Date: Fri, 13 Aug 2021 11:07:59 GMT From: =?utf-8?Q?Fernando Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: git: 9c4ee12ed3cd - 2021Q3 - devel/binutils: Add fix for CVE-2021-3487 Message-ID: <202108131107.17DB7xam060746@gitrepo.freebsd.org>
The branch 2021Q3 has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6 commit 9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6 Author: Yasuhiro Kimura <yasu@utahime.org> AuthorDate: 2021-08-13 10:55:57 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2021-08-13 10:55:57 +0000 devel/binutils: Add fix for CVE-2021-3487 The CVE is fixed in main in a0e752df8013. Merging that would mean merging other changes to other ports and doing more exp-runs, so we just backport the fix in the quarterly branch to avoid too much disruption. VuXML entry to be handled in PR 256133. PR: 255368, 251385 Reported by: diizzy@ Security: CVE-2021-3487 --- devel/binutils/Makefile | 2 +- devel/binutils/files/patch-CVE-2021-3487 | 75 ++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 1 deletion(-) diff --git a/devel/binutils/Makefile b/devel/binutils/Makefile index 2b8517bc4d9b..3d3762653bd7 100644 --- a/devel/binutils/Makefile +++ b/devel/binutils/Makefile @@ -2,7 +2,7 @@ PORTNAME= binutils PORTVERSION= 2.33.1 -PORTREVISION= 4 +PORTREVISION= 5 PORTEPOCH?= 1 CATEGORIES?= devel MASTER_SITES= SOURCEWARE/binutils/releases diff --git a/devel/binutils/files/patch-CVE-2021-3487 b/devel/binutils/files/patch-CVE-2021-3487 new file mode 100644 index 000000000000..05e9d63642f9 --- /dev/null +++ b/devel/binutils/files/patch-CVE-2021-3487 
@@ -0,0 +1,75 @@
+From a782e724be101be550bb47b4e6a2a0c92475c494 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+ PR 26946
+ * dwarf2.c (read_section): Check for debug sections with excessive
+ sizes.
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git bfd/dwarf2.c bfd/dwarf2.c
+index ed6dcd48c7f..348e69cb063 100644
+--- bfd/dwarf2.c
++++ bfd/dwarf2.c
+@@ -527,22 +527,24 @@ read_section (bfd * abfd,
+ bfd_byte ** section_buffer,
+ bfd_size_type * section_size)
+ {
+- asection *msec;
+ const char *section_name = sec->uncompressed_name;
+ bfd_byte *contents = *section_buffer;
+- bfd_size_type amt;
+
+ /* The section may have already been read. */
+ if (contents == NULL)
+ {
++ bfd_size_type amt;
++ asection *msec;
++ ufile_ptr filesize;
++
+ msec = bfd_get_section_by_name (abfd, section_name);
+- if (! msec)
++ if (msec == NULL)
+ {
+ section_name = sec->compressed_name;
+ if (section_name != NULL)
+ msec = bfd_get_section_by_name (abfd, section_name);
+ }
+- if (! msec)
++ if (msec == NULL)
+ {
+ _bfd_error_handler (_("DWARF error: can't find %s section."),
+ sec->uncompressed_name);
+@@ -550,12 +552,23 @@ read_section (bfd * abfd,
+ return FALSE;
+ }
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+ /* Paranoia - alloc one extra so that we can make sure a string
+ section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+ if (amt == 0)
+ {
++ /* Paranoia - this should never happen. */
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+--
+2.31.1
+
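Review bot: The new guard `if (amt >= filesize)` in read_section does not handle bfd_get_file_size() returning 0, which as far as I know is its result when the size cannot be determined; in that case every DWARF section would be rejected as corrupt. Consider `if (filesize != 0 && amt >= filesize)`. The limit is also compared against the on-disk size, so a compressed debug section whose expanded size legitimately exceeds the file may be refused; this is worth checking against a binary built with compressed debug info before the backport ships. Separately, the `(long)` casts passed to `%lx` truncate the reported values where long is 32 bits, which makes the diagnostic misleading for exactly the oversized values it is meant to report. read_section begins and ends outside the quoted hunks, so how the allocation uses `amt` afterwards is not visible here.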