diff --git a/binutils-CVE-2019-9075.patch b/binutils-CVE-2019-9075.patch new file mode 100644 index 0000000..ec3e8ca --- /dev/null +++ b/binutils-CVE-2019-9075.patch @@ -0,0 +1,73 @@ +diff -rup binutils.orig/bfd/archive64.c binutils-2.31.1/bfd/archive64.c +--- binutils.orig/bfd/archive64.c 2019-02-26 11:17:11.882530151 +0000 ++++ binutils-2.31.1/bfd/archive64.c 2019-02-26 11:19:18.422488805 +0000 +@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab + return FALSE; + carsyms = ardata->symdefs; + stringbase = ((char *) ardata->symdefs) + carsym_size; +- stringbase[stringsize] = 0; +- stringend = stringbase + stringsize; + + raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); + if (raw_armap == NULL) +@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab + goto release_raw_armap; + } + ++ stringend = stringbase + stringsize; ++ *stringend = 0; + for (i = 0; i < nsymz; i++) + { + carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); + carsyms->name = stringbase; +- if (stringbase < stringend) +- stringbase += strlen (stringbase) + 1; ++ stringbase += strlen (stringbase); ++ if (stringbase != stringend) ++ ++stringbase; + ++carsyms; + } +- *stringbase = '\0'; + + ardata->symdef_count = nsymz; + ardata->first_file_filepos = bfd_tell (abfd); +diff -rup binutils.orig/bfd/archive.c binutils-2.31.1/bfd/archive.c +--- binutils.orig/bfd/archive.c 2019-02-26 11:17:11.884530134 +0000 ++++ binutils-2.31.1/bfd/archive.c 2019-02-26 11:18:33.354859687 +0000 +@@ -1014,6 +1014,7 @@ do_slurp_coff_armap (bfd *abfd) + int *raw_armap, *rawptr; + struct artdata *ardata = bfd_ardata (abfd); + char *stringbase; ++ char *stringend; + bfd_size_type stringsize; + bfd_size_type parsed_size; + carsym *carsyms; +@@ -1073,22 +1074,20 @@ do_slurp_coff_armap (bfd *abfd) + } + + /* OK, build the carsyms. */ +- for (i = 0; i < nsymz && stringsize > 0; i++) ++ stringend = stringbase + stringsize; ++ *stringend = 0; ++ for (i = 0; i < nsymz; i++) + { + bfd_size_type len; + + rawptr = raw_armap + i; + carsyms->file_offset = swap ((bfd_byte *) rawptr); + carsyms->name = stringbase; +- /* PR 17512: file: 4a1d50c1. */ +- len = strnlen (stringbase, stringsize); +- if (len < stringsize) +- len ++; +- stringbase += len; +- stringsize -= len; ++ stringbase += strlen (stringbase); ++ if (stringbase != stringend) ++ ++stringbase; + carsyms++; + } +- *stringbase = 0; + + ardata->symdef_count = nsymz; + ardata->first_file_filepos = bfd_tell (abfd); diff --git a/binutils.spec b/binutils.spec index 967b7fa..0790e00 100644 --- a/binutils.spec +++ b/binutils.spec @@ -75,7 +75,7 @@ Summary: A GNU collection of binary utilities Name: %{?cross}binutils%{?_with_debug:-debug} Version: 2.32 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv3+ URL: https://sourceware.org/binutils @@ -180,6 +180,10 @@ Patch14: binutils-CVE-2019-9073.patch # Lifetime: Fixed in 2.33 Patch15: binutils-CVE-2019-9074.patch +# Purpose: Stop illegal memory access parsing corrupt archives. +# Lifetime: Fixed in 2.33 +Patch16: binutils-CVE-2019-9075.patch + #---------------------------------------------------------------------------- Provides: bundled(libiberty) @@ -313,6 +317,7 @@ using libelf instead of BFD. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 # We cannot run autotools as there is an exact requirement of autoconf-2.59. # FIXME - this is no longer true. Maybe try reinstating autotool use ? @@ -714,6 +719,9 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Tue Feb 26 2019 Nick Clifton - 2.32-5 +- Stop potential illegal memory access when parsing corrupt archives. (#1680670) + * Mon Feb 25 2019 Nick Clifton - 2.32-4 - Stop potential illegal memory access when parsing corrupt PE files. (#1680682)