From e6866032366ba749f1255724e6ef1114058e9390 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B6ren=20Tempel?= Date: Mon, 7 Jan 2019 09:16:55 +0100 Subject: main/elfutils: security fix for CVE-2018-18310 --- main/elfutils/APKBUILD | 6 +++-- main/elfutils/CVE-2018-18310.patch | 53 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 main/elfutils/CVE-2018-18310.patch diff --git a/main/elfutils/APKBUILD b/main/elfutils/APKBUILD index 2f962d5426..be8a28fd47 100644 --- a/main/elfutils/APKBUILD +++ b/main/elfutils/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=elfutils pkgver=0.168 -pkgrel=1 +pkgrel=2 pkgdesc="A collection of utilities and DSOs to handle ELF files and DWARF data" url="http://elfutils.org/" arch="all" @@ -24,6 +24,7 @@ source="https://sourceware.org/elfutils/ftp/$pkgver/elfutils-$pkgver.tar.bz2 no-werror.patch CVE-2017-7607.patch CVE-2017-7608.patch + CVE-2018-18310.patch " builddir="$srcdir/elfutils-$pkgver" @@ -115,4 +116,5 @@ f025d6479c8782275090783ff4dd09eb70a7c3eec1126d3176c02d01124f22864d81e08cb96ac4d2 a0d986100c8ff2ef0595645ec1b2eeb1d517b7442aef5f349ebf27fcb66c76e51fadeda25bed5f04b4bb16a61aa23ac6e86a1f34a0087d2136acf0f64c3fa4d1 musl-strerror_r.patch 26aff757de8c0c67ae7922888c4a842939fb9b4022f3d2fa916591b44921c109f74154175afd431a0e31cf7c876f6d4fbaae26ef283985ae98d96854ea02dce0 no-werror.patch 81c6f19ed3e39aa6f2437e2da09be2952627efccda4769cccdd2616c728205ecdac1ece8a97ead7614a528d161c3885a050980a07436de7bdbc6f2988b348784 CVE-2017-7607.patch -20088019a3cb17d1d9155c421b20e47907d2bdbea31fdd0e469f02c03f8dfe1e7da5c29f0bb0a35be79470a40d7c2df92d2402e32b20d090526bb1f8a71e0707 CVE-2017-7608.patch" +20088019a3cb17d1d9155c421b20e47907d2bdbea31fdd0e469f02c03f8dfe1e7da5c29f0bb0a35be79470a40d7c2df92d2402e32b20d090526bb1f8a71e0707 CVE-2017-7608.patch +f8654b29eea3777f0a1c752ec927a09163dc711ad52520e01b64e5976f2943b7141868cbe4ce4b8af8cc2fbfba4a98e8d4840d605067186532f4142298c1fc73 CVE-2018-18310.patch" diff --git a/main/elfutils/CVE-2018-18310.patch b/main/elfutils/CVE-2018-18310.patch new file mode 100644 index 0000000000..e6078116f8 --- /dev/null +++ b/main/elfutils/CVE-2018-18310.patch @@ -0,0 +1,53 @@ +From b6e1a48cca51aa246cba78e99f7e2dfa200b9d26 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sun, 14 Oct 2018 16:45:48 +0200 +Subject: [PATCH] libdwfl: Sanity check partial core file data reads. + +There were two issues when reading note data from a core file. +We didn't check if the data we already had in a buffer was big +enough. And if we did get the data, we should check if we got +everything, or just a part of the data. + +https://sourceware.org/bugzilla/show_bug.cgi?id=23752 + +Signed-off-by: Mark Wielaard +--- + libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c +index 36e5c823..87498846 100644 +--- a/libdwfl/dwfl_segment_report_module.c ++++ b/libdwfl/dwfl_segment_report_module.c +@@ -1,5 +1,5 @@ + /* Sniff out modules from ELF headers visible in memory segments. +- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. ++ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. + This file is part of elfutils. + + This file is free software; you can redistribute it and/or modify +@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + inline bool read_portion (void **data, size_t *data_size, + GElf_Addr vaddr, size_t filesz) + { +- if (vaddr - start + filesz > buffer_available ++ /* Check whether we will have to read the segment data, or if it ++ can be returned from the existing buffer. */ ++ if (filesz > buffer_available ++ || vaddr - start > buffer_available - filesz + /* If we're in string mode, then don't consider the buffer we have + sufficient unless it contains the terminator of the string. */ + || (filesz == 0 && memchr (vaddr - start + buffer, '\0', +@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + if (read_portion (&data, &data_size, vaddr, filesz)) + return; + ++ /* data_size will be zero if we got everything from the initial ++ buffer, otherwise it will be the size of the new buffer that ++ could be read. */ ++ if (data_size != 0) ++ filesz = data_size; ++ + assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); + + void *notes; -- cgit v1.2.3