main/elfutils: security fixes #7160

3 files changed, 140 insertions, 2 deletions

diff --git a/main/elfutils/APKBUILD b/main/elfutils/APKBUILD
index 686813cdb4..7e3b2a0683 100644
--- a/main/elfutils/APKBUILD
+++ b/main/elfutils/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=elfutils
 pkgver=0.168
-pkgrel=0
+pkgrel=1
 pkgdesc="A collection of utilities and DSOs to handle ELF files and DWARF data"
 url="http://elfutils.org/"
 arch="all"
@@ -22,9 +22,16 @@ source="https://sourceware.org/elfutils/ftp/$pkgver/elfutils-$pkgver.tar.bz2
 	musl-qsort_r.patch
 	musl-strerror_r.patch
 	no-werror.patch
+	CVE-2017-7607.patch
+	CVE-2017-7608.patch
 	"
 builddir="$srcdir/elfutils-$pkgver"
 
+# secfixes:
+#   0.168-r1:
+#   - CVE-2017-7607
+#   - CVE-2017-7608
+
 prepare() {
 	cd "$builddir"
 	default_prepare || return 1
@@ -106,4 +113,6 @@ b9ba55e1b56a8abf694b6d02f022d9a3a0ae6ab53a8c4a71e49552e32411ef410d3a7512fbd1a729
 886ab23301f1872d94bcfc3590621196c811252c9a993738e5e480e666c7c3359f25e94c0e873c8fe16dc283e193dba0532a7ced3951e673185dcbb1d062b7c6  musl-macros.patch
 f025d6479c8782275090783ff4dd09eb70a7c3eec1126d3176c02d01124f22864d81e08cb96ac4d255e0316205658459b617f5b661b16dbaf1636591720605f4  musl-qsort_r.patch
 a0d986100c8ff2ef0595645ec1b2eeb1d517b7442aef5f349ebf27fcb66c76e51fadeda25bed5f04b4bb16a61aa23ac6e86a1f34a0087d2136acf0f64c3fa4d1  musl-strerror_r.patch
-26aff757de8c0c67ae7922888c4a842939fb9b4022f3d2fa916591b44921c109f74154175afd431a0e31cf7c876f6d4fbaae26ef283985ae98d96854ea02dce0  no-werror.patch"
+26aff757de8c0c67ae7922888c4a842939fb9b4022f3d2fa916591b44921c109f74154175afd431a0e31cf7c876f6d4fbaae26ef283985ae98d96854ea02dce0  no-werror.patch
+81c6f19ed3e39aa6f2437e2da09be2952627efccda4769cccdd2616c728205ecdac1ece8a97ead7614a528d161c3885a050980a07436de7bdbc6f2988b348784  CVE-2017-7607.patch
+20088019a3cb17d1d9155c421b20e47907d2bdbea31fdd0e469f02c03f8dfe1e7da5c29f0bb0a35be79470a40d7c2df92d2402e32b20d090526bb1f8a71e0707  CVE-2017-7608.patch"
diff --git a/main/elfutils/CVE-2017-7607.patch b/main/elfutils/CVE-2017-7607.patch
new file mode 100644
index 0000000000..b4af2fe3db
--- /dev/null
+++ b/main/elfutils/CVE-2017-7607.patch
@@ -0,0 +1,34 @@
+From: Mark Wielaard <mark at klomp dot org>
+To: elfutils-devel at sourceware dot org
+Cc: Mark Wielaard <mark at klomp dot org>
+Subject: [PATCH] readelf: Fix off by one sanity check in handle_gnu_hash.
+Date: Fri, 24 Mar 2017 12:15:02 +0100
+Message-Id: <1490354102-21353-1-git-send-email-mark@klomp.org>
+X-Mailer: git-send-email 1.8.3.1
+
+We sanity check to make sure we don't index outside the chain array
+by testing inner > max_nsyms. But inner is a zero-based index, while
+max_nsyms is the maximum number. Change the check to inner >= max_nsyms.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=21299
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/readelf.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 8d96ba3..490b6d5 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
+ 	    ++nsyms;
+ 	    if (maxlength < ++lengths[cnt])
+ 	      ++maxlength;
+-	    if (inner > max_nsyms)
++	    if (inner >= max_nsyms)
+ 	      goto invalid_data;
+ 	  }
+ 	while ((chain[inner++] & 1) == 0);
+-- 
+1.8.3.1
diff --git a/main/elfutils/CVE-2017-7608.patch b/main/elfutils/CVE-2017-7608.patch
new file mode 100644
index 0000000000..dc3223605b
--- /dev/null
+++ b/main/elfutils/CVE-2017-7608.patch
@@ -0,0 +1,95 @@
+From: Mark Wielaard <mark at klomp dot org>
+To: elfutils-devel at sourceware dot org
+Cc: Mark Wielaard <mark at klomp dot org>
+Subject: [PATCH] Use the empty string for note names with zero size (without any data).
+Date: Fri, 24 Mar 2017 14:10:26 +0100
+Message-Id: <1490361026-7608-1-git-send-email-mark@klomp.org>
+X-Mailer: git-send-email 1.8.3.1
+
+ELF notes can have a zero sized name. In which case there is no data at
+all (so also no zero terminator). Make sure to use the empty string for
+such notes if the code does not otherwise explicitly check n_namesz.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=21300
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libdwfl/linux-core-attach.c | 9 ++++++---
+ src/elfcmp.c                | 6 ++++--
+ src/readelf.c               | 2 +-
+ 5 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
+index 93d0e46..f82ed03 100644
+--- a/libdwfl/linux-core-attach.c
++++ b/libdwfl/linux-core-attach.c
+@@ -125,7 +125,8 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
+ 							  &desc_offset)) > 0)
+     {
+       /* Do not check NAME for now, help broken Linux kernels.  */
+-      const char *name = note_data->d_buf + name_offset;
++      const char *name = (nhdr.n_namesz == 0
++			  ? "" : note_data->d_buf + name_offset);
+       const char *desc = note_data->d_buf + desc_offset;
+       GElf_Word regs_offset;
+       size_t nregloc;
+@@ -178,7 +179,8 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
+   /* __libdwfl_attach_state_for_core already verified the note is there.  */
+   assert (getnote_err != 0);
+   /* Do not check NAME for now, help broken Linux kernels.  */
+-  const char *name = note_data->d_buf + name_offset;
++  const char *name = (nhdr.n_namesz == 0
++		      ? "" : note_data->d_buf + name_offset);
+   const char *desc = note_data->d_buf + desc_offset;
+   GElf_Word regs_offset;
+   size_t nregloc;
+@@ -367,7 +369,8 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
+ 				    &nhdr, &name_offset, &desc_offset)) > 0)
+     {
+       /* Do not check NAME for now, help broken Linux kernels.  */
+-      const char *name = note_data->d_buf + name_offset;
++      const char *name = (nhdr.n_namesz == 0
++			  ? "" : note_data->d_buf + name_offset);
+       const char *desc = note_data->d_buf + desc_offset;
+       GElf_Word regs_offset;
+       size_t nregloc;
+ 
+diff --git a/src/elfcmp.c b/src/elfcmp.c
+index 7673cf2..5046420 100644
+--- a/src/elfcmp.c
++++ b/src/elfcmp.c
+@@ -419,7 +419,8 @@ main (int argc, char *argv[])
+ 		   && (off1 = gelf_getnote (data1, off1, &note1,
+ 					    &name_offset, &desc_offset)) > 0)
+ 	      {
+-		const char *name1 = data1->d_buf + name_offset;
++		const char *name1 = (note1.n_namesz == 0
++				     ? "" : data1->d_buf + name_offset);
+ 		const void *desc1 = data1->d_buf + desc_offset;
+ 		if (off2 >= data2->d_size)
+ 		  {
+@@ -435,7 +436,8 @@ main (int argc, char *argv[])
+ 		  error (2, 0, gettext ("\
+ cannot read note section [%zu] '%s' in '%s': %s"),
+ 			 elf_ndxscn (scn2), sname2, fname2, elf_errmsg (-1));
+-		const char *name2 = data2->d_buf + name_offset;
++		const char *name2 = (note2.n_namesz == 0
++				     ? "" : data2->d_buf + name_offset);
+ 		const void *desc2 = data2->d_buf + desc_offset;
+ 
+ 		if (note1.n_namesz != note2.n_namesz
+diff --git a/src/readelf.c b/src/readelf.c
+index 490b6d5..97a43b0 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -9365,7 +9365,7 @@ handle_notes_data (Ebl *ebl, const GElf_Ehdr *ehdr,
+ 	 && (offset = gelf_getnote (data, offset,
+ 				    &nhdr, &name_offset, &desc_offset)) > 0)
+     {
+-      const char *name = data->d_buf + name_offset;
++      const char *name = nhdr.n_namesz == 0 ? "" : data->d_buf + name_offset;
+       const char *desc = data->d_buf + desc_offset;
+ 
+       char buf[100];
+-- 
+1.8.3.1