[avr-binutils/f19] fix CVE-2014-8738: out of bounds memory write
Michal Hlavinka
mhlavink at fedoraproject.org
Thu Nov 13 16:43:57 UTC 2014
commit 142ef8cebaaa928f8f48dec3269b413176327cae
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Thu Nov 13 17:43:51 2014 +0100
fix CVE-2014-8738: out of bounds memory write
avr-binutils.spec | 7 ++++-
binutils-2.24-cve_2014_8738.patch | 47 +++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/avr-binutils.spec b/avr-binutils.spec
index 55b0287..f8c5955 100644
--- a/avr-binutils.spec
+++ b/avr-binutils.spec
@@ -2,7 +2,7 @@
Name: %{target}-binutils
Version: 2.24
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 1
Summary: Cross Compiling GNU binutils targeted at %{target}
Group: Development/Tools
@@ -18,6 +18,7 @@ Patch4: binutils-2.24-cve_2014_8502a.patch
Patch5: binutils-2.24-cve_2014_8503.patch
Patch6: binutils-2.24-cve_2014_8504.patch
Patch7: binutils-2.24-dirtravel.patch
+Patch8: binutils-2.24-cve_2014_8738.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u} -n)
BuildRequires: gawk texinfo
@@ -41,6 +42,7 @@ pushd binutils-%{version}
%patch5 -p1 -b .cve_2014_8503
%patch6 -p2 -b .cve_2014_8504
%patch7 -p1 -b .dirtravel
+%patch8 -p1 -b .cve_2014_8738
popd
cp %{SOURCE1} .
@@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Nov 13 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.24-3
+- fix CVE-2014-8738: out of bounds memory write
+
* Wed Nov 12 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.24-2
- fix directory traversal vulnerability (#1162657)
- fix CVE-2014-8501: out-of-bounds write when parsing specially crafted PE executable
diff --git a/binutils-2.24-cve_2014_8738.patch b/binutils-2.24-cve_2014_8738.patch
new file mode 100644
index 0000000..91cbabc
--- /dev/null
+++ b/binutils-2.24-cve_2014_8738.patch
@@ -0,0 +1,47 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Farchive.c;h=b9052135101d864082ec615053891e633f89da0c;hp=40a3395ba09be7cd60bc0220efa7b2ebe563e246;hb=bb0d867169d7e9743d229804106a8fbcab7f3b3f;hpb=ed9e98c214dde25cc9ff54bac7191c3824be3ffa
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index 40a3395..b905213 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ amt = namedata->parsed_size;
+ if (amt + 1 == 0)
+ goto byebye;
++ /* PR binutils/17533: A corrupt archive can contain an invalid size. */
++ if (amt > (bfd_size_type) bfd_get_size (abfd))
++ goto byebye;
+
+ bfd_ardata (abfd)->extended_names_size = amt;
+ bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
+@@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ {
+ byebye:
+ free (namedata);
++ bfd_ardata (abfd)->extended_names = NULL;
++ bfd_ardata (abfd)->extended_names_size = 0;
+ return FALSE;
+ }
+
+@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ if (bfd_get_error () != bfd_error_system_call)
+ bfd_set_error (bfd_error_malformed_archive);
+ bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
+- bfd_ardata (abfd)->extended_names = NULL;
+ goto byebye;
+ }
+
+@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ text, the entries in the list are newline-padded, not null
+ padded. In SVR4-style archives, the names also have a
+ trailing '/'. DOS/NT created archive often have \ in them
+- We'll fix all problems here.. */
++ We'll fix all problems here. */
+ {
+ char *ext_names = bfd_ardata (abfd)->extended_names;
+ char *temp = ext_names;
+ char *limit = temp + namedata->parsed_size;
++
+ for (; temp < limit; ++temp)
+ {
+ if (*temp == ARFMAG[1])
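Review bot: The new size check in `_bfd_slurp_extended_name_table` (archive.c hunk at -1293) jumps to `byebye` without recording an error, whereas the short-read path further down calls `bfd_set_error (bfd_error_malformed_archive)` before the same jump. A caller that gets FALSE for a corrupt archive may therefore see a stale or unset BFD error; consider `if (amt > (bfd_size_type) bfd_get_size (abfd)) { bfd_set_error (bfd_error_malformed_archive); goto byebye; }`. The bound is the whole file size rather than the bytes remaining after the current offset, so it only caps the allocation, and the later `bfd_bread` length comparison is still what rejects a table that runs past the end of the file; a one-line comment saying so would help. The function starts and ends outside these hunks, so whether an error is already set earlier cannot be confirmed from here.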