From 0777f350e2f2d31ea68edb6d97aa79ccb3b77f61 Mon Sep 17 00:00:00 2001
From: Bruno Larsen
Date: Thu, 30 Mar 2023 12:09:21 +0200
Subject: [PATCH] Backport "libiberty: prevent buffer overflow when decoding user input"

Resolves: rhbz#2132600
---
 _gdb.spec.Patch.include | 4 +++
 _gdb.spec.patch.include | 1 +
 _patch_order | 1 +
 gdb.spec | 6 ++++-
 ...rhbz-2132600-prevent-buffer-overflow.patch | 27 +++++++++++++++++++
 5 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 libiberty-rhbz-2132600-prevent-buffer-overflow.patch

diff --git a/_gdb.spec.Patch.include b/_gdb.spec.Patch.include
index 6692ef2..8750a11 100644
--- a/_gdb.spec.Patch.include
+++ b/_gdb.spec.Patch.include
@@ -475,3 +475,7 @@ Patch114: gdb-fix-gdb.base-printcmds-s390x-regressions.patch
 # (Tom de Vries, RHBZ2130624)
 Patch115: gdb-rhbz-2130624-assert_in_jit_event_handler.patch
 
+# Backport libiberty: prevent buffer overflow when decoding user input
+# (Luís Ferreira, RHBZ2132600)
+Patch116: libiberty-rhbz-2132600-prevent-buffer-overflow.patch
+
diff --git a/_gdb.spec.patch.include b/_gdb.spec.patch.include
index b65d5b4..f0da001 100644
--- a/_gdb.spec.patch.include
+++ b/_gdb.spec.patch.include
@@ -113,3 +113,4 @@
 %patch113 -p1
 %patch114 -p1
 %patch115 -p1
+%patch116 -p1
diff --git a/_patch_order b/_patch_order
index 1ddd7c9..0ba4bab 100644
--- a/_patch_order
+++ b/_patch_order
@@ -113,3 +113,4 @@ gdb-rhbz2086761-unknown-cfa-rule.patch
 gdb-rhbz2155439-assert-failure-copy_type.patch
 gdb-fix-gdb.base-printcmds-s390x-regressions.patch
 gdb-rhbz-2130624-assert_in_jit_event_handler.patch
+libiberty-rhbz-2132600-prevent-buffer-overflow.patch
diff --git a/gdb.spec b/gdb.spec
index ad40399..2d5a0d4 100644
--- a/gdb.spec
+++ b/gdb.spec
@@ -37,7 +37,7 @@ Version: 10.2
 
 # The release always contains a leading reserved number, start it at 1.
 # `upstream' is not a part of `name' to stay fully rpm dependencies compatible for the testing.
-Release: 10%{?dist}
+Release: 11%{?dist}
 
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL
 # Do not provide URL for snapshots as the file lasts there only for 2 days.
@@ -1158,6 +1158,10 @@ fi
 %endif
 
 %changelog
+* Wed Mar 29 2023 Bruno Larsen - 10.2-11.el9
+- Backport "libiberty: prevent buffer overflow when decoding user input"
+ (Luís Ferreira, RHBZ2132600)
+
 * Mon Mar 27 2023 Bruno Larsen
 - Backport "[gdb/breakpoint] Fix assert in jit_event_handler"
 (Tom de Vries, RHBZ 2130624)
diff --git a/libiberty-rhbz-2132600-prevent-buffer-overflow.patch b/libiberty-rhbz-2132600-prevent-buffer-overflow.patch
new file mode 100644
index 0000000..a0f5076
--- /dev/null
+++ b/libiberty-rhbz-2132600-prevent-buffer-overflow.patch
@@ -0,0 +1,27 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?=
+Date: Thu, 23 Sep 2021 11:33:47 -0400
+Subject: libiberty-rhbz-2132600-prevent-buffer-overflow.patch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+;; Backport libiberty: prevent buffer overflow when decoding user input
+;; (Luís Ferreira, RHBZ2132600)
+
+libiberty/
+ * d-demangle.c (dlang_symbol_backref): Ensure strlen of
+ string is less than length computed by dlang_number.
+
+diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
+--- a/libiberty/d-demangle.c
++++ b/libiberty/d-demangle.c
+@@ -380,7 +380,7 @@ dlang_symbol_backref (string *decl, const char *mangled,
+
+ /* Must point to a simple identifier. */
+ backref = dlang_number (backref, &len);
+- if (backref == NULL)
++ if (backref == NULL || strlen (backref) < len)
+ return NULL;
+
+ backref = dlang_lname (decl, backref, len);
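Review bot: In the nested libiberty hunk, the new bound `strlen (backref) < len` in dlang_symbol_backref has no comment saying why it is there, and the existing "Must point to a simple identifier" comment does not cover it; I would add `/* Reject a length that exceeds what is left of the mangled string before passing it to dlang_lname. */` above the test. The function body starts and ends outside the hunk, so whether the other callers of dlang_lname apply the same bound cannot be seen here and is worth confirming against the tree this patch is applied to. The patch header also records no upstream commit, so the backport cannot be matched to its origin from this page; a line such as `;; Upstream commit: <UPSTREAM_COMMIT_ID>` next to the RHBZ reference would make that check possible.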