git: 9c4ee12ed3cd - 2021Q3 - devel/binutils: Add fix for CVE-2021-3487

Fernando Apesteguía fernape at FreeBSD.org
Fri Aug 13 11:07:59 UTC 2021


The branch 2021Q3 has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6

commit 9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6
Author:     Yasuhiro Kimura <yasu at utahime.org>
AuthorDate: 2021-08-13 10:55:57 +0000
Commit:     Fernando Apesteguía <fernape at FreeBSD.org>
CommitDate: 2021-08-13 10:55:57 +0000

    devel/binutils: Add fix for CVE-2021-3487
    
    The CVE is fixed in main in a0e752df8013. Merging that would mean merging other
    changes to other ports and doing more exp-runs, so we just backport the fix in
    the quarterly branch to avoid too much disruption.
    
    VuXML entry to be handled in PR 256133.
    
    PR:     255368, 251385
    Reported by:    diizzy@
    Security:       CVE-2021-3487
---
 devel/binutils/Makefile                  |  2 +-
 devel/binutils/files/patch-CVE-2021-3487 | 75 ++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/devel/binutils/Makefile b/devel/binutils/Makefile
index 2b8517bc4d9b..3d3762653bd7 100644
--- a/devel/binutils/Makefile
+++ b/devel/binutils/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	binutils
 PORTVERSION=	2.33.1
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH?=	1
 CATEGORIES?=	devel
 MASTER_SITES=	SOURCEWARE/binutils/releases
diff --git a/devel/binutils/files/patch-CVE-2021-3487 b/devel/binutils/files/patch-CVE-2021-3487
new file mode 100644
index 000000000000..05e9d63642f9
--- /dev/null
+++ b/devel/binutils/files/patch-CVE-2021-3487
@@ -0,0 +1,75 @@
+From a782e724be101be550bb47b4e6a2a0c92475c494 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+	PR 26946
+	* dwarf2.c (read_section): Check for debug sections with excessive
+	sizes.
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git bfd/dwarf2.c bfd/dwarf2.c
+index ed6dcd48c7f..348e69cb063 100644
+--- bfd/dwarf2.c
++++ bfd/dwarf2.c
+@@ -527,22 +527,24 @@ read_section (bfd *	      abfd,
+ 	      bfd_byte **     section_buffer,
+ 	      bfd_size_type * section_size)
+ {
+-  asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+-  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+     {
++      bfd_size_type amt;
++      asection *msec;
++      ufile_ptr filesize;
++
+       msec = bfd_get_section_by_name (abfd, section_name);
+-      if (! msec)
++      if (msec == NULL)
+ 	{
+ 	  section_name = sec->compressed_name;
+ 	  if (section_name != NULL)
+ 	    msec = bfd_get_section_by_name (abfd, section_name);
+ 	}
+-      if (! msec)
++      if (msec == NULL)
+ 	{
+ 	  _bfd_error_handler (_("DWARF error: can't find %s section."),
+ 			      sec->uncompressed_name);
+@@ -550,12 +552,23 @@ read_section (bfd *	      abfd,
+ 	  return FALSE;
+ 	}
+ 
+-      *section_size = msec->rawsize ? msec->rawsize : msec->size;
++      amt = bfd_get_section_limit_octets (abfd, msec);
++      filesize = bfd_get_file_size (abfd);
++      if (amt >= filesize)
++	{
++	  /* PR 26946 */
++	  _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++			      section_name, (long) amt, (long) filesize);
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
++      *section_size = amt;
+       /* Paranoia - alloc one extra so that we can make sure a string
+ 	 section is NUL terminated.  */
+-      amt = *section_size + 1;
++      amt += 1;
+       if (amt == 0)
+ 	{
++	  /* Paranoia - this should never happen.  */
+ 	  bfd_set_error (bfd_error_no_memory);
+ 	  return FALSE;
+ 	}
+-- 
+2.31.1
+
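Review bot: The new guard `if (amt >= filesize)` in read_section treats a file size of 0 as a real bound, so if bfd_get_file_size() cannot determine the size (it appears to return 0 in that case; confirm against its definition) every debug section would be rejected as oversized. Guarding the comparison, e.g. `if (filesize != 0 && amt >= filesize)`, keeps the CVE-2021-3487 check for regular files without failing inputs whose size is unknown. The same branch is reached for `sec->compressed_name` sections, and if the limit reported there is the decompressed size, a legitimate compressed section larger than the file would also be refused; that case deserves a comment or a test with a compressed DWARF input. The diagnostic casts both values to `(long)` for `0x%lx`, which can truncate on targets with a 32-bit long, and `(unsigned long)` would at least match the format. read_section starts and ends outside this hunk.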

