Accepting request 230407 from home:jones_tony:branches:Base:System

OBS-URL: https://build.opensuse.org/request/show/230407
OBS-URL: https://build.opensuse.org/package/show/Base:System/elfutils?expand=0&rev=58

elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch

@@ -0,0 +1,38 @@
+From: Mark Wielaard <mjw@redhat.com>
+Subject: Check for overflow before calling malloc to uncompress data.
+Date: Wed Apr 9 11:33:23 2014 +0200
+Git-commit: 7f1eec317db79627b473c5b149a22a1b20d1f68f
+References: CVE-2014-0172, bnc#872785
+Signed-off-by: Tony Jones <tonyj@suse.de>
+
+    CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
+    
+    https://bugzilla.redhat.com/show_bug.cgi?id=1085663
+    
+    Reported-by: Florian Weimer <fweimer@redhat.com>
+    Signed-off-by: Mark Wielaard <mjw@redhat.com>
+
+diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
+index 79daeac..34ea373 100644
+--- a/libdw/dwarf_begin_elf.c
++++ b/libdw/dwarf_begin_elf.c
+@@ -1,5 +1,5 @@
+ /* Create descriptor from ELF descriptor for processing file.
+-   Copyright (C) 2002-2011 Red Hat, Inc.
++   Copyright (C) 2002-2011, 2014 Red Hat, Inc.
+    This file is part of elfutils.
+    Written by Ulrich Drepper <drepper@redhat.com>, 2002.
+ 
+@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
+ 	    memcpy (&size, data->d_buf + 4, sizeof size);
+ 	    size = be64toh (size);
+ 
++	    /* Check for unsigned overflow so malloc always allocated
++	       enough memory for both the Elf_Data header and the
++	       uncompressed section data.  */
++	    if (unlikely (sizeof (Elf_Data) + size < size))
++	      break;
++
+ 	    Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
+ 	    if (unlikely (zdata == NULL))
+ 	      break;

elfutils.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Apr 15 18:56:25 UTC 2014 - tonyj@suse.com
+
+- Fix integer overflow in check_section (CVE-2014-0172, bnc#872785)
+
 -------------------------------------------------------------------
 Sat Mar 22 17:19:48 UTC 2014 - jengelh@inai.de
 

elfutils.spec

@@ -34,6 +34,7 @@ Patch5:         elfutils-uninitialized.diff
 Patch6:         elfutils-0.137-dwarf-header-check-fix.diff
 Patch7:         elfutils-0.148-dont-crash.diff
 Patch8:         elfutils-revert-portability-scanf.patch
+Patch9:         elfutils-check-for-overflow-before-calling-malloc-to-uncompress-data.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  flex
@@ -144,6 +145,7 @@ to develop applications that require these.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1 -R
+%patch9 -p1
 
 %build
 # Change DATE/TIME macros to use last change time of elfutils.changes
@@ -213,7 +215,6 @@ ls -lR $RPM_BUILD_ROOT%{_libdir}/libelf*
 %defattr(-,root,root)
 %{_libdir}/libelf.so
 %{_libdir}/libelf.a
-#%{_libdir}/libelf_pic.a
 %{_includedir}/libelf.h
 %{_includedir}/gelf.h
 %{_includedir}/nlist.h