summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-08-19 21:43:11 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-08-21 21:52:59 +0100
commit7ef44dbd3b99a2150b552cbe8941dd592197eb43 (patch)
treede74e25485d458c8fe2355b7eff8cd6289abe4ac
parenteaa58d850adde0460697ab44653a5a99cb58ccc2 (diff)
downloadopenembedded-core-contrib-7ef44dbd3b99a2150b552cbe8941dd592197eb43.tar.gz
openembedded-core-contrib-7ef44dbd3b99a2150b552cbe8941dd592197eb43.tar.bz2
openembedded-core-contrib-7ef44dbd3b99a2150b552cbe8941dd592197eb43.zip
binutils: fix CVE-2019-14250 CVE-2019-14444
(From OE-Core rev: abdc51527988afdcfd2db6dc08ebb6083a341be9) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.32.inc2
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch33
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch28
3 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 31c24a37f5..d3c52936d1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
file://CVE-2019-9077.patch \
file://CVE-2019-9071.patch \
file://CVE-2019-12972.patch \
+ file://CVE-2019-14250.patch \
+ file://CVE-2019-14444.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
new file mode 100644
index 0000000000..c915a832b0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
@@ -0,0 +1,33 @@
+From df78be05daf4eb07f60f50ec1080cb979af32ec0 Mon Sep 17 00:00:00 2001
+From: marxin <marxin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Tue, 23 Jul 2019 07:33:32 +0000
+Subject: [PATCH] libiberty: Check zero value shstrndx in simple-object-elf.c
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@273718 138bc75d-0d04-0410-961f-82ee72b054a4
+
+CVE: CVE-2019-14250
+Upstream-Status: Backport [from gcc: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
+index 502388991a08..bdee963634d6 100644
+--- a/libiberty/simple-object-elf.c
++++ b/libiberty/simple-object-elf.c
+@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 0000000000..85b9a9f916
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
@@ -0,0 +1,28 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+CVE: CVE-2019-14444
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b896ad9f406..e785fde43e7 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -13366,7 +13366,7 @@ apply_relocations (Filedata * filedata,
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,