (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); + bfd_set_error (bfd_error_bad_value); +- return FALSE; ++ -- num_group; ++ continue; + } + + memset (shdr->contents, 0, amt); +@@ -618,8 +619,17 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) + if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 + || (bfd_bread (shdr->contents, shdr->sh_size, abfd) + != shdr->sh_size)) +- return FALSE; +- ++ { ++ _bfd_error_handler ++ (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size); ++ bfd_set_error (bfd_error_bad_value); ++ -- num_group; ++ /* PR 17510: If the group contents are even partially ++ corrupt, do not allow any of the contents to be used. */ ++ memset (shdr->contents, 0, amt); ++ continue; ++ } ++ + /* Translate raw contents, a flag word followed by an + array of elf section indices all in target byte order, + to the flag word followed by an array of elf section +@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) + } + } + } ++ ++ /* PR 17510: Corrupt binaries might contain invalid groups. */ ++ if (num_group != (unsigned) elf_tdata (abfd)->num_group) ++ { ++ elf_tdata (abfd)->num_group = num_group; ++ ++ /* If all groups are invalid then fail. */ ++ if (num_group == 0) ++ { ++ elf_tdata (abfd)->group_sect_ptr = NULL; ++ elf_tdata (abfd)->num_group = num_group = -1; ++ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd); ++ bfd_set_error (bfd_error_bad_value); ++ } ++ } + } + } + +@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) + { + (*_bfd_error_handler) (_("%B: no group info for section %A"), + abfd, newsect); ++ return FALSE; + } + return TRUE; + } +-- +1.7.1 + diff --git a/main/binutils/binutils-2.24-CVE-2014-8501.patch b/main/binutils/binutils-2.24-CVE-2014-8501.patch new file mode 100644 index 0000000000..1312885854 --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8501.patch @@ -0,0 +1,26 @@ +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index 2fb631c..987be40 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -504,6 +504,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, + { + int idx; + ++ /* PR 17512: Corrupt PE binaries can cause seg-faults. */ ++ if (a->NumberOfRvaAndSizes > 16) ++ { ++ (*_bfd_error_handler) ++ (_("%B: aout header specifies an invalid number of data-directory entries: %d"), ++ abfd, a->NumberOfRvaAndSizes); ++ /* Paranoia: If the number is corrupt, then assume that the ++ actual entries themselves might be corrupt as well. */ ++ a->NumberOfRvaAndSizes = 0; ++ } ++ ++ + for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) + { + /* If data directory is empty, rva also should be 0. */ +-- +1.7.1 + diff --git a/main/binutils/binutils-2.24-CVE-2014-8502.patch b/main/binutils/binutils-2.24-CVE-2014-8502.patch new file mode 100644 index 0000000000..4cb1dd012e --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8502.patch @@ -0,0 +1,504 @@ +diff --git a/bfd/elf.c b/bfd/elf.c +index 4679268..48e1dca 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -1574,38 +1574,74 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + Elf_Internal_Ehdr *ehdr; + const struct elf_backend_data *bed; + const char *name; ++ bfd_boolean ret = TRUE; ++ static bfd_boolean * sections_being_created = NULL; ++ static bfd * sections_being_created_abfd = NULL; ++ static unsigned int nesting = 0; + + if (shindex >= elf_numsections (abfd)) + return FALSE; + ++ if (++ nesting > 3) ++ { ++ /* PR17512: A corrupt ELF binary might contain a recursive group of ++ sections, each the string indicies pointing to the next in the ++ loop. Detect this here, by refusing to load a section that we are ++ already in the process of loading. We only trigger this test if ++ we have nested at least three sections deep as normal ELF binaries ++ can expect to recurse at least once. ++ ++ FIXME: It would be better if this array was attached to the bfd, ++ rather than being held in a static pointer. */ ++ ++ if (sections_being_created_abfd != abfd) ++ sections_being_created = NULL; ++ if (sections_being_created == NULL) ++ { ++ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ ++ sections_being_created = (bfd_boolean *) ++ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); ++ sections_being_created_abfd = abfd; ++ } ++ if (sections_being_created [shindex]) ++ { ++ (*_bfd_error_handler) ++ (_("%B: warning: loop in section dependencies detected"), abfd); ++ return FALSE; ++ } ++ sections_being_created [shindex] = TRUE; ++ } ++ + hdr = elf_elfsections (abfd)[shindex]; + ehdr = elf_elfheader (abfd); + name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, + hdr->sh_name); + if (name == NULL) +- return FALSE; ++ goto fail; + + bed = get_elf_backend_data (abfd); + switch (hdr->sh_type) + { + case SHT_NULL: + /* Inactive section. Throw it away. */ +- return TRUE; ++ goto success; + +- case SHT_PROGBITS: /* Normal section with contents. */ +- case SHT_NOBITS: /* .bss section. */ +- case SHT_HASH: /* .hash section. */ +- case SHT_NOTE: /* .note section. */ ++ case SHT_PROGBITS: /* Normal section with contents. */ ++ case SHT_NOBITS: /* .bss section. */ ++ case SHT_HASH: /* .hash section. */ ++ case SHT_NOTE: /* .note section. */ + case SHT_INIT_ARRAY: /* .init_array section. */ + case SHT_FINI_ARRAY: /* .fini_array section. */ + case SHT_PREINIT_ARRAY: /* .preinit_array section. */ + case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ + case SHT_GNU_HASH: /* .gnu.hash section. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_DYNAMIC: /* Dynamic linking information. */ + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +- return FALSE; ++ goto fail; ++ + if (hdr->sh_link > elf_numsections (abfd)) + { + /* PR 10478: Accept Solaris binaries with a sh_link +@@ -1619,11 +1655,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + break; + /* Otherwise fall through. */ + default: +- return FALSE; ++ goto fail; + } + } + else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) +- return FALSE; ++ goto fail; + else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) + { + Elf_Internal_Shdr *dynsymhdr; +@@ -1652,24 +1688,26 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + } + } + } +- break; ++ goto success; + +- case SHT_SYMTAB: /* A symbol table */ ++ case SHT_SYMTAB: /* A symbol table. */ + if (elf_onesymtab (abfd) == shindex) +- return TRUE; ++ goto success; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +- return FALSE; ++ goto fail; ++ + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +- return FALSE; ++ goto fail; + /* Some assemblers erroneously set sh_info to one with a + zero sh_size. ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +- return TRUE; ++ goto success; + } ++ + BFD_ASSERT (elf_onesymtab (abfd) == 0); + elf_onesymtab (abfd) = shindex; + elf_tdata (abfd)->symtab_hdr = *hdr; +@@ -1686,7 +1724,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + && (abfd->flags & DYNAMIC) != 0 + && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, + shindex)) +- return FALSE; ++ goto fail; + + /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we + can't read symbols without that section loaded as well. It +@@ -1712,26 +1750,29 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + break; + } + if (i != shindex) +- return bfd_section_from_shdr (abfd, i); ++ ret = bfd_section_from_shdr (abfd, i); + } +- return TRUE; ++ goto success; + +- case SHT_DYNSYM: /* A dynamic symbol table */ ++ case SHT_DYNSYM: /* A dynamic symbol table. */ + if (elf_dynsymtab (abfd) == shindex) +- return TRUE; ++ goto success; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +- return FALSE; ++ goto fail; ++ + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +- return FALSE; ++ goto fail; ++ + /* Some linkers erroneously set sh_info to one with a + zero sh_size. ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +- return TRUE; ++ goto success; + } ++ + BFD_ASSERT (elf_dynsymtab (abfd) == 0); + elf_dynsymtab (abfd) = shindex; + elf_tdata (abfd)->dynsymtab_hdr = *hdr; +@@ -1740,34 +1781,38 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + + /* Besides being a symbol table, we also treat this as a regular + section, so that objcopy can handle it. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + +- case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */ ++ case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */ + if (elf_symtab_shndx (abfd) == shindex) +- return TRUE; ++ goto success; + + BFD_ASSERT (elf_symtab_shndx (abfd) == 0); + elf_symtab_shndx (abfd) = shindex; + elf_tdata (abfd)->symtab_shndx_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; +- return TRUE; ++ goto success; + +- case SHT_STRTAB: /* A string table */ ++ case SHT_STRTAB: /* A string table. */ + if (hdr->bfd_section != NULL) +- return TRUE; ++ goto success; ++ + if (ehdr->e_shstrndx == shindex) + { + elf_tdata (abfd)->shstrtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; +- return TRUE; ++ goto success; + } ++ + if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) + { + symtab_strtab: + elf_tdata (abfd)->strtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; +- return TRUE; ++ goto success; + } ++ + if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) + { + dynsymtab_strtab: +@@ -1776,8 +1821,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + elf_elfsections (abfd)[shindex] = hdr; + /* We also treat this as a regular section, so that objcopy + can handle it. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; + } + + /* If the string table isn't one of the above, then treat it as a +@@ -1795,9 +1841,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + { + /* Prevent endless recursion on broken objects. */ + if (i == shindex) +- return FALSE; ++ goto fail; + if (! bfd_section_from_shdr (abfd, i)) +- return FALSE; ++ goto fail; + if (elf_onesymtab (abfd) == i) + goto symtab_strtab; + if (elf_dynsymtab (abfd) == i) +@@ -1805,7 +1851,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + } + } + } +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_REL: + case SHT_RELA: +@@ -1820,7 +1867,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + if (hdr->sh_entsize + != (bfd_size_type) (hdr->sh_type == SHT_REL + ? bed->s->sizeof_rel : bed->s->sizeof_rela)) +- return FALSE; ++ goto fail; + + /* Check for a bogus link to avoid crashing. */ + if (hdr->sh_link >= num_sec) +@@ -1828,8 +1875,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + ((*_bfd_error_handler) + (_("%B: invalid link %lu for reloc section %s (index %u)"), + abfd, hdr->sh_link, name, shindex)); +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; + } + + /* For some incomprehensible reason Oracle distributes +@@ -1870,7 +1918,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB + || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) + && ! bfd_section_from_shdr (abfd, hdr->sh_link)) +- return FALSE; ++ goto fail; + + /* If this reloc section does not use the main symbol table we + don't treat it as a reloc section. BFD can't adequately +@@ -1885,14 +1933,18 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + || hdr->sh_info >= num_sec + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ { ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; ++ } + + if (! bfd_section_from_shdr (abfd, hdr->sh_info)) +- return FALSE; ++ goto fail; ++ + target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); + if (target_sect == NULL) +- return FALSE; ++ goto fail; + + esdt = elf_section_data (target_sect); + if (hdr->sh_type == SHT_RELA) +@@ -1904,7 +1956,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + amt = sizeof (*hdr2); + hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); + if (hdr2 == NULL) +- return FALSE; ++ goto fail; + *hdr2 = *hdr; + *p_hdr = hdr2; + elf_elfsections (abfd)[shindex] = hdr2; +@@ -1920,34 +1972,40 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + target_sect->use_rela_p = 1; + } + abfd->flags |= HAS_RELOC; +- return TRUE; ++ goto success; + } + + case SHT_GNU_verdef: + elf_dynverdef (abfd) = shindex; + elf_tdata (abfd)->dynverdef_hdr = *hdr; +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_GNU_versym: + if (hdr->sh_entsize != sizeof (Elf_External_Versym)) +- return FALSE; ++ goto fail; ++ + elf_dynversym (abfd) = shindex; + elf_tdata (abfd)->dynversym_hdr = *hdr; +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_GNU_verneed: + elf_dynverref (abfd) = shindex; + elf_tdata (abfd)->dynverref_hdr = *hdr; +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_SHLIB: +- return TRUE; ++ goto success; + + case SHT_GROUP: + if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) +- return FALSE; ++ goto fail; ++ + if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +- return FALSE; ++ goto fail; ++ + if (hdr->contents != NULL) + { + Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; +@@ -1973,7 +2031,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + } + } + } +- break; ++ goto success; + + default: + /* Possibly an attributes section. */ +@@ -1981,14 +2039,14 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + || hdr->sh_type == bed->obj_attrs_section_type) + { + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +- return FALSE; ++ goto fail; + _bfd_elf_parse_attributes (abfd, hdr); +- return TRUE; ++ goto success; + } + + /* Check for any processor-specific section types. */ + if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) +- return TRUE; ++ goto success; + + if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) + { +@@ -2000,9 +2058,12 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + "specific section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +- /* Allow sections reserved for applications. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ { ++ /* Allow sections reserved for applications. */ ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; ++ } + } + else if (hdr->sh_type >= SHT_LOPROC + && hdr->sh_type <= SHT_HIPROC) +@@ -2023,8 +2084,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + "`%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +- /* Otherwise it should be processed. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ { ++ /* Otherwise it should be processed. */ ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; ++ } + } + else + /* FIXME: We should handle this section. */ +@@ -2032,10 +2096,20 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + (_("%B: don't know how to handle section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + +- return FALSE; ++ goto fail; + } + +- return TRUE; ++ fail: ++ ret = FALSE; ++ success: ++ if (sections_being_created) ++ sections_being_created [shindex] = FALSE; ++ if (-- nesting == 0) ++ { ++ sections_being_created = NULL; ++ sections_being_created_abfd = abfd; ++ } ++ return ret; + } + + /* Return the local symbol specified by ABFD, R_SYMNDX. */ +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index b7b32b2..76bb4ae 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -1438,6 +1438,15 @@ pe_print_edata (bfd * abfd, void * vfile) + } + } + ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (datasize < 36) ++ { ++ fprintf (file, ++ _("\nThere is an export table in %s, but it is too small (%d)\n"), ++ section->name, (int) datasize); ++ return TRUE; ++ } ++ + fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), + section->name, (unsigned long) addr); + +@@ -1528,7 +1537,12 @@ pe_print_edata (bfd * abfd, void * vfile) + _("\nExport Address Table -- Ordinal Base %ld\n"), + edt.base); + +- for (i = 0; i < edt.num_functions; ++i) ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) ++ fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), ++ (long) edt.eat_addr, ++ (long) edt.num_functions); ++ else for (i = 0; i < edt.num_functions; ++i) + { + bfd_vma eat_member = bfd_get_32 (abfd, + data + edt.eat_addr + (i * 4) - adj); +@@ -1564,7 +1578,16 @@ pe_print_edata (bfd * abfd, void * vfile) + fprintf (file, + _("\n[Ordinal/Name Pointer] Table\n")); + +- for (i = 0; i < edt.num_names; ++i) ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) ++ fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), ++ (long) edt.npt_addr, ++ (long) edt.num_names); ++ else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) ++ fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), ++ (long) edt.ot_addr, ++ (long) edt.num_names); ++ else for (i = 0; i < edt.num_names; ++i) + { + bfd_vma name_ptr = bfd_get_32 (abfd, + data + diff --git a/main/binutils/binutils-2.24-CVE-2014-8503.patch b/main/binutils/binutils-2.24-CVE-2014-8503.patch new file mode 100644 index 0000000000..c889c695f7 --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8503.patch @@ -0,0 +1,16 @@ +diff --git a/bfd/ihex.c b/bfd/ihex.c +index 8d3590d..9b3b813 100644 +--- a/bfd/ihex.c ++++ b/bfd/ihex.c +@@ -321,7 +321,7 @@ ihex_scan (bfd *abfd) + { + if (! ISHEX (buf[i])) + { +- ihex_bad_byte (abfd, lineno, hdr[i], error); ++ ihex_bad_byte (abfd, lineno, buf[i], error); + goto error_return; + } + } +-- +1.7.1 + diff --git a/main/binutils/binutils-2.24-CVE-2014-8504.patch b/main/binutils/binutils-2.24-CVE-2014-8504.patch new file mode 100644 index 0000000000..6dc3d497e4 --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8504.patch @@ -0,0 +1,50 @@ +diff --git a/bfd/elf.c b/bfd/elf.c +index 3fcf2d8..949221f 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -629,7 +629,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) + memset (shdr->contents, 0, amt); + continue; + } +- ++ + /* Translate raw contents, a flag word followed by an + array of elf section indices all in target byte order, + to the flag word followed by an array of elf section +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index c7d6067..6129085 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -515,7 +515,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, + a->NumberOfRvaAndSizes = 0; + } + +- + for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) + { + /* If data directory is empty, rva also should be 0. */ +diff --git a/bfd/srec.c b/bfd/srec.c +index 9ed2080..5f9a546 100644 +--- a/bfd/srec.c ++++ b/bfd/srec.c +@@ -246,7 +246,7 @@ srec_bad_byte (bfd *abfd, + } + else + { +- char buf[10]; ++ char buf[40]; + + if (! ISPRINT (c)) + sprintf (buf, "\\%03o", (unsigned int) c); +@@ -452,7 +452,7 @@ srec_scan (bfd *abfd) + case 'S': + { + file_ptr pos; +- char hdr[3]; ++ unsigned char hdr[3]; + unsigned int bytes, min_bytes; + bfd_vma address; + bfd_byte *data; +-- +1.7.1 + diff --git a/main/binutils/binutils-2.24-CVE-2014-8737.patch b/main/binutils/binutils-2.24-CVE-2014-8737.patch new file mode 100644 index 0000000000..7fafa8daf9 --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8737.patch @@ -0,0 +1,128 @@ +diff --git a/binutils/ar.c b/binutils/ar.c +index ebd9528..117826d 100644 +--- a/binutils/ar.c ++++ b/binutils/ar.c +@@ -1034,6 +1034,15 @@ extract_file (bfd *abfd) + bfd_size_type size; + struct stat buf; + ++ /* PR binutils/17533: Do not allow directory traversal ++ outside of the current directory tree. */ ++ if (! is_valid_archive_path (bfd_get_filename (abfd))) ++ { ++ non_fatal (_("illegal pathname found in archive member: %s"), ++ bfd_get_filename (abfd)); ++ return; ++ } ++ + if (bfd_stat_arch_elt (abfd, &buf) != 0) + /* xgettext:c-format */ + fatal (_("internal stat error on %s"), bfd_get_filename (abfd)); +diff --git a/binutils/bucomm.c b/binutils/bucomm.c +index fd73070..b8deff5 100644 +--- a/binutils/bucomm.c ++++ b/binutils/bucomm.c +@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abfd) + bfd_get_filename (abfd)); + return buf; + } ++ ++/* Returns TRUE iff PATHNAME, a filename of an archive member, ++ is valid for writing. For security reasons absolute paths ++ and paths containing /../ are not allowed. See PR 17533. */ ++ ++bfd_boolean ++is_valid_archive_path (char const * pathname) ++{ ++ const char * n = pathname; ++ ++ if (IS_ABSOLUTE_PATH (n)) ++ return FALSE; ++ ++ while (*n) ++ { ++ if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n))) ++ return FALSE; ++ ++ while (*n && ! IS_DIR_SEPARATOR (*n)) ++ n++; ++ while (IS_DIR_SEPARATOR (*n)) ++ n++; ++ } ++ ++ return TRUE; ++} +diff --git a/binutils/bucomm.h b/binutils/bucomm.h +index a93c378..a71a8fb 100644 +--- a/binutils/bucomm.h ++++ b/binutils/bucomm.h +@@ -21,6 +21,8 @@ + #ifndef _BUCOMM_H + #define _BUCOMM_H + ++/* In bucomm.c. */ ++ + /* Return the filename in a static buffer. */ + const char *bfd_get_archive_filename (const bfd *); + +@@ -56,20 +58,22 @@ bfd_vma parse_vma (const char *, const char *); + + off_t get_file_size (const char *); + ++bfd_boolean is_valid_archive_path (char const *); ++ + extern char *program_name; + +-/* filemode.c */ ++/* In filemode.c. */ + void mode_string (unsigned long, char *); + +-/* version.c */ ++/* In version.c. */ + extern void print_version (const char *); + +-/* rename.c */ ++/* In rename.c. */ + extern void set_times (const char *, const struct stat *); + + extern int smart_rename (const char *, const char *, int); + +-/* libiberty. */ ++/* In libiberty. */ + void *xmalloc (size_t); + + void *xrealloc (void *, size_t); +diff --git a/binutils/doc/binutils.texi b/binutils/doc/binutils.texi +index eee77b1..39eb1d2 100644 +--- a/binutils/doc/binutils.texi ++++ b/binutils/doc/binutils.texi +@@ -234,7 +234,8 @@ a normal archive. Instead the elements of the first archive are added + individually to the second archive. + + The paths to the elements of the archive are stored relative to the +-archive itself. ++archive itself. For security reasons absolute paths and paths with a ++@code{/../} component are not allowed. + + @cindex compatibility, @command{ar} + @cindex @command{ar} compatibility +diff --git a/binutils/objcopy.c b/binutils/objcopy.c +index 3b353ad..8454bc6 100644 +--- a/binutils/objcopy.c ++++ b/binutils/objcopy.c +@@ -2295,6 +2295,12 @@ copy_archive (bfd *ibfd, bfd *obfd, const char *output_target, + bfd_boolean del = TRUE; + bfd_boolean ok_object; + ++ /* PR binutils/17533: Do not allow directory traversal ++ outside of the current directory tree by archive members. */ ++ if (! is_valid_archive_path (bfd_get_filename (this_element))) ++ fatal (_("illegal pathname found in archive member: %s"), ++ bfd_get_filename (this_element)); ++ + /* Create an output file for this member. */ + output_name = concat (dir, "/", + bfd_get_filename (this_element), (char *) 0); +-- +1.7.1 + diff --git a/main/binutils/binutils-2.24-CVE-2014-8738.patch b/main/binutils/binutils-2.24-CVE-2014-8738.patch new file mode 100644 index 0000000000..d671ed241b --- /dev/null +++ b/main/binutils/binutils-2.24-CVE-2014-8738.patch @@ -0,0 +1,48 @@ +diff --git a/bfd/archive.c b/bfd/archive.c +index 40a3395..b905213 100644 +--- a/bfd/archive.c ++++ b/bfd/archive.c +@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd) + amt = namedata->parsed_size; + if (amt + 1 == 0) + goto byebye; ++ /* PR binutils/17533: A corrupt archive can contain an invalid size. */ ++ if (amt > (bfd_size_type) bfd_get_size (abfd)) ++ goto byebye; + + bfd_ardata (abfd)->extended_names_size = amt; + bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1); +@@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd) + { + byebye: + free (namedata); ++ bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; + return FALSE; + } + +@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd) + if (bfd_get_error () != bfd_error_system_call) + bfd_set_error (bfd_error_malformed_archive); + bfd_release (abfd, (bfd_ardata (abfd)->extended_names)); +- bfd_ardata (abfd)->extended_names = NULL; + goto byebye; + } + +@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd) + text, the entries in the list are newline-padded, not null + padded. In SVR4-style archives, the names also have a + trailing '/'. DOS/NT created archive often have \ in them +- We'll fix all problems here.. */ ++ We'll fix all problems here. */ + { + char *ext_names = bfd_ardata (abfd)->extended_names; + char *temp = ext_names; + char *limit = temp + namedata->parsed_size; ++ + for (; temp < limit; ++temp) + { + if (*temp == ARFMAG[1]) +-- +1.7.1 + -- cgit v1.2.3