binutls: Security fix for CVE-2017-16832

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index d5db6e8da43b4f5c89a4a6c9e2e16d9ffc0b3795..6611fdc3a6218549dfbce624580290f448236b94 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
      file://CVE-2017-16829.patch \
      file://CVE-2017-16830.patch \
      file://CVE-2017-16831.patch \
+     file://CVE-2017-16832.patch \
 "
 S  = "${WORKDIR}/git"
 

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
new file mode 100644 (file)
index 0000000..9044bcc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
@@ -0,0 +1,61 @@
+From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 31 Oct 2017 14:29:40 +0000
+Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary
+ with a corrupt data dictionary.
+
+       PR 22373
+       * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
+       offset values.
+
+Upstrem-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16832
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/peicode.h | 9 ++++++---
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+Index: git/bfd/peicode.h
+===================================================================
+--- git.orig/bfd/peicode.h
++++ git/bfd/peicode.h
+@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
+   bfd_byte *data = 0;
+   bfd_size_type dataoff;
+   unsigned int i;
+-
+   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
+   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
+ 
+@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
+ 
+   dataoff = addr - section->vma;
+ 
+-  /* PR 20605: Make sure that the data is really there.  */
+-  if (dataoff + size > section->size)
++  /* PR 20605 and 22373: Make sure that the data is really there.
++     Note - since we are dealing with unsigned quantities we have
++     to be careful to check for potential overflows.  */
++  if (dataoff > section->size
++      || size > section->size
++      || dataoff + size > section->size)
+     {
+       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
+                         abfd);
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-31  Nick Clifton  <nickc@redhat.com>
++
++       PR 22373
++       * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
++       offset values.
++
+ 2017-11-03  Mingi Cho  <mgcho.minic@gmail.com>
+            Nick Clifton  <nickc@redhat.com>
+