[avr-binutils/f20] fix directory traversal vulnerability (#1162657)
Michal Hlavinka
mhlavink at fedoraproject.org
Wed Nov 12 12:18:50 UTC 2014
commit 57c14712bafe60d7cacd75443aa46986b4de253f
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Wed Nov 12 13:18:42 2014 +0100
fix directory traversal vulnerability (#1162657)
- fix CVE-2014-8501: out-of-bounds write when parsing specially crafted PE executable
- fix CVE-2014-8502: heap overflow in objdump
- fix CVE-2014-8503: stack overflow in objdump when parsing specially crafted ihex file
- fix CVE-2014-8504: stack overflow in the SREC parser
avr-binutils.spec | 23 ++-
binutils-2.24-cve_2014_8501.patch | 40 +++
binutils-2.24-cve_2014_8502a.patch | 84 ++++++
binutils-2.24-cve_2014_8502pre.patch | 499 ++++++++++++++++++++++++++++++++++
binutils-2.24-cve_2014_8503.patch | 27 ++
binutils-2.24-cve_2014_8504.patch | 33 +++
binutils-2.24-dirtravel.patch | 150 ++++++++++
7 files changed, 854 insertions(+), 2 deletions(-)
---
diff --git a/avr-binutils.spec b/avr-binutils.spec
index da33aa0..55b0287 100644
--- a/avr-binutils.spec
+++ b/avr-binutils.spec
@@ -2,8 +2,8 @@
Name: %{target}-binutils
Version: 2.24
-Release: 1%{?dist}
-Epoch: 1
+Release: 2%{?dist}
+Epoch: 1
Summary: Cross Compiling GNU binutils targeted at %{target}
Group: Development/Tools
License: GPLv2+
@@ -12,6 +12,12 @@ Source0: ftp://ftp.gnu.org/pub/gnu/binutils/binutils-%{version}.tar.bz2
Source1: README.fedora
#add widespread options to avr-size: --format=avr -mcu=XX
Patch1: http://distribute.atmel.no/tools/opensource/avr-gcc/binutils-2.20.1/30-binutils-2.20.1-avr-size.patch
+Patch2: binutils-2.24-cve_2014_8501.patch
+Patch3: binutils-2.24-cve_2014_8502pre.patch
+Patch4: binutils-2.24-cve_2014_8502a.patch
+Patch5: binutils-2.24-cve_2014_8503.patch
+Patch6: binutils-2.24-cve_2014_8504.patch
+Patch7: binutils-2.24-dirtravel.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u} -n)
BuildRequires: gawk texinfo
@@ -29,6 +35,12 @@ native %{_arch} platform.
%setup -q -c
pushd binutils-%{version}
%patch1 -p0 -b .avr-size
+%patch2 -p1 -b .cve_2014_8501
+%patch3 -p1 -b .cve_2014_8502pre
+%patch4 -p1 -b .cve_2014_8502
+%patch5 -p1 -b .cve_2014_8503
+%patch6 -p2 -b .cve_2014_8504
+%patch7 -p1 -b .dirtravel
popd
cp %{SOURCE1} .
@@ -70,6 +82,13 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Nov 12 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.24-2
+- fix directory traversal vulnerability (#1162657)
+- fix CVE-2014-8501: out-of-bounds write when parsing specially crafted PE executable
+- fix CVE-2014-8502: heap overflow in objdump
+- fix CVE-2014-8503: stack overflow in objdump when parsing specially crafted ihex file
+- fix CVE-2014-8504: stack overflow in the SREC parser
+
* Wed Aug 13 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.24-1
- updated to 2.24
diff --git a/binutils-2.24-cve_2014_8501.patch b/binutils-2.24-cve_2014_8501.patch
new file mode 100644
index 0000000..8ee4ee5
--- /dev/null
+++ b/binutils-2.24-cve_2014_8501.patch
@@ -0,0 +1,40 @@
+From 7e1e19887abd24aeb15066b141cdff5541e0ec8e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Mon, 27 Oct 2014 14:45:06 +0000
+Subject: [PATCH] Fix a seg-fault in strings and other binutuils when parsing a corrupt PE
+ executable with an invalid value in the NumberOfRvaAndSizes field of the
+ AOUT header.
+
+ PR binutils/17512
+ * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
+ with an invalid value for NumberOfRvaAndSizes.
+---
+ bfd/peXXigen.c | 12 ++++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 2fb631c..987be40 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -504,6 +504,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
+ {
+ int idx;
+
++ /* PR 17512: Corrupt PE binaries can cause seg-faults. */
++ if (a->NumberOfRvaAndSizes > 16)
++ {
++ (*_bfd_error_handler)
++ (_("%B: aout header specifies an invalid number of data-directory entries: %d"),
++ abfd, a->NumberOfRvaAndSizes);
++ /* Paranoia: If the number is corrupt, then assume that the
++ actual entries themselves might be corrupt as well. */
++ a->NumberOfRvaAndSizes = 0;
++ }
++
++
+ for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
+ {
+ /* If data directory is empty, rva also should be 0. */
+--
+1.7.1
+
diff --git a/binutils-2.24-cve_2014_8502a.patch b/binutils-2.24-cve_2014_8502a.patch
new file mode 100644
index 0000000..d21fbda
--- /dev/null
+++ b/binutils-2.24-cve_2014_8502a.patch
@@ -0,0 +1,84 @@
+From 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Tue, 28 Oct 2014 15:42:56 +0000
+Subject: [PATCH] More fixes for corrupt binaries crashing the binutils.
+
+ PR binutils/17512
+ * elf.c (bfd_section_from_shdr): Allocate and free the recursion
+ detection table on a per-bfd basis.
+ * peXXigen.c (pe_print_edata): Handle binaries with a truncated
+ export table.
+---
+ bfd/elf.c | 16 +++++++++++++---
+ bfd/peXXigen.c | 9 +++++++++
+ 3 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 949221f..b5fc84b 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -1580,6 +1580,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ const char *name;
+ bfd_boolean ret = TRUE;
+ static bfd_boolean * sections_being_created = NULL;
++ static bfd * sections_being_created_abfd = NULL;
+ static unsigned int nesting = 0;
+
+ if (shindex >= elf_numsections (abfd))
+@@ -1592,13 +1593,19 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ loop. Detect this here, by refusing to load a section that we are
+ already in the process of loading. We only trigger this test if
+ we have nested at least three sections deep as normal ELF binaries
+- can expect to recurse at least once. */
+-
++ can expect to recurse at least once.
++
++ FIXME: It would be better if this array was attached to the bfd,
++ rather than being held in a static pointer. */
++
++ if (sections_being_created_abfd != abfd)
++ sections_being_created = NULL;
+ if (sections_being_created == NULL)
+ {
+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
+ sections_being_created = (bfd_boolean *)
+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ sections_being_created_abfd = abfd;
+ }
+ if (sections_being_created [shindex])
+ {
+@@ -2102,7 +2109,10 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ if (sections_being_created)
+ sections_being_created [shindex] = FALSE;
+ if (-- nesting == 0)
+- sections_being_created = NULL;
++ {
++ sections_being_created = NULL;
++ sections_being_created_abfd = abfd;
++ }
+ return ret;
+ }
+
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 6129085..1a5cb31 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -1611,6 +1611,15 @@ pe_print_edata (bfd * abfd, void * vfile)
+ }
+ }
+
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (datasize < 36)
++ {
++ fprintf (file,
++ _("\nThere is an export table in %s, but it is too small (%d)\n"),
++ section->name, (int) datasize);
++ return TRUE;
++ }
++
+ fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+ section->name, (unsigned long) addr);
+
+--
+1.7.1
+
diff --git a/binutils-2.24-cve_2014_8502pre.patch b/binutils-2.24-cve_2014_8502pre.patch
new file mode 100644
index 0000000..df505da
--- /dev/null
+++ b/binutils-2.24-cve_2014_8502pre.patch
@@ -0,0 +1,499 @@
+From bf67003b4567600ed3022a439207ac8f26454f91 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Mon, 27 Oct 2014 18:05:37 +0000
+Subject: [PATCH] This fixes more seg-faults in tools like "strings" and "objdump" when
+ presented with corrupt binaries.
+
+ PR binutils/17512
+ * elf.c (bfd_section_from_shdr): Detect and warn about ELF
+ binaries with a group of sections linked by the string table
+ indicies.
+ * peXXigen.c (pe_print_edata): Detect out of range rvas and
+ entry counts for the Export Address table, Name Pointer table
+ and Ordinal table.
+---
+ bfd/elf.c | 194 +++++++++++++++++++++++++++++++++++++-------------------
+ bfd/peXXigen.c | 18 +++++-
+ 3 files changed, 150 insertions(+), 67 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index c8ac826..3fcf2d8 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -1578,38 +1578,67 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ Elf_Internal_Ehdr *ehdr;
+ const struct elf_backend_data *bed;
+ const char *name;
++ bfd_boolean ret = TRUE;
++ static bfd_boolean * sections_being_created = NULL;
++ static unsigned int nesting = 0;
+
+ if (shindex >= elf_numsections (abfd))
+ return FALSE;
+
++ if (++ nesting > 3)
++ {
++ /* PR17512: A corrupt ELF binary might contain a recursive group of
++ sections, each the string indicies pointing to the next in the
++ loop. Detect this here, by refusing to load a section that we are
++ already in the process of loading. We only trigger this test if
++ we have nested at least three sections deep as normal ELF binaries
++ can expect to recurse at least once. */
++
++ if (sections_being_created == NULL)
++ {
++ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
++ sections_being_created = (bfd_boolean *)
++ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ }
++ if (sections_being_created [shindex])
++ {
++ (*_bfd_error_handler)
++ (_("%B: warning: loop in section dependencies detected"), abfd);
++ return FALSE;
++ }
++ sections_being_created [shindex] = TRUE;
++ }
++
+ hdr = elf_elfsections (abfd)[shindex];
+ ehdr = elf_elfheader (abfd);
+ name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx,
+ hdr->sh_name);
+ if (name == NULL)
+- return FALSE;
++ goto fail;
+
+ bed = get_elf_backend_data (abfd);
+ switch (hdr->sh_type)
+ {
+ case SHT_NULL:
+ /* Inactive section. Throw it away. */
+- return TRUE;
++ goto success;
+
+- case SHT_PROGBITS: /* Normal section with contents. */
+- case SHT_NOBITS: /* .bss section. */
+- case SHT_HASH: /* .hash section. */
+- case SHT_NOTE: /* .note section. */
++ case SHT_PROGBITS: /* Normal section with contents. */
++ case SHT_NOBITS: /* .bss section. */
++ case SHT_HASH: /* .hash section. */
++ case SHT_NOTE: /* .note section. */
+ case SHT_INIT_ARRAY: /* .init_array section. */
+ case SHT_FINI_ARRAY: /* .fini_array section. */
+ case SHT_PREINIT_ARRAY: /* .preinit_array section. */
+ case SHT_GNU_LIBLIST: /* .gnu.liblist section. */
+ case SHT_GNU_HASH: /* .gnu.hash section. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_DYNAMIC: /* Dynamic linking information. */
+ if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+- return FALSE;
++ goto fail;
++
+ if (hdr->sh_link > elf_numsections (abfd))
+ {
+ /* PR 10478: Accept Solaris binaries with a sh_link
+@@ -1623,11 +1652,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ break;
+ /* Otherwise fall through. */
+ default:
+- return FALSE;
++ goto fail;
+ }
+ }
+ else if (elf_elfsections (abfd)[hdr->sh_link] == NULL)
+- return FALSE;
++ goto fail;
+ else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
+ {
+ Elf_Internal_Shdr *dynsymhdr;
+@@ -1656,24 +1685,26 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ }
+ }
+ }
+- break;
++ goto success;
+
+- case SHT_SYMTAB: /* A symbol table */
++ case SHT_SYMTAB: /* A symbol table. */
+ if (elf_onesymtab (abfd) == shindex)
+- return TRUE;
++ goto success;
+
+ if (hdr->sh_entsize != bed->s->sizeof_sym)
+- return FALSE;
++ goto fail;
++
+ if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
+ {
+ if (hdr->sh_size != 0)
+- return FALSE;
++ goto fail;
+ /* Some assemblers erroneously set sh_info to one with a
+ zero sh_size. ld sees this as a global symbol count
+ of (unsigned) -1. Fix it here. */
+ hdr->sh_info = 0;
+- return TRUE;
++ goto success;
+ }
++
+ BFD_ASSERT (elf_onesymtab (abfd) == 0);
+ elf_onesymtab (abfd) = shindex;
+ elf_tdata (abfd)->symtab_hdr = *hdr;
+@@ -1690,7 +1721,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ && (abfd->flags & DYNAMIC) != 0
+ && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+ shindex))
+- return FALSE;
++ goto fail;
+
+ /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
+ can't read symbols without that section loaded as well. It
+@@ -1716,26 +1747,29 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ break;
+ }
+ if (i != shindex)
+- return bfd_section_from_shdr (abfd, i);
++ ret = bfd_section_from_shdr (abfd, i);
+ }
+- return TRUE;
++ goto success;
+
+- case SHT_DYNSYM: /* A dynamic symbol table */
++ case SHT_DYNSYM: /* A dynamic symbol table. */
+ if (elf_dynsymtab (abfd) == shindex)
+- return TRUE;
++ goto success;
+
+ if (hdr->sh_entsize != bed->s->sizeof_sym)
+- return FALSE;
++ goto fail;
++
+ if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
+ {
+ if (hdr->sh_size != 0)
+- return FALSE;
++ goto fail;
++
+ /* Some linkers erroneously set sh_info to one with a
+ zero sh_size. ld sees this as a global symbol count
+ of (unsigned) -1. Fix it here. */
+ hdr->sh_info = 0;
+- return TRUE;
++ goto success;
+ }
++
+ BFD_ASSERT (elf_dynsymtab (abfd) == 0);
+ elf_dynsymtab (abfd) = shindex;
+ elf_tdata (abfd)->dynsymtab_hdr = *hdr;
+@@ -1744,34 +1778,38 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+
+ /* Besides being a symbol table, we also treat this as a regular
+ section, so that objcopy can handle it. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+- case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */
++ case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */
+ if (elf_symtab_shndx (abfd) == shindex)
+- return TRUE;
++ goto success;
+
+ BFD_ASSERT (elf_symtab_shndx (abfd) == 0);
+ elf_symtab_shndx (abfd) = shindex;
+ elf_tdata (abfd)->symtab_shndx_hdr = *hdr;
+ elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr;
+- return TRUE;
++ goto success;
+
+- case SHT_STRTAB: /* A string table */
++ case SHT_STRTAB: /* A string table. */
+ if (hdr->bfd_section != NULL)
+- return TRUE;
++ goto success;
++
+ if (ehdr->e_shstrndx == shindex)
+ {
+ elf_tdata (abfd)->shstrtab_hdr = *hdr;
+ elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr;
+- return TRUE;
++ goto success;
+ }
++
+ if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex)
+ {
+ symtab_strtab:
+ elf_tdata (abfd)->strtab_hdr = *hdr;
+ elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr;
+- return TRUE;
++ goto success;
+ }
++
+ if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex)
+ {
+ dynsymtab_strtab:
+@@ -1780,8 +1818,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ elf_elfsections (abfd)[shindex] = hdr;
+ /* We also treat this as a regular section, so that objcopy
+ can handle it. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
+ }
+
+ /* If the string table isn't one of the above, then treat it as a
+@@ -1799,9 +1838,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ {
+ /* Prevent endless recursion on broken objects. */
+ if (i == shindex)
+- return FALSE;
++ goto fail;
+ if (! bfd_section_from_shdr (abfd, i))
+- return FALSE;
++ goto fail;
+ if (elf_onesymtab (abfd) == i)
+ goto symtab_strtab;
+ if (elf_dynsymtab (abfd) == i)
+@@ -1809,7 +1848,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ }
+ }
+ }
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_REL:
+ case SHT_RELA:
+@@ -1824,7 +1864,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ if (hdr->sh_entsize
+ != (bfd_size_type) (hdr->sh_type == SHT_REL
+ ? bed->s->sizeof_rel : bed->s->sizeof_rela))
+- return FALSE;
++ goto fail;
+
+ /* Check for a bogus link to avoid crashing. */
+ if (hdr->sh_link >= num_sec)
+@@ -1832,8 +1872,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ ((*_bfd_error_handler)
+ (_("%B: invalid link %lu for reloc section %s (index %u)"),
+ abfd, hdr->sh_link, name, shindex));
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
+ }
+
+ /* For some incomprehensible reason Oracle distributes
+@@ -1874,7 +1915,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
+ || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
+ && ! bfd_section_from_shdr (abfd, hdr->sh_link))
+- return FALSE;
++ goto fail;
+
+ /* If this reloc section does not use the main symbol table we
+ don't treat it as a reloc section. BFD can't adequately
+@@ -1889,14 +1930,18 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ || hdr->sh_info >= num_sec
+ || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
+ || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ {
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
++ }
+
+ if (! bfd_section_from_shdr (abfd, hdr->sh_info))
+- return FALSE;
++ goto fail;
++
+ target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
+ if (target_sect == NULL)
+- return FALSE;
++ goto fail;
+
+ esdt = elf_section_data (target_sect);
+ if (hdr->sh_type == SHT_RELA)
+@@ -1908,7 +1953,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ amt = sizeof (*hdr2);
+ hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
+ if (hdr2 == NULL)
+- return FALSE;
++ goto fail;
+ *hdr2 = *hdr;
+ *p_hdr = hdr2;
+ elf_elfsections (abfd)[shindex] = hdr2;
+@@ -1924,34 +1969,40 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ target_sect->use_rela_p = 1;
+ }
+ abfd->flags |= HAS_RELOC;
+- return TRUE;
++ goto success;
+ }
+
+ case SHT_GNU_verdef:
+ elf_dynverdef (abfd) = shindex;
+ elf_tdata (abfd)->dynverdef_hdr = *hdr;
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_GNU_versym:
+ if (hdr->sh_entsize != sizeof (Elf_External_Versym))
+- return FALSE;
++ goto fail;
++
+ elf_dynversym (abfd) = shindex;
+ elf_tdata (abfd)->dynversym_hdr = *hdr;
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_GNU_verneed:
+ elf_dynverref (abfd) = shindex;
+ elf_tdata (abfd)->dynverref_hdr = *hdr;
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
+
+ case SHT_SHLIB:
+- return TRUE;
++ goto success;
+
+ case SHT_GROUP:
+ if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE))
+- return FALSE;
++ goto fail;
++
+ if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+- return FALSE;
++ goto fail;
++
+ if (hdr->contents != NULL)
+ {
+ Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
+@@ -1977,7 +2028,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ }
+ }
+ }
+- break;
++ goto success;
+
+ default:
+ /* Possibly an attributes section. */
+@@ -1985,14 +2036,14 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ || hdr->sh_type == bed->obj_attrs_section_type)
+ {
+ if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
+- return FALSE;
++ goto fail;
+ _bfd_elf_parse_attributes (abfd, hdr);
+- return TRUE;
++ goto success;
+ }
+
+ /* Check for any processor-specific section types. */
+ if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex))
+- return TRUE;
++ goto success;
+
+ if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
+ {
+@@ -2004,9 +2055,12 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ "specific section `%s' [0x%8x]"),
+ abfd, name, hdr->sh_type);
+ else
+- /* Allow sections reserved for applications. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
+- shindex);
++ {
++ /* Allow sections reserved for applications. */
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
++ shindex);
++ goto success;
++ }
+ }
+ else if (hdr->sh_type >= SHT_LOPROC
+ && hdr->sh_type <= SHT_HIPROC)
+@@ -2027,8 +2081,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ "`%s' [0x%8x]"),
+ abfd, name, hdr->sh_type);
+ else
+- /* Otherwise it should be processed. */
+- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ {
++ /* Otherwise it should be processed. */
++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
++ goto success;
++ }
+ }
+ else
+ /* FIXME: We should handle this section. */
+@@ -2036,10 +2093,17 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
+ (_("%B: don't know how to handle section `%s' [0x%8x]"),
+ abfd, name, hdr->sh_type);
+
+- return FALSE;
++ goto fail;
+ }
+
+- return TRUE;
++ fail:
++ ret = FALSE;
++ success:
++ if (sections_being_created)
++ sections_being_created [shindex] = FALSE;
++ if (-- nesting == 0)
++ sections_being_created = NULL;
++ return ret;
+ }
+
+ /* Return the local symbol specified by ABFD, R_SYMNDX. */
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 987be40..c7d6067 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -1705,7 +1705,12 @@ pe_print_edata (bfd * abfd, void * vfile)
+ _("\nExport Address Table -- Ordinal Base %ld\n"),
+ edt.base);
+
+- for (i = 0; i < edt.num_functions; ++i)
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize)
++ fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
++ (long) edt.eat_addr,
++ (long) edt.num_functions);
++ else for (i = 0; i < edt.num_functions; ++i)
+ {
+ bfd_vma eat_member = bfd_get_32 (abfd,
+ data + edt.eat_addr + (i * 4) - adj);
+@@ -1741,7 +1746,16 @@ pe_print_edata (bfd * abfd, void * vfile)
+ fprintf (file,
+ _("\n[Ordinal/Name Pointer] Table\n"));
+
+- for (i = 0; i < edt.num_names; ++i)
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize)
++ fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"),
++ (long) edt.npt_addr,
++ (long) edt.num_names);
++ else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize)
++ fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"),
++ (long) edt.ot_addr,
++ (long) edt.num_names);
++ else for (i = 0; i < edt.num_names; ++i)
+ {
+ bfd_vma name_ptr = bfd_get_32 (abfd,
+ data +
+--
+1.7.1
+
diff --git a/binutils-2.24-cve_2014_8503.patch b/binutils-2.24-cve_2014_8503.patch
new file mode 100644
index 0000000..24b55ef
--- /dev/null
+++ b/binutils-2.24-cve_2014_8503.patch
@@ -0,0 +1,27 @@
+From 0102ea8cec5fc509bba6c91df61b7ce23a799d32 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Thu, 30 Oct 2014 17:16:17 +0000
+Subject: [PATCH] Fixes a seg-fault in the ihex parser when it encounters a malformed ihex file.
+
+ PR binutils/17512
+ * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
+---
+ bfd/ihex.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/bfd/ihex.c b/bfd/ihex.c
+index 8d3590d..9b3b813 100644
+--- a/bfd/ihex.c
++++ b/bfd/ihex.c
+@@ -321,7 +321,7 @@ ihex_scan (bfd *abfd)
+ {
+ if (! ISHEX (buf[i]))
+ {
+- ihex_bad_byte (abfd, lineno, hdr[i], error);
++ ihex_bad_byte (abfd, lineno, buf[i], error);
+ goto error_return;
+ }
+ }
+--
+1.7.1
+
diff --git a/binutils-2.24-cve_2014_8504.patch b/binutils-2.24-cve_2014_8504.patch
new file mode 100644
index 0000000..9adcc3d
--- /dev/null
+++ b/binutils-2.24-cve_2014_8504.patch
@@ -0,0 +1,33 @@
+diff -up avr-binutils-2.24/binutils-2.24/bfd/elf.c.cve_2014_8504 avr-binutils-2.24/binutils-2.24/bfd/elf.c
+diff -up avr-binutils-2.24/binutils-2.24/bfd/peXXigen.c.cve_2014_8504 avr-binutils-2.24/binutils-2.24/bfd/peXXigen.c
+--- avr-binutils-2.24/binutils-2.24/bfd/peXXigen.c.cve_2014_8504 2014-11-12 11:19:20.291350505 +0100
++++ avr-binutils-2.24/binutils-2.24/bfd/peXXigen.c 2014-11-12 11:19:20.313350092 +0100
+@@ -471,7 +471,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
+ a->NumberOfRvaAndSizes = 0;
+ }
+
+-
+ for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
+ {
+ /* If data directory is empty, rva also should be 0. */
+diff -up avr-binutils-2.24/binutils-2.24/bfd/srec.c.cve_2014_8504 avr-binutils-2.24/binutils-2.24/bfd/srec.c
+--- avr-binutils-2.24/binutils-2.24/bfd/srec.c.cve_2014_8504 2013-11-04 16:33:37.000000000 +0100
++++ avr-binutils-2.24/binutils-2.24/bfd/srec.c 2014-11-12 11:21:38.853748016 +0100
+@@ -248,7 +248,7 @@ srec_bad_byte (bfd *abfd,
+ }
+ else
+ {
+- char buf[10];
++ char buf[40];
+
+ if (! ISPRINT (c))
+ sprintf (buf, "\\%03o", (unsigned int) c);
+@@ -454,7 +454,7 @@ srec_scan (bfd *abfd)
+ case 'S':
+ {
+ file_ptr pos;
+- char hdr[3];
++ unsigned char hdr[3];
+ unsigned int bytes;
+ bfd_vma address;
+ bfd_byte *data;
diff --git a/binutils-2.24-dirtravel.patch b/binutils-2.24-dirtravel.patch
new file mode 100644
index 0000000..3375c6e
--- /dev/null
+++ b/binutils-2.24-dirtravel.patch
@@ -0,0 +1,150 @@
+From dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Thu, 6 Nov 2014 14:49:10 +0000
+Subject: [PATCH] Prevent archive memebers with illegal pathnames from being extracted from an archive.
+
+ PR binutils/17552, binutils/17533
+ * bucomm.c (is_valid_archive_path): New function. Returns false
+ for absolute pathnames and pathnames that include /../.
+ * bucomm.h (is_valid_archive_path): Add prototype.
+ * ar.c (extract_file): Use new function to check for valid
+ pathnames when extracting files from an archive.
+ * objcopy.c (copy_archive): Likewise.
+ * doc/binutils.texi: Update documentation to mention the
+ limitation on pathname of archive members.
+---
+ binutils/ar.c | 9 +++++++++
+ binutils/bucomm.c | 26 ++++++++++++++++++++++++++
+ binutils/bucomm.h | 12 ++++++++----
+ binutils/doc/binutils.texi | 3 ++-
+ binutils/objcopy.c | 6 ++++++
+ 6 files changed, 65 insertions(+), 7 deletions(-)
+
+diff --git a/binutils/ar.c b/binutils/ar.c
+index ebd9528..117826d 100644
+--- a/binutils/ar.c
++++ b/binutils/ar.c
+@@ -1034,6 +1034,15 @@ extract_file (bfd *abfd)
+ bfd_size_type size;
+ struct stat buf;
+
++ /* PR binutils/17533: Do not allow directory traversal
++ outside of the current directory tree. */
++ if (! is_valid_archive_path (bfd_get_filename (abfd)))
++ {
++ non_fatal (_("illegal pathname found in archive member: %s"),
++ bfd_get_filename (abfd));
++ return;
++ }
++
+ if (bfd_stat_arch_elt (abfd, &buf) != 0)
+ /* xgettext:c-format */
+ fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fd73070..b8deff5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abfd)
+ bfd_get_filename (abfd));
+ return buf;
+ }
++
++/* Returns TRUE iff PATHNAME, a filename of an archive member,
++ is valid for writing. For security reasons absolute paths
++ and paths containing /../ are not allowed. See PR 17533. */
++
++bfd_boolean
++is_valid_archive_path (char const * pathname)
++{
++ const char * n = pathname;
++
++ if (IS_ABSOLUTE_PATH (n))
++ return FALSE;
++
++ while (*n)
++ {
++ if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
++ return FALSE;
++
++ while (*n && ! IS_DIR_SEPARATOR (*n))
++ n++;
++ while (IS_DIR_SEPARATOR (*n))
++ n++;
++ }
++
++ return TRUE;
++}
+diff --git a/binutils/bucomm.h b/binutils/bucomm.h
+index a93c378..a71a8fb 100644
+--- a/binutils/bucomm.h
++++ b/binutils/bucomm.h
+@@ -21,6 +21,8 @@
+ #ifndef _BUCOMM_H
+ #define _BUCOMM_H
+
++/* In bucomm.c. */
++
+ /* Return the filename in a static buffer. */
+ const char *bfd_get_archive_filename (const bfd *);
+
+@@ -56,20 +58,22 @@ bfd_vma parse_vma (const char *, const char *);
+
+ off_t get_file_size (const char *);
+
++bfd_boolean is_valid_archive_path (char const *);
++
+ extern char *program_name;
+
+-/* filemode.c */
++/* In filemode.c. */
+ void mode_string (unsigned long, char *);
+
+-/* version.c */
++/* In version.c. */
+ extern void print_version (const char *);
+
+-/* rename.c */
++/* In rename.c. */
+ extern void set_times (const char *, const struct stat *);
+
+ extern int smart_rename (const char *, const char *, int);
+
+-/* libiberty. */
++/* In libiberty. */
+ void *xmalloc (size_t);
+
+ void *xrealloc (void *, size_t);
+diff --git a/binutils/doc/binutils.texi b/binutils/doc/binutils.texi
+index eee77b1..39eb1d2 100644
+--- a/binutils/doc/binutils.texi
++++ b/binutils/doc/binutils.texi
+@@ -234,7 +234,8 @@ a normal archive. Instead the elements of the first archive are added
+ individually to the second archive.
+
+ The paths to the elements of the archive are stored relative to the
+-archive itself.
++archive itself. For security reasons absolute paths and paths with a
++ at code{/../} component are not allowed.
+
+ @cindex compatibility, @command{ar}
+ @cindex @command{ar} compatibility
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index 3b353ad..8454bc6 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -2295,6 +2295,12 @@ copy_archive (bfd *ibfd, bfd *obfd, const char *output_target,
+ bfd_boolean del = TRUE;
+ bfd_boolean ok_object;
+
++ /* PR binutils/17533: Do not allow directory traversal
++ outside of the current directory tree by archive members. */
++ if (! is_valid_archive_path (bfd_get_filename (this_element)))
++ fatal (_("illegal pathname found in archive member: %s"),
++ bfd_get_filename (this_element));
++
+ /* Create an output file for this member. */
+ output_name = concat (dir, "/",
+ bfd_get_filename (this_element), (char *) 0);
+--
+1.7.1
+
More information about the scm-commits
mailing list