[arm-none-eabi-binutils-cs/f21] fix CVE-2014-8738: out of bounds memory write
Michal Hlavinka
mhlavink at fedoraproject.org
Thu Nov 13 16:44:06 UTC 2014
commit e903517d2dcbf6d7475b159a8d5f013b7df05d02
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Thu Nov 13 17:44:01 2014 +0100
fix CVE-2014-8738: out of bounds memory write
arm-none-eabi-binutils-cs.spec | 7 ++++-
binutils-2.24-cve_2014_8738.patch | 47 +++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/arm-none-eabi-binutils-cs.spec b/arm-none-eabi-binutils-cs.spec
index e0344ef..587c26d 100644
--- a/arm-none-eabi-binutils-cs.spec
+++ b/arm-none-eabi-binutils-cs.spec
@@ -10,7 +10,7 @@
Name: %{target}-binutils-cs
Version: %{cs_date}.%{cs_rel}
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: GNU Binutils for cross-compilation for %{target} target
Group: Development/Tools
# Most of the sources are licensed under GPLv3+ with these exceptions:
@@ -34,6 +34,7 @@ Patch4: binutils-2.24-cve_2014_8502a.patch
Patch5: binutils-2.24-cve_2014_8503.patch
Patch6: binutils-2.24-cve_2014_8504.patch
Patch7: binutils-2.24-dirtravel.patch
+Patch8: binutils-2.24-cve_2014_8738.patch
BuildRequires: flex bison ppl-devel cloog-ppl-devel
BuildRequires: texinfo texinfo-tex perl-podlators
Provides: %{target}-binutils = %{binutils_ver}
@@ -59,6 +60,7 @@ rm -rf gdb sim
%patch5 -p1 -b .cve_2014_8503
%patch6 -p2 -b .cve_2014_8504
%patch7 -p1 -b .dirtravel
+%patch8 -p1 -b .cve_2014_8738
%build
./configure CFLAGS="$RPM_OPT_FLAGS" \
@@ -100,6 +102,9 @@ rm -r %{buildroot}%{_infodir}
%changelog
+* Thu Nov 13 2014 Michal Hlavinka <mhlavink at redhat.com> - 2014.05.28-3
+- fix CVE-2014-8738: out of bounds memory write
+
* Wed Nov 12 2014 Michal Hlavinka <mhlavink at redhat.com> - 2014.05.28-2
- fix directory traversal vulnerability (#1162657)
- fix CVE-2014-8501: out-of-bounds write when parsing specially crafted PE executable
diff --git a/binutils-2.24-cve_2014_8738.patch b/binutils-2.24-cve_2014_8738.patch
new file mode 100644
index 0000000..91cbabc
--- /dev/null
+++ b/binutils-2.24-cve_2014_8738.patch
@@ -0,0 +1,47 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Farchive.c;h=b9052135101d864082ec615053891e633f89da0c;hp=40a3395ba09be7cd60bc0220efa7b2ebe563e246;hb=bb0d867169d7e9743d229804106a8fbcab7f3b3f;hpb=ed9e98c214dde25cc9ff54bac7191c3824be3ffa
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index 40a3395..b905213 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ amt = namedata->parsed_size;
+ if (amt + 1 == 0)
+ goto byebye;
++ /* PR binutils/17533: A corrupt archive can contain an invalid size. */
++ if (amt > (bfd_size_type) bfd_get_size (abfd))
++ goto byebye;
+
+ bfd_ardata (abfd)->extended_names_size = amt;
+ bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
+@@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ {
+ byebye:
+ free (namedata);
++ bfd_ardata (abfd)->extended_names = NULL;
++ bfd_ardata (abfd)->extended_names_size = 0;
+ return FALSE;
+ }
+
+@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ if (bfd_get_error () != bfd_error_system_call)
+ bfd_set_error (bfd_error_malformed_archive);
+ bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
+- bfd_ardata (abfd)->extended_names = NULL;
+ goto byebye;
+ }
+
+@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ text, the entries in the list are newline-padded, not null
+ padded. In SVR4-style archives, the names also have a
+ trailing '/'. DOS/NT created archive often have \ in them
+- We'll fix all problems here.. */
++ We'll fix all problems here. */
+ {
+ char *ext_names = bfd_ardata (abfd)->extended_names;
+ char *temp = ext_names;
+ char *limit = temp + namedata->parsed_size;
++
+ for (; temp < limit; ++temp)
+ {
+ if (*temp == ARFMAG[1])
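Review bot: The added size check in the embedded bfd/archive.c patch (`if (amt > (bfd_size_type) bfd_get_size (abfd)) goto byebye;`) returns FALSE without setting a BFD error, whereas the failure path in the third hunk calls `bfd_set_error (bfd_error_malformed_archive)` before jumping to `byebye`. A caller that prints `bfd_get_error ()` may then report a stale or unrelated error for a corrupt archive, so the rejected-size branch should read `{ bfd_set_error (bfd_error_malformed_archive); goto byebye; }`. The bound is the whole file size rather than the bytes remaining after the header, so a `parsed_size` that is too large but still below the file size reaches `bfd_zalloc (abfd, amt + 1)` and is presumably rejected only by the read that follows. A short comment stating that this is intended would help the next reader. `_bfd_slurp_extended_name_table` begins and ends outside these hunks, so the read call and the callers' error handling are not visible here.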