diff options
author | Armin Kuster <akuster@mvista.com> | 2018-08-06 15:29:00 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 10:22:28 +0100 |
commit | 03fb0028d76d18bac48b333f743ce27e21324d59 (patch) | |
tree | fc766ebd5b8ddeda2458fb192e2c9cfce6f24d50 | |
parent | 45de3690367c8e0adf443a2f2630ecf8791789d6 (diff) | |
download | openembedded-core-contrib-03fb0028d76d18bac48b333f743ce27e21324d59.tar.gz |
binutls: Security fix for CVE-2017-14939
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch | 56 |
2 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index c7c755fcb3..4abfbbf76b 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -42,6 +42,7 @@ SRC_URI = "\ file://CVE-2017-14933_p2.patch \ file://CVE-2017-14934.patch \ file://CVE-2017-14938.patch \ + file://CVE-2017-14939.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch new file mode 100644 index 0000000000..d1e4c3e609 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch @@ -0,0 +1,56 @@ +From 515f23e63c0074ab531bc954f84ca40c6281a724 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 14:36:16 +0930 +Subject: [PATCH] PR22169, heap-based buffer overflow in read_1_byte + +The .debug_line header length field doesn't include the length field +itself, ie. it's the size of the rest of .debug_line. + + PR 22169 + * dwarf2.c (decode_line_info): Correct .debug_line unit_length check. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14939 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/dwarf2.c | 7 ++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -2084,12 +2084,13 @@ decode_line_info (struct comp_unit *unit + offset_size = 8; + } + +- if (unit->line_offset + lh.total_length > stash->dwarf_line_size) ++ if (lh.total_length > (size_t) (line_end - line_ptr)) + { + _bfd_error_handler + /* xgettext: c-format */ +- (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"), +- lh.total_length, stash->dwarf_line_size - unit->line_offset); ++ (_("Dwarf Error: Line info data is bigger (%#Lx)" ++ " than the space remaining in the section (%#lx)"), ++ lh.total_length, (unsigned long) (line_end - line_ptr)); + bfd_set_error (bfd_error_bad_value); + return NULL; + } +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,9 @@ + 2017-09-24 Alan Modra <amodra@gmail.com> ++ ++ PR 22169 ++ * dwarf2.c (decode_line_info): Correct .debug_line unit_length check. ++ ++2017-09-24 Alan Modra <amodra@gmail.com> + + PR 22166 + * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on |