From 5d623d409be60c7e8c345e30e6a9d23c66e75be4 Mon Sep 17 00:00:00 2001 From: Adrien Nader Date: Tue, 9 Dec 2014 10:07:06 +0100 Subject: binutils: patch CVE-2014-8501 (segfault in strings on corrupt PE). --- ...ls-fix-seg-fault-in-strings-on-corrupt-pe.patch | 55 ++++++++++++++++++++++ d/binutils/binutils.SlackBuild | 4 ++ 2 files changed, 59 insertions(+) create mode 100644 d/binutils/binutils-fix-seg-fault-in-strings-on-corrupt-pe.patch diff --git a/d/binutils/binutils-fix-seg-fault-in-strings-on-corrupt-pe.patch b/d/binutils/binutils-fix-seg-fault-in-strings-on-corrupt-pe.patch new file mode 100644 index 0000000..0bb95ad --- /dev/null +++ b/d/binutils/binutils-fix-seg-fault-in-strings-on-corrupt-pe.patch @@ -0,0 +1,55 @@ +From 7e1e19887abd24aeb15066b141cdff5541e0ec8e Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 27 Oct 2014 14:45:06 +0000 +Subject: [PATCH] Fix a seg-fault in strings and other binutuils when parsing a corrupt PE + executable with an invalid value in the NumberOfRvaAndSizes field of the + AOUT header. + + PR binutils/17512 + * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries + with an invalid value for NumberOfRvaAndSizes. +--- + bfd/ChangeLog | 4 ++++ + bfd/peXXigen.c | 12 ++++++++++++ + 2 files changed, 16 insertions(+), 0 deletions(-) + +diff --git a/bfd/ChangeLog b/bfd/ChangeLog +index 7ba4431..e1d9379 100644 +--- a/bfd/ChangeLog ++++ b/bfd/ChangeLog +@@ -1,5 +1,9 @@ + 2014-10-27 Nick Clifton + ++ PR binutils/17512 ++ * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries ++ with an invalid value for NumberOfRvaAndSizes. ++ + PR binutils/17510 + * elf.c (setup_group): Improve handling of corrupt group + sections. +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index 2fb631c..987be40 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -504,6 +504,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, + { + int idx; + ++ /* PR 17512: Corrupt PE binaries can cause seg-faults. */ ++ if (a->NumberOfRvaAndSizes > 16) ++ { ++ (*_bfd_error_handler) ++ (_("%B: aout header specifies an invalid number of data-directory entries: %d"), ++ abfd, a->NumberOfRvaAndSizes); ++ /* Paranoia: If the number is corrupt, then assume that the ++ actual entries themselves might be corrupt as well. */ ++ a->NumberOfRvaAndSizes = 0; ++ } ++ ++ + for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) + { + /* If data directory is empty, rva also should be 0. */ +-- +1.7.1 + diff --git a/d/binutils/binutils.SlackBuild b/d/binutils/binutils.SlackBuild index 28b153a..3caf741 100755 --- a/d/binutils/binutils.SlackBuild +++ b/d/binutils/binutils.SlackBuild @@ -89,6 +89,10 @@ zcat $CWD/binutils.export.demangle.h.diff.gz | patch -p1 --verbose || exit 1 # Don't check to see if "config.h" was included in the installed headers: zcat $CWD/binutils.no-config-h-check.diff.gz | patch -p1 --verbose || exit 1 +#! PATCH +# CVE-2014-8501 +patch -p1 --verbose < ${CWD}/binutils-fix-seg-fault-in-strings-on-corrupt-pe.patch + chown -R root:root . chmod -R u+w,go+r-w,a-s . -- cgit v1.2.3-70-g09d2