Fix illegal memory accesses when parsing corrupt a.out format files. [part 2]

Resolves: RHEL-64927

binutils-CVE-2018-12699-part6-PR28862.patch

@@ -0,0 +1,22 @@
+--- binutils.orig/binutils/stabs.c	2024-11-06 17:39:57.460250962 +0000
++++ binutils-2.30/binutils/stabs.c	2024-11-06 17:41:32.293848603 +0000
+@@ -1138,15 +1138,13 @@ parse_stab_string (void *dhandle, struct
+     case 'Y':
+       /* SUNPro C++ Namespace =Yn0.  */
+       /* Skip the namespace mapping, as it is not used now.  */
+-      if (*(++p) == 'n' && *(++p) == '0')
++      if (*p++ != 0 && *p++ == 'n' && *p++ == '0')
+ 	{
+ 	  /* =Yn0name; */
+-	  while (*p != ';')
++	  while (*p && *p != ';')
+ 	    ++p;
+-	  ++p;
+-	  /* There is a potential resource leak here, but it is not important.  */
+-	  /* coverity[leaked_storage: FALSE] */
+-	  return TRUE;
++	  if (*p)
++	    return TRUE;
+ 	}
+       /* TODO SUNPro C++ support:
+          Support default arguments after F,P parameters

binutils-CVE-2018-12699-part7-PR28718.patch

@@ -0,0 +1,27 @@
+--- binutils.orig/binutils/debug.c	2024-11-06 17:39:57.452250912 +0000
++++ binutils-2.30/binutils/debug.c	2024-11-06 17:44:37.951018606 +0000
+@@ -2483,8 +2483,22 @@ debug_write_type (struct debug_handle *i
+     case DEBUG_KIND_INDIRECT:
+       if (*type->u.kindirect->slot == DEBUG_TYPE_NULL)
+ 	return (*fns->empty_type) (fhandle);
+-      return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+-			       name);
++      /* PR 28718: Allow for malicious recursion.  */
++      {
++	static int recursion_depth = 0;
++	bfd_boolean result;
++
++	if (recursion_depth > 256)
++	  {
++	    debug_error (_("debug_write_type: too many levels of nested indirection"));
++	    return FALSE;
++	  }
++	++ recursion_depth;
++	result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
++				  name);
++	-- recursion_depth;
++	return result;
++      }
+     case DEBUG_KIND_VOID:
+       return (*fns->void_type) (fhandle);
+     case DEBUG_KIND_INT:

binutils.spec

@@ -43,7 +43,7 @@
 Summary: A GNU collection of binary utilities
 Name: binutils%{?name_cross}%{?_with_debug:-debug}
 Version: 2.30
-Release: 124%{?dist}
+Release: 125%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
 
@@ -659,6 +659,14 @@ Patch108: binutils-CVE-2018-12699-part4-PR16615.patch
 # Lifetime: 2.35
 Patch109: binutils-CVE-2018-12699-part5-PR28694.patch
 
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch110: binutils-CVE-2018-12699-part6-PR28862.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch111: binutils-CVE-2018-12699-part7-PR28718.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -905,6 +913,8 @@ using libelf instead of BFD.
 %patch107 -p1
 %patch108 -p1
 %patch109 -p1
+%patch110 -p1
+%patch111 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@@ -1354,6 +1364,9 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Wed Nov 06 2024 Nick Clifton  <nickc@redhat.com> - 2.30-125
+- Fix illegal memory accesses when parsing corrupt a.out format files.  (RHEL-64927)
+
 * Tue Oct 29 2024 Nick Clifton  <nickc@redhat.com> - 2.30-124
 - Fix illegal memory accesses when parsing corrupt a.out format files.  (RHEL-64927)