From 43787a25930d3851a48edd273f1478c82a8dca92287945c915480d1f427c3b8f Mon Sep 17 00:00:00 2001 From: Tony Jones Date: Wed, 16 Apr 2014 22:27:28 +0000 Subject: [PATCH 1/2] Accepting request 230407 from home:jones_tony:branches:Base:System OBS-URL: https://build.opensuse.org/request/show/230407 OBS-URL: https://build.opensuse.org/package/show/Base:System/elfutils?expand=0&rev=58 --- ...re-calling-malloc-to-uncompress-data.patch | 38 +++++++++++++++++++ elfutils.changes | 5 +++ elfutils.spec | 3 +- 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch diff --git a/elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch b/elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch new file mode 100644 index 0000000..bbe3ba5 --- /dev/null +++ b/elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch @@ -0,0 +1,38 @@ +From: Mark Wielaard +Subject: Check for overflow before calling malloc to uncompress data. +Date: Wed Apr 9 11:33:23 2014 +0200 +Git-commit: 7f1eec317db79627b473c5b149a22a1b20d1f68f +References: CVE-2014-0172, bnc#872785 +Signed-off-by: Tony Jones + + CVE-2014-0172 Check for overflow before calling malloc to uncompress data. + + https://bugzilla.redhat.com/show_bug.cgi?id=1085663 + + Reported-by: Florian Weimer + Signed-off-by: Mark Wielaard + +diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c +index 79daeac..34ea373 100644 +--- a/libdw/dwarf_begin_elf.c ++++ b/libdw/dwarf_begin_elf.c +@@ -1,5 +1,5 @@ + /* Create descriptor from ELF descriptor for processing file. +- Copyright (C) 2002-2011 Red Hat, Inc. ++ Copyright (C) 2002-2011, 2014 Red Hat, Inc. + This file is part of elfutils. + Written by Ulrich Drepper , 2002. + +@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp) + memcpy (&size, data->d_buf + 4, sizeof size); + size = be64toh (size); + ++ /* Check for unsigned overflow so malloc always allocated ++ enough memory for both the Elf_Data header and the ++ uncompressed section data. */ ++ if (unlikely (sizeof (Elf_Data) + size < size)) ++ break; ++ + Elf_Data *zdata = malloc (sizeof (Elf_Data) + size); + if (unlikely (zdata == NULL)) + break; diff --git a/elfutils.changes b/elfutils.changes index 18aad5d..53552bd 100644 --- a/elfutils.changes +++ b/elfutils.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Apr 15 18:56:25 UTC 2014 - tonyj@suse.com + +- Fix integer overflow in check_section (CVE-2014-0172, bnc#872785) + ------------------------------------------------------------------- Sat Mar 22 17:19:48 UTC 2014 - jengelh@inai.de diff --git a/elfutils.spec b/elfutils.spec index ec63ad4..9e404e4 100644 --- a/elfutils.spec +++ b/elfutils.spec @@ -34,6 +34,7 @@ Patch5: elfutils-uninitialized.diff Patch6: elfutils-0.137-dwarf-header-check-fix.diff Patch7: elfutils-0.148-dont-crash.diff Patch8: elfutils-revert-portability-scanf.patch +Patch9: elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: flex @@ -144,6 +145,7 @@ to develop applications that require these. %patch6 -p1 %patch7 -p1 %patch8 -p1 -R +%patch9 -p1 %build # Change DATE/TIME macros to use last change time of elfutils.changes @@ -213,7 +215,6 @@ ls -lR $RPM_BUILD_ROOT%{_libdir}/libelf* %defattr(-,root,root) %{_libdir}/libelf.so %{_libdir}/libelf.a -#%{_libdir}/libelf_pic.a %{_includedir}/libelf.h %{_includedir}/gelf.h %{_includedir}/nlist.h From 4e84e757bf5f10a02d9738e167293c48e28d606299b598a48fa71f7d47261885 Mon Sep 17 00:00:00 2001 From: Tony Jones Date: Thu, 17 Apr 2014 00:00:51 +0000 Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/Base:System/elfutils?expand=0&rev=59 --- elfutils.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/elfutils.changes b/elfutils.changes index 53552bd..cbccc3e 100644 --- a/elfutils.changes +++ b/elfutils.changes @@ -2,6 +2,7 @@ Tue Apr 15 18:56:25 UTC 2014 - tonyj@suse.com - Fix integer overflow in check_section (CVE-2014-0172, bnc#872785) + Add patch: elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch ------------------------------------------------------------------- Sat Mar 22 17:19:48 UTC 2014 - jengelh@inai.de