diff --git a/binutils-CVE-2018-12699-part6-PR28862.patch b/binutils-CVE-2018-12699-part6-PR28862.patch
new file mode 100644
index 0000000..22c341b
--- /dev/null
+++ b/binutils-CVE-2018-12699-part6-PR28862.patch
@@ -0,0 +1,22 @@
+--- binutils.orig/binutils/stabs.c 2024-11-06 17:39:57.460250962 +0000
++++ binutils-2.30/binutils/stabs.c 2024-11-06 17:41:32.293848603 +0000
+@@ -1138,15 +1138,13 @@ parse_stab_string (void *dhandle, struct
+ case 'Y':
+ /* SUNPro C++ Namespace =Yn0. */
+ /* Skip the namespace mapping, as it is not used now. */
+- if (*(++p) == 'n' && *(++p) == '0')
++ if (*p++ != 0 && *p++ == 'n' && *p++ == '0')
+ {
+ /* =Yn0name; */
+- while (*p != ';')
++ while (*p && *p != ';')
+ ++p;
+- ++p;
+- /* There is a potential resource leak here, but it is not important. */
+- /* coverity[leaked_storage: FALSE] */
+- return TRUE;
++ if (*p)
++ return TRUE;
+ }
+ /* TODO SUNPro C++ support:
+ Support default arguments after F,P parameters
diff --git a/binutils-CVE-2018-12699-part7-PR28718.patch b/binutils-CVE-2018-12699-part7-PR28718.patch
new file mode 100644
index 0000000..e938f15
--- /dev/null
+++ b/binutils-CVE-2018-12699-part7-PR28718.patch
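Review bot: In the patched `case 'Y':` of parse_stab_string, a `=Yn0name` record with no closing `;` now leaves the `if` body without returning and drops into whatever follows the TODO comment, which is outside this hunk, and nothing in the new lines says that this is intended. Presumably the code below rejects the stab; please confirm, and say so at the fall-out point with a comment such as `/* No terminating ';': fall through so the stab is rejected below. */` after the `if (*p) return TRUE;` pair. The three chained `*p++` tests also deserve one line explaining why they are safe, for example `/* Each test consumes one byte; && stops at the NUL, so no read goes past the terminator. */`. The function body starts and ends outside the hunk.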
@@ -0,0 +1,27 @@
+--- binutils.orig/binutils/debug.c 2024-11-06 17:39:57.452250912 +0000
++++ binutils-2.30/binutils/debug.c 2024-11-06 17:44:37.951018606 +0000
+@@ -2483,8 +2483,22 @@ debug_write_type (struct debug_handle *i
+ case DEBUG_KIND_INDIRECT:
+ if (*type->u.kindirect->slot == DEBUG_TYPE_NULL)
+ return (*fns->empty_type) (fhandle);
+- return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+- name);
++ /* PR 28718: Allow for malicious recursion. */
++ {
++ static int recursion_depth = 0;
++ bfd_boolean result;
++
++ if (recursion_depth > 256)
++ {
++ debug_error (_("debug_write_type: too many levels of nested indirection"));
++ return FALSE;
++ }
++ ++ recursion_depth;
++ result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
++ name);
++ -- recursion_depth;
++ return result;
++ }
+ case DEBUG_KIND_VOID:
+ return (*fns->void_type) (fhandle);
+ case DEBUG_KIND_INT:
diff --git a/binutils.spec b/binutils.spec
index e37b283..a3f3731 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -43,7 +43,7 @@ Summary: A GNU collection of binary utilities
 Name: binutils%{?name_cross}%{?_with_debug:-debug}
 Version: 2.30
-Release: 124%{?dist}
+Release: 125%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
@@ -659,6 +659,14 @@ Patch108: binutils-CVE-2018-12699-part4-PR16615.patch
 # Lifetime: 2.35
 Patch109: binutils-CVE-2018-12699-part5-PR28694.patch
+# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch110: binutils-CVE-2018-12699-part6-PR28862.patch
+
+# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch111: binutils-CVE-2018-12699-part7-PR28718.patch
+
 #----------------------------------------------------------------------------
 Provides: bundled(libiberty)
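Review bot: The depth guard added to the `DEBUG_KIND_INDIRECT` case relies on a bare `256` and a function-local `static int recursion_depth`, with only the PR number as explanation. A named constant and a fuller comment would make the limit reviewable, for example `#define MAX_INDIRECT_DEPTH 256` and `/* Counts nested DEBUG_KIND_INDIRECT calls only; bounds the stack depth that a crafted chain of indirect slots can force. */`. The counter is bumped only on this path, so recursion through the other kinds handled by debug_write_type is not limited by it; the function starts and ends outside the hunk, so please confirm those paths have their own protection. The static also makes the function non-reentrant, which is presumably acceptable for these tools.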
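Review bot: The `# Purpose:` line for Patch111 repeats Patch110's text word for word, but the part7 patch added in this same commit bounds recursion in debug_write_type rather than fixing an out-of-bounds read. Something like `# Purpose: Limits recursion when writing nested indirect debug types from corrupt input files (PR 28718).` would record what the backport actually does. The `# Lifetime: 2.35` value on both new entries looks copied as well and should be checked against the upstream release that carries each fix.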
@@ -905,6 +913,8 @@ using libelf instead of BFD.
 %patch107 -p1
 %patch108 -p1
 %patch109 -p1
+%patch110 -p1
+%patch111 -p1
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true. Maybe try reinstating autotool use ?
@@ -1354,6 +1364,9 @@ exit 0
 #----------------------------------------------------------------------------
 %changelog
+* Wed Nov 06 2024 Nick Clifton - 2.30-125
+- Fix illegal memory accesses when parsing corrupt a.out format files. (RHEL-64927)
+
 * Tue Oct 29 2024 Nick Clifton - 2.30-124
 - Fix illegal memory accesses when parsing corrupt a.out format files. (RHEL-64927)