binutils: CVE-2017-12448

Source: git://sourceware.org/git/binutils-gdb.git
MR: 73880
Type: Security Fix
Disposition: Backport from binutils-2_29-branch
ChangeID: 6ef7c8e941d7a1c069b29e4671178c0d02427e3f
Description:

Fix use-after-free error when parsing a corrupt nested archive.

PR 21787
* archive.c (bfd_generic_archive_p): If the bfd does not have the
  correct magic bytes at the start, set the error to wrong format
  and clear the format selector before returning NULL.

Affects: <= 2.29

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 3c29f660cda22529afeb2f268f7a31a30bab9e07..772df0af300bffefdce6b944144ae950b1102a55 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
      file://CVE-2017-9041_1.patch \
      file://CVE-2017-9041_2.patch \
      file://CVE-2017-7226.patch \
+     file://CVE-2017-12448.patch \
 "
 S  = "${WORKDIR}/git"
 

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12448.patch
new file mode 100644 (file)
index 0000000..039166c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12448.patch
@@ -0,0 +1,49 @@
+commit 909e4e716c4d77e33357bbe9bc902bfaf2e1af24
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Wed Jul 19 14:49:12 2017 +0100
+
+    Fix use-after-free error when parsing a corrupt nested archive.
+    
+       PR 21787
+       * archive.c (bfd_generic_archive_p): If the bfd does not have the
+       correct magic bytes at the start, set the error to wrong format
+       and clear the format selector before returning NULL.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12448
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/archive.c
+===================================================================
+--- git.orig/bfd/archive.c     2017-08-30 16:44:10.848601412 +0530
++++ git/bfd/archive.c  2017-08-30 16:44:21.400855758 +0530
+@@ -834,7 +834,12 @@
+   if (strncmp (armag, ARMAG, SARMAG) != 0
+       && strncmp (armag, ARMAGB, SARMAG) != 0
+       && ! bfd_is_thin_archive (abfd))
+-    return NULL;
++    {
++      bfd_set_error (bfd_error_wrong_format);
++      if (abfd->format == bfd_archive)
++      abfd->format = bfd_unknown;
++      return NULL;
++    }
+ 
+   tdata_hold = bfd_ardata (abfd);
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog     2017-08-30 16:44:21.340854320 +0530
++++ git/bfd/ChangeLog  2017-08-30 16:46:48.716143277 +0530
+@@ -1,3 +1,10 @@
++2017-07-19  Nick Clifton  <nickc@redhat.com>
++
++       PR 21787
++       * archive.c (bfd_generic_archive_p): If the bfd does not have the
++       correct magic bytes at the start, set the error to wrong format
++       and clear the format selector before returning NULL.
++
+ 2017-04-25  Maciej W. Rozycki  <macro@imgtec.com>
+ 
+        * readelf.c (process_mips_specific): Remove error reporting from