Your message dated Sat, 17 Sep 2016 13:08:06 +0100 with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk> and subject line Closing p-u bugs for updates in 8.6 has caused the Debian Bug report #834745, regarding jessie-pu: package dwarfutils/20120410-2+deb8u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 834745: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834745 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu Dear release team, I would like to propose the following changes to the dwarfutils package in jessie: * New maintainer. * Add patch CVE-2015-8538.patch to fix CVE-2015-8538 (Closes: #807817). * Add patch CVE-2015-8750.patch to fix CVE-2015-8750 (Closes: #813182). * Add patch CVE-2016-2050.patch to fix CVE-2016-2050. * Add patch CVE-2016-2091.patch to fix CVE-2016-2091 (Closes: #813148). * Add patch CVE-2016-5034.patch to fix CVE-2016-5034. * Add patch CVE-2016-5036.patch to fix CVE-2016-5036. * Add patch CVE-2016-5038.patch to fix CVE-2016-5038. * Add patch CVE-2016-5039.patch to fix CVE-2016-5039. * Add patch CVE-2016-5042.patch to fix CVE-2016-5042. The current version in stable is rather old and still has Troy Heber listed as the package maintainer, who orphaned the package a few years ago. I am the new maintainer. Because of the rather large number of patches, I have decided against replicating them in this bug report, but each one of them features a DEP-3 conformant header with information regarding its origin and, if applicable, the corresponding Debian bug, so I hope you won't have much trouble navigating them. I have attached the debdiff I would like to apply to the current version in stable. Thank you! Kind regards, Fabiandiff -u dwarfutils-20120410/debian/changelog dwarfutils-20120410/debian/changelog --- dwarfutils-20120410/debian/changelog +++ dwarfutils-20120410/debian/changelog @@ -1,3 +1,18 @@ +dwarfutils (20120410-2+deb8u1) stable; urgency=medium + + * New maintainer. + * Add patch CVE-2015-8538.patch to fix CVE-2015-8538 (Closes: #807817). + * Add patch CVE-2015-8750.patch to fix CVE-2015-8750 (Closes: #813182). + * Add patch CVE-2016-2050.patch to fix CVE-2016-2050. + * Add patch CVE-2016-2091.patch to fix CVE-2016-2091 (Closes: #813148). + * Add patch CVE-2016-5034.patch to fix CVE-2016-5034. + * Add patch CVE-2016-5036.patch to fix CVE-2016-5036. + * Add patch CVE-2016-5038.patch to fix CVE-2016-5038. + * Add patch CVE-2016-5039.patch to fix CVE-2016-5039. + * Add patch CVE-2016-5042.patch to fix CVE-2016-5042. + + -- Fabian Wolff <fabi.wo...@arcor.de> Tue, 16 Aug 2016 15:27:35 +0200 + dwarfutils (20120410-2) unstable; urgency=low * Fix FTBFS on Debian GNU/Hurd by Barry deFreese <bdefre...@debian.org> diff -u dwarfutils-20120410/debian/control dwarfutils-20120410/debian/control --- dwarfutils-20120410/debian/control +++ dwarfutils-20120410/debian/control @@ -1,8 +1,7 @@ Source: dwarfutils Section: libs Priority: optional -Maintainer: Troy Heber <tr...@debian.org> -Uploaders: +Maintainer: Fabian Wolff <fabi.wo...@arcor.de> Build-Depends: debhelper (>> 9), quilt (>= 0.47), libelf-dev, binutils-dev Standards-Version: 3.9.3.1 diff -u dwarfutils-20120410/debian/patches/series dwarfutils-20120410/debian/patches/series --- dwarfutils-20120410/debian/patches/series +++ dwarfutils-20120410/debian/patches/series @@ -2,0 +3,9 @@ +CVE-2016-5034.patch +CVE-2016-2050.patch +CVE-2015-8538.patch +CVE-2015-8750.patch +CVE-2016-2091.patch +CVE-2016-5042.patch +CVE-2016-5039.patch +CVE-2016-5038.patch +CVE-2016-5036.patch only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2015-8538.patch +++ dwarfutils-20120410/debian/patches/CVE-2015-8538.patch @@ -0,0 +1,340 @@ +Description: Fix for CVE-2015-8538 (OOB read) +Origin: http://sourceforge.net/p/libdwarf/code/ci/da724a0bc5eec8e9ec0b0cb0c238a80e34466459/ +Bug-Debian: https://bugs.debian.org/807817 + +--- a/libdwarf/dwarf_abbrev.c ++++ b/libdwarf/dwarf_abbrev.c +@@ -126,6 +126,10 @@ + attr = (Dwarf_Half) utmp2; + DECODE_LEB128_UWORD(abbrev_ptr, utmp2); + attr_form = (Dwarf_Half) utmp2; ++ if (!_dwarf_valid_form_we_know(dbg,attr_form,attr)) { ++ _dwarf_error(NULL, error, DW_DLE_UNKNOWN_FORM); ++ return DW_DLV_ERROR; ++ } + + if (attr != 0) + (labbr_count)++; +--- a/libdwarf/dwarf_die_deliv.c ++++ b/libdwarf/dwarf_die_deliv.c +@@ -657,13 +657,15 @@ + Dwarf_Byte_Ptr info_ptr = 0; + Dwarf_Byte_Ptr abbrev_ptr = 0; + Dwarf_Word abbrev_code = 0; +- Dwarf_Abbrev_List abbrev_list; ++ Dwarf_Abbrev_List abbrev_list = 0; + Dwarf_Half attr = 0; + Dwarf_Half attr_form = 0; + Dwarf_Unsigned offset = 0; + Dwarf_Word leb128_length = 0; + Dwarf_Unsigned utmp = 0; + Dwarf_Debug dbg = 0; ++ Dwarf_Error error = 0; ++ int lres = 0; + + info_ptr = die_info_ptr; + DECODE_LEB128_UWORD(info_ptr, utmp); +@@ -673,8 +675,8 @@ + } + + +- abbrev_list = _dwarf_get_abbrev_for_code(cu_context, abbrev_code); +- if (abbrev_list == NULL) { ++ lres = _dwarf_get_abbrev_for_code(cu_context, abbrev_code, &abbrev_list, &error); ++ if (lres == DW_DLV_ERROR || lres == DW_DLV_NO_ENTRY) { + return (NULL); + } + dbg = cu_context->cc_dbg; +@@ -833,6 +835,7 @@ + Dwarf_Byte_Ptr die_info_end = 0; + Dwarf_Word abbrev_code = 0; + Dwarf_Unsigned utmp = 0; ++ int lres = 0; + /* Since die may be NULL, we rely on the input argument. */ + Dwarf_Debug_InfoTypes dis = is_info? &dbg->de_info_reading: + &dbg->de_types_reading; +@@ -962,9 +965,13 @@ + return (DW_DLV_NO_ENTRY); + } + ret_die->di_abbrev_code = abbrev_code; +- ret_die->di_abbrev_list = +- _dwarf_get_abbrev_for_code(ret_die->di_cu_context, abbrev_code); +- if (ret_die->di_abbrev_list == NULL ) { ++ lres = _dwarf_get_abbrev_for_code(ret_die->di_cu_context, abbrev_code, ++ &ret_die->di_abbrev_list, error); ++ if (lres == DW_DLV_ERROR) { ++ dwarf_dealloc(dbg, ret_die, DW_DLA_DIE); ++ return lres; ++ } ++ if (lres == DW_DLV_NO_ENTRY) { + dwarf_dealloc(dbg, ret_die, DW_DLA_DIE); + _dwarf_error(dbg, error, DW_DLE_DIE_ABBREV_LIST_NULL); + return (DW_DLV_ERROR); +@@ -1073,12 +1080,19 @@ + return DW_DLV_NO_ENTRY; + } + ret_die->di_abbrev_code = abbrev_code; +- ret_die->di_abbrev_list = +- _dwarf_get_abbrev_for_code(die->di_cu_context, abbrev_code); +- if (ret_die->di_abbrev_list == NULL) { +- dwarf_dealloc(dbg, ret_die, DW_DLA_DIE); +- _dwarf_error(dbg, error, DW_DLE_DIE_BAD); +- return (DW_DLV_ERROR); ++ ++ { ++ int lres = _dwarf_get_abbrev_for_code(die->di_cu_context, abbrev_code, ++ &ret_die->di_abbrev_list, error); ++ if (lres == DW_DLV_ERROR) { ++ dwarf_dealloc(dbg, ret_die, DW_DLA_DIE); ++ return lres; ++ } ++ if (lres == DW_DLV_NO_ENTRY) { ++ dwarf_dealloc(dbg, ret_die, DW_DLA_DIE); ++ _dwarf_error(dbg, error, DW_DLE_DIE_BAD); ++ return (DW_DLV_ERROR); ++ } + } + + *caller_ret_die = ret_die; +@@ -1111,6 +1125,7 @@ + Dwarf_Byte_Ptr info_ptr = 0; + Dwarf_Unsigned abbrev_code = 0; + Dwarf_Unsigned utmp = 0; ++ int lres = 0; + Dwarf_Debug_InfoTypes dis = 0; + + +@@ -1201,9 +1216,13 @@ + return DW_DLV_NO_ENTRY; + } + die->di_abbrev_code = abbrev_code; +- die->di_abbrev_list = +- _dwarf_get_abbrev_for_code(cu_context, abbrev_code); +- if (die->di_abbrev_list == NULL) { ++ lres = _dwarf_get_abbrev_for_code(cu_context, abbrev_code, ++ &die->di_abbrev_list, error); ++ if (lres == DW_DLV_ERROR) { ++ dwarf_dealloc(dbg, die, DW_DLA_DIE); ++ return lres; ++ } ++ if (lres == DW_DLV_NO_ENTRY) { + dwarf_dealloc(dbg, die, DW_DLA_DIE); + _dwarf_error(dbg, error, DW_DLE_DIE_ABBREV_LIST_NULL); + return (DW_DLV_ERROR); +--- a/libdwarf/dwarf_error.c ++++ b/libdwarf/dwarf_error.c +@@ -328,6 +328,7 @@ + "DW_DLE_DEBUG_TYPEOFFSET_BAD (239)", + "DW_DLE_GNU_OPCODE_ERROR (240)", + "DW_DLE_RELOC_INVALID (241)", ++ "DW_DLE_UNKNOWN_FORM (242) Possibly corrupt DWARF data", + }; + + +--- a/libdwarf/dwarf_query.c ++++ b/libdwarf/dwarf_query.c +@@ -189,14 +189,19 @@ + Dwarf_Attribute *attr_ptr = 0; + Dwarf_Debug dbg = 0; + Dwarf_Byte_Ptr info_ptr = 0; ++ int lres = 0; + + CHECK_DIE(die, DW_DLV_ERROR); + dbg = die->di_cu_context->cc_dbg; + +- abbrev_list = _dwarf_get_abbrev_for_code(die->di_cu_context, +- die->di_abbrev_list->ab_code); +- if (abbrev_list == NULL) { +- _dwarf_error(dbg, error, DW_DLE_DIE_ABBREV_BAD); ++ lres = _dwarf_get_abbrev_for_code(die->di_cu_context, ++ die->di_abbrev_list->ab_code, ++ &abbrev_list,error); ++ if (lres == DW_DLV_ERROR) { ++ return lres; ++ } ++ if (lres == DW_DLV_NO_ENTRY) { ++ _dwarf_error(dbg, error, DW_DLE_DIE_BAD); + return (DW_DLV_ERROR); + } + abbrev_ptr = abbrev_list->ab_abbrev_ptr; +@@ -211,6 +216,10 @@ + attr = (Dwarf_Half) utmp2; + DECODE_LEB128_UWORD(abbrev_ptr, utmp2); + attr_form = (Dwarf_Half) utmp2; ++ if (!_dwarf_valid_form_we_know(dbg,attr_form,attr)) { ++ _dwarf_error(dbg, error, DW_DLE_UNKNOWN_FORM); ++ return DW_DLV_ERROR; ++ } + + if (attr != 0) { + new_attr = +@@ -298,10 +307,14 @@ + Dwarf_Half curr_attr = 0; + Dwarf_Half curr_attr_form = 0; + Dwarf_Byte_Ptr info_ptr = 0; ++ Dwarf_Error error = 0; ++ int lres = 0; + +- abbrev_list = _dwarf_get_abbrev_for_code(die->di_cu_context, +- die->di_abbrev_list->ab_code); +- if (abbrev_list == NULL) { ++ lres = _dwarf_get_abbrev_for_code(die->di_cu_context, ++ die->di_abbrev_list->ab_code, ++ &abbrev_list, ++ &error); ++ if (lres == DW_DLV_NO_ENTRY || lres == DW_DLV_ERROR) { + *attr_form = 0; + return (NULL); + } +--- a/libdwarf/dwarf_util.c ++++ b/libdwarf/dwarf_util.c +@@ -222,6 +222,23 @@ + } + } + ++#define TRUE 1 ++#define FALSE 0 ++ ++int _dwarf_valid_form_we_know (Dwarf_Debug dbg, Dwarf_Unsigned at_form, Dwarf_Unsigned at_name) ++{ ++ if (at_form == 0 && at_name == 0) { ++ return TRUE; ++ } ++ if (at_name == 0) { ++ return FALSE; ++ } ++ if (at_form <= DW_FORM_ref_sig8) { ++ return TRUE; ++ } ++ return FALSE; ++} ++ + /* This function returns a pointer to a Dwarf_Abbrev_List_s + struct for the abbrev with the given code. It puts the + struct on the appropriate hash table. It also adds all +@@ -247,8 +264,8 @@ + never moves once allocated, so the pointer is safe to return. + + Returns NULL on error. */ +-Dwarf_Abbrev_List +-_dwarf_get_abbrev_for_code(Dwarf_CU_Context cu_context, Dwarf_Unsigned code) ++int _dwarf_get_abbrev_for_code(Dwarf_CU_Context cu_context, Dwarf_Unsigned code, ++ Dwarf_Abbrev_List *list_out, Dwarf_Error *error) + { + Dwarf_Debug dbg = cu_context->cc_dbg; + Dwarf_Hash_Table hash_table_base = cu_context->cc_abbrev_hash_table; +@@ -276,7 +293,7 @@ + DW_DLA_HASH_TABLE_ENTRY, + hash_table_base->tb_table_entry_count); + if(! hash_table_base->tb_entries) { +- return NULL; ++ return DW_DLV_NO_ENTRY; + } + + } else if (hash_table_base->tb_total_abbrev_count > +@@ -290,7 +307,7 @@ + newht.tb_table_entry_count); + + if(! newht.tb_entries) { +- return NULL; ++ return DW_DLV_NO_ENTRY; + } + /* Copy the existing entries to the new table, + rehashing each. */ +@@ -318,7 +335,8 @@ + if (hash_abbrev_entry != NULL) { + /* This returns a pointer to an abbrev list entry, not + the list itself. */ +- return (hash_abbrev_entry); ++ *list_out = hash_abbrev_entry; ++ return DW_DLV_OK; + } + + abbrev_ptr = cu_context->cc_last_abbrev_ptr != NULL ? +@@ -330,22 +348,23 @@ + /* End of abbrev's as we are past the end entirely. + THis can happen */ + if (abbrev_ptr > end_abbrev_ptr) { +- return (NULL); ++ return DW_DLV_NO_ENTRY; + } + /* End of abbrev's for this cu, since abbrev code is 0. */ + if (*abbrev_ptr == 0) { +- return (NULL); ++ return DW_DLV_NO_ENTRY; + } + + do { + unsigned new_hashable_val = 0; + DECODE_LEB128_UWORD(abbrev_ptr, abbrev_code); + DECODE_LEB128_UWORD(abbrev_ptr, abbrev_tag); ++ unsigned long abcount = 0; + + inner_list_entry = (Dwarf_Abbrev_List) + _dwarf_get_alloc(cu_context->cc_dbg, DW_DLA_ABBREV_LIST, 1); + if (inner_list_entry == NULL) { +- return (NULL); ++ return DW_DLV_NO_ENTRY; + } + + new_hashable_val = abbrev_code; +@@ -363,11 +382,17 @@ + inner_list_entry->ab_has_child = *(abbrev_ptr++); + inner_list_entry->ab_abbrev_ptr = abbrev_ptr; + ++ hash_table_base->tb_total_abbrev_count++; ++ + /* Cycle thru the abbrev content, ignoring the content except + to find the end of the content. */ + do { + DECODE_LEB128_UWORD(abbrev_ptr, attr_name); + DECODE_LEB128_UWORD(abbrev_ptr, attr_form); ++ if (!_dwarf_valid_form_we_know(dbg,attr_form,attr_name)) { ++ _dwarf_error(dbg,error,DW_DLE_UNKNOWN_FORM); ++ return DW_DLV_ERROR; ++ } + } while (attr_name != 0 && attr_form != 0); + + /* We may have fallen off the end of content, that is not +@@ -377,7 +402,11 @@ + *abbrev_ptr != 0 && abbrev_code != code); + + cu_context->cc_last_abbrev_ptr = abbrev_ptr; +- return (abbrev_code == code ? inner_list_entry : NULL); ++ if(abbrev_code == code) { ++ *list_out = inner_list_entry; ++ return DW_DLV_OK; ++ } ++ return DW_DLV_NO_ENTRY; + } + + +--- a/libdwarf/dwarf_util.h ++++ b/libdwarf/dwarf_util.h +@@ -300,9 +300,8 @@ + + + +-Dwarf_Abbrev_List +-_dwarf_get_abbrev_for_code(Dwarf_CU_Context cu_context, +- Dwarf_Unsigned code); ++int _dwarf_get_abbrev_for_code(Dwarf_CU_Context cu_context, Dwarf_Unsigned code, ++ Dwarf_Abbrev_List *list_out, Dwarf_Error *error); + + + /* return 1 if string ends before 'endptr' else +--- a/libdwarf/libdwarf.h ++++ b/libdwarf/libdwarf.h +@@ -1062,10 +1062,11 @@ + #define DW_DLE_DEBUG_TYPEOFFSET_BAD 239 + #define DW_DLE_GNU_OPCODE_ERROR 240 + #define DW_DLE_RELOC_INVALID 241 ++#define DW_DLE_UNKNOWN_FORM 242 + + + /* DW_DLE_LAST MUST EQUAL LAST ERROR NUMBER */ +-#define DW_DLE_LAST 241 ++#define DW_DLE_LAST 242 + #define DW_DLE_LO_USER 0x10000 + + /* Taken as meaning 'undefined value', this is not only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2015-8750.patch +++ dwarfutils-20120410/debian/patches/CVE-2015-8750.patch @@ -0,0 +1,17 @@ +Description: Fix for CVE-2015-8750 (NULL dereference) +Origin: https://github.com/tomhughes/libdwarf/commit/11750a2838e52953013e3114ef27b3c7b1780697 +Bug-Debian: https://bugs.debian.org/813182 + +--- a/libdwarf/dwarf_elf_access.c ++++ b/libdwarf/dwarf_elf_access.c +@@ -932,6 +932,10 @@ + *error = DW_DLE_MDE; + return DW_DLV_ERROR; + } ++ if (!data->d_buf) { ++ *error = DW_DLE_MDE; ++ return DW_DLV_ERROR; ++ } + *section_data = data->d_buf; + } + return DW_DLV_OK; only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-2050.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-2050.patch @@ -0,0 +1,14 @@ +Description: Fix for CVE-2016-2050 (OOB write in get_abbrev_array_info) +Origin: https://sourceforge.net/p/libdwarf/code/ci/a05f5e2ae6a5f34daa566975894fc2803d6ec684 + +--- a/dwarfdump/print_abbrevs.c ++++ b/dwarfdump/print_abbrevs.c +@@ -252,7 +252,7 @@ + } else { + /* Valid abbreviation code */ + if (abbrev_code > 0) { +- if (abbrev_code > abbrev_array_size) { ++ while (abbrev_code > abbrev_array_size) { + /* Resize abbreviation array */ + abbrev_array_size *= 2; + abbrev_array = (Dwarf_Signed *) only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-2091.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-2091.patch @@ -0,0 +1,33 @@ +Description: Fix for CVE-2016-2091 + The dwarf_read_cie_fde_prefix function in dwarf_frame2.c in libdwarf + allows attackers to cause a denial of service (out-of-bounds read) + via a crafted ELF object file. +Origin: https://sourceforge.net/p/libdwarf/code/ci/9565964f26966d8391fe2cfa8e6e8e59278c5f91 +Bug-Debian: https://bugs.debian.org/813148 + +--- a/libdwarf/dwarf_frame2.c ++++ b/libdwarf/dwarf_frame2.c +@@ -939,7 +939,12 @@ + Dwarf_Small *frame_ptr = frame_ptr_in; + Dwarf_Small *cie_ptr_addr = 0; + Dwarf_Unsigned cie_id = 0; ++ Dwarf_Small *section_end = section_ptr_in + section_length_in; + ++ if (section_end < (frame_ptr + 4)) { ++ _dwarf_error (dbg, error, DW_DLE_DEBUG_FRAME_LENGTH_BAD); ++ return DW_DLV_ERROR; ++ } + /* READ_AREA_LENGTH updates frame_ptr for consumed bytes */ + READ_AREA_LENGTH(dbg, length, Dwarf_Unsigned, + frame_ptr, local_length_size, +@@ -951,6 +956,10 @@ + data. We should be very close to end of section. */ + return DW_DLV_NO_ENTRY; + } ++ if ((frame_ptr + local_length_size) >= section_end) { ++ _dwarf_error (dbg, error, DW_DLE_DEBUG_FRAME_LENGTH_BAD); ++ return DW_DLV_ERROR; ++ } + + cie_ptr_addr = frame_ptr; + READ_UNALIGNED(dbg, cie_id, Dwarf_Unsigned, only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-5034.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-5034.patch @@ -0,0 +1,93 @@ +Description: Fix for CVE-2016-5034 (OOB write from relocation records) +Origin: https://sourceforge.net/p/libdwarf/code/ci/10ca310f64368dc083efacac87732c02ef560a92 + +--- a/libdwarf/dwarf_elf_access.c ++++ b/libdwarf/dwarf_elf_access.c +@@ -617,7 +617,8 @@ + update_entry(Dwarf_Debug dbg, + Dwarf_Bool is_64bit, Dwarf_Endianness endianess, + Dwarf_Half machine, struct Dwarf_Elf_Rela *rela, +- Dwarf_Small *target_section, ++ Dwarf_Small *target_section, ++ Dwarf_Unsigned target_section_size, + Dwarf_Small *symtab_section_data, + Dwarf_Unsigned symtab_section_size, + Dwarf_Unsigned symtab_section_entrysize, +@@ -654,7 +655,10 @@ + return DW_DLV_ERROR; + } + +- ++ if (offset >= target_section_size) { ++ *error = DW_DLE_RELOC_INVALID; ++ return DW_DLV_ERROR; ++ } + + if (is_64bit) { + #ifdef HAVE_ELF64_SYM +@@ -685,6 +689,14 @@ + return DW_DLV_ERROR; + } + ++ if ( (offset + reloc_size) < offset) { ++ *error = DW_DLE_RELOC_INVALID; ++ return DW_DLV_ERROR; ++ } ++ if ( (offset + reloc_size) > target_section_size) { ++ *error = DW_DLE_RELOC_INVALID; ++ return DW_DLV_ERROR; ++ } + + { + /* Assuming we do not need to do a READ_UNALIGNED here +@@ -709,6 +721,7 @@ + Dwarf_Endianness endianess, + Dwarf_Half machine, + Dwarf_Small *target_section, ++ Dwarf_Unsigned target_section_size, + Dwarf_Small *symtab_section, + Dwarf_Unsigned symtab_section_size, + Dwarf_Unsigned symtab_section_entrysize, +@@ -732,6 +745,7 @@ + machine, + &(relas)[i], + target_section, ++ target_section_size, + symtab_section, + symtab_section_size, + symtab_section_entrysize, +@@ -796,7 +810,8 @@ + dbg, + obj->is_64bit, + obj->endianness, obj->machine, +- target_section, ++ target_section, ++ relocatablesec->dss_size, + symtab_section, + symtab_section_size, + symtab_section_entrysize, +--- a/libdwarf/libdwarf.h ++++ b/libdwarf/libdwarf.h +@@ -1061,10 +1061,11 @@ + #define DW_DLE_DEBUG_TYPES_ONLY_DWARF4 238 + #define DW_DLE_DEBUG_TYPEOFFSET_BAD 239 + #define DW_DLE_GNU_OPCODE_ERROR 240 ++#define DW_DLE_RELOC_INVALID 241 + + + /* DW_DLE_LAST MUST EQUAL LAST ERROR NUMBER */ +-#define DW_DLE_LAST 239 ++#define DW_DLE_LAST 241 + #define DW_DLE_LO_USER 0x10000 + + /* Taken as meaning 'undefined value', this is not +--- a/libdwarf/dwarf_error.c ++++ b/libdwarf/dwarf_error.c +@@ -327,6 +327,7 @@ + "DW_DLE_DEBUG_TYPES_ONLY_DWARF4 (238)", + "DW_DLE_DEBUG_TYPEOFFSET_BAD (239)", + "DW_DLE_GNU_OPCODE_ERROR (240)", ++ "DW_DLE_RELOC_INVALID (241)", + }; + + only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-5036.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-5036.patch @@ -0,0 +1,15 @@ +Description: fix of CVE-2016-5036 (OOB read bug in dump_block) +Author: Fabian Wolff <fabi.wo...@arcor.de> +Origin: backport, https://sourceforge.net/p/libdwarf/code/ci/82d8e007851805af0dcaaff41f49a2d48473334b/ + +--- a/dwarfdump2/dieholder.h ++++ b/dwarfdump2/dieholder.h +@@ -45,7 +45,7 @@ + (*refcount_)--; + if( (*refcount_) == 0) { + delete refcount_; +- if(die_) dwarf_dealloc(dbg_,die_,DW_DLA_DIE); ++ //if(die_) dwarf_dealloc(dbg_,die_,DW_DLA_DIE); + } + }; + DieHolder(const DieHolder & d):dbg_(d.dbg_),die_(d.die_), only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-5038.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-5038.patch @@ -0,0 +1,208 @@ +Description: Fix for CVE-2016-5038 (OOB read in dwarf_get_macro_startend_file()) +Author: Fabian Wolff <fabi.wo...@arcor.de> +Origin: backport, https://sourceforge.net/p/libdwarf/code/ci/82d8e007851805af0dcaaff41f49a2d48473334b/ + +--- a/libdwarf/dwarf_die_deliv.c ++++ b/libdwarf/dwarf_die_deliv.c +@@ -655,7 +655,7 @@ + Dwarf_Bool * has_die_child) + { + Dwarf_Byte_Ptr info_ptr = 0; +- Dwarf_Byte_Ptr abbrev_ptr = 0; ++ Dwarf_Byte_Ptr abbrev_ptr = 0, abbrev_end = 0; + Dwarf_Word abbrev_code = 0; + Dwarf_Abbrev_List abbrev_list = 0; + Dwarf_Half attr = 0; +@@ -684,12 +684,14 @@ + *has_die_child = abbrev_list->ab_has_child; + + abbrev_ptr = abbrev_list->ab_abbrev_ptr; ++ abbrev_end = (&dbg->de_debug_abbrev)->dss_data ++ + (&dbg->de_debug_abbrev)->dss_size; + do { + Dwarf_Unsigned utmp2; + +- DECODE_LEB128_UWORD(abbrev_ptr, utmp2); ++ DECODE_LEB128_UWORD_CK(abbrev_ptr, utmp2,dbg,&error,abbrev_end); + attr = (Dwarf_Half) utmp2; +- DECODE_LEB128_UWORD(abbrev_ptr, utmp2); ++ DECODE_LEB128_UWORD_CK(abbrev_ptr, utmp2,dbg,&error,abbrev_end); + attr_form = (Dwarf_Half) utmp2; + if (attr_form == DW_FORM_indirect) { + Dwarf_Unsigned utmp6; +@@ -1032,7 +1034,7 @@ + _dwarf_next_die_info_ptr(die_info_ptr, die->di_cu_context, + die_info_end, NULL, false, + &has_die_child); +- if (die_info_ptr == NULL) { ++ if ((die_info_ptr == NULL) || (die_info_ptr == (void *) 1)) { + _dwarf_error(dbg, error, DW_DLE_NEXT_DIE_PTR_NULL); + return (DW_DLV_ERROR); + } +--- a/libdwarf/dwarf_error.c ++++ b/libdwarf/dwarf_error.c +@@ -332,6 +332,7 @@ + "DW_DLE_READ_LITTLEENDIAN_ERROR (243)", + "DW_DLE_READ_BIGENDIAN_ERROR (244)", + "DW_DLE_ARANGES_HEADER_ERROR (245)", ++ "DW_DLE_LEB_IMPROPER (246)", + }; + + +--- a/libdwarf/dwarf_leb.c ++++ b/libdwarf/dwarf_leb.c +@@ -108,6 +108,85 @@ + } + } + ++#define BYTESLEBMAX 10 ++ ++/* Decode ULEB with checking */ ++int ++_dwarf_decode_u_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length, ++ Dwarf_Unsigned *outval,Dwarf_Byte_Ptr endptr) ++{ ++ unsigned char byte = 0; ++ Dwarf_Word word_number = 0; ++ Dwarf_Unsigned number = 0; ++ Dwarf_Sword shift = 0; ++ /* The byte_length value will be a small non-negative integer. */ ++ unsigned byte_length = 0; ++ ++ if (leb128 >=endptr) { ++ return DW_DLV_ERROR; ++ } ++ /* The following unrolls-the-loop for the first two bytes and ++ unpacks into 32 bits to make this as fast as possible. ++ word_number is assumed big enough that the shift has a defined ++ result. */ ++ if ((*leb128 & 0x80) == 0) { ++ if (leb128_length) { ++ *leb128_length = 1; ++ } ++ *outval = *leb128; ++ return DW_DLV_OK; ++ } else { ++ if ((leb128+1) >=endptr) { ++ return DW_DLV_ERROR; ++ } ++ if ((*(leb128 + 1) & 0x80) == 0) { ++ if (leb128_length) { ++ *leb128_length = 2; ++ } ++ word_number = *leb128 & 0x7f; ++ word_number |= (*(leb128 + 1) & 0x7f) << 7; ++ *outval = word_number; ++ return DW_DLV_OK; ++ } ++ /* Gets messy to hand-inline more byte checking. */ ++ } ++ ++ /* The rest handles long numbers Because the 'number' may be larger ++ than the default int/unsigned, we must cast the 'byte' before ++ the shift for the shift to have a defined result. */ ++ number = 0; ++ shift = 0; ++ byte_length = 1; ++ byte = *leb128; ++ for (;;) { ++ number |= ((Dwarf_Unsigned) (byte & 0x7f)) << shift; ++ ++ if ((byte & 0x80) == 0) { ++ if (leb128_length) { ++ *leb128_length = byte_length; ++ } ++ *outval = number; ++ return DW_DLV_OK; ++ } ++ shift += 7; ++ ++ byte_length++; ++ if (byte_length > BYTESLEBMAX) { ++ /* Erroneous input. */ ++ if( leb128_length) { ++ *leb128_length = BYTESLEBMAX; ++ } ++ break; ++ } ++ ++leb128; ++ if ((leb128) >=endptr) { ++ return DW_DLV_ERROR; ++ } ++ byte = *leb128; ++ } ++ return DW_DLV_ERROR; ++} ++ + #define BITSINBYTE 8 + + /* decode SLEB */ +--- a/libdwarf/dwarf_util.h ++++ b/libdwarf/dwarf_util.h +@@ -43,7 +43,19 @@ + */ + + +- ++#define DECODE_LEB128_UWORD_CK(ptr, value,dbg,errptr,endptr) \ ++ do { \ ++ Dwarf_Word lu_leblen = 0; \ ++ Dwarf_Unsigned lu_local = 0; \ ++ int lu_res = 0; \ ++ lu_res = _dwarf_decode_u_leb128_chk(ptr,&lu_leblen,&lu_local,endptr); \ ++ if (lu_res == DW_DLV_ERROR) { \ ++ _dwarf_error(dbg, errptr, DW_DLE_LEB_IMPROPER); \ ++ return DW_DLV_ERROR; \ ++ } \ ++ value = lu_local; \ ++ ptr += lu_leblen; \ ++ } while (0) + + /* + Decodes unsigned leb128 encoded numbers. +--- a/libdwarf/libdwarf.h ++++ b/libdwarf/libdwarf.h +@@ -1066,10 +1066,11 @@ + #define DW_DLE_READ_LITTLEENDIAN_ERROR 243 + #define DW_DLE_READ_BIGENDIAN_ERROR 244 + #define DW_DLE_ARANGES_HEADER_ERROR 245 ++#define DW_DLE_LEB_IMPROPER 246 + + + /* DW_DLE_LAST MUST EQUAL LAST ERROR NUMBER */ +-#define DW_DLE_LAST 245 ++#define DW_DLE_LAST 246 + #define DW_DLE_LO_USER 0x10000 + + /* Taken as meaning 'undefined value', this is not +--- a/libdwarf/dwarf_query.c ++++ b/libdwarf/dwarf_query.c +@@ -181,7 +181,7 @@ + Dwarf_Word i = 0; + Dwarf_Half attr = 0; + Dwarf_Half attr_form = 0; +- Dwarf_Byte_Ptr abbrev_ptr = 0; ++ Dwarf_Byte_Ptr abbrev_ptr = 0, abbrev_end = 0; + Dwarf_Abbrev_List abbrev_list = 0; + Dwarf_Attribute new_attr = 0; + Dwarf_Attribute head_attr = NULL; +@@ -205,6 +205,7 @@ + return (DW_DLV_ERROR); + } + abbrev_ptr = abbrev_list->ab_abbrev_ptr; ++ abbrev_end = (&dbg->de_debug_abbrev)->dss_data + (&dbg->de_debug_abbrev)->dss_size; + + info_ptr = die->di_debug_ptr; + SKIP_LEB128_WORD(info_ptr); +@@ -212,9 +213,9 @@ + do { + Dwarf_Unsigned utmp2; + +- DECODE_LEB128_UWORD(abbrev_ptr, utmp2); ++ DECODE_LEB128_UWORD_CK(abbrev_ptr, utmp2,dbg,error,abbrev_end); + attr = (Dwarf_Half) utmp2; +- DECODE_LEB128_UWORD(abbrev_ptr, utmp2); ++ DECODE_LEB128_UWORD_CK(abbrev_ptr, utmp2,dbg,error,abbrev_end); + attr_form = (Dwarf_Half) utmp2; + if (!_dwarf_valid_form_we_know(dbg,attr_form,attr)) { + _dwarf_error(dbg, error, DW_DLE_UNKNOWN_FORM); only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-5039.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-5039.patch @@ -0,0 +1,43 @@ +Description: Fix for CVE-2016-5039 (OOB read bug in get_attr_value()) +Author: Fabian Wolff <fabi.wo...@arcor.de> +Origin: backport, https://sourceforge.net/p/libdwarf/code/ci/eb1472afac95031d0c9dd8c11d527b865fe7deb8/ + +--- a/libdwarf/dwarf_form.c ++++ b/libdwarf/dwarf_form.c +@@ -766,10 +766,17 @@ + Dwarf_Word leb128_length = 0; + Dwarf_Block *ret_block = 0; + ++ Dwarf_Unsigned section_length = 0; ++ + int res = get_attr_dbg(&dbg,&cu_context,attr,error); + if(res != DW_DLV_OK) { + return res; +- } ++ } ++ ++ section_length = (cu_context->cc_is_info ++ ? (&dbg->de_debug_info) ++ : (&dbg->de_debug_types))->dss_size; ++ + switch (attr->ar_attribute_form) { + + case DW_FORM_block1: +@@ -801,11 +808,12 @@ + } + + /* Check that block lies within current cu in .debug_info. */ +- if (attr->ar_debug_ptr + length >= +- dbg->de_debug_info.dss_data + cu_context->cc_debug_offset + +- cu_context->cc_length + cu_context->cc_length_size + +- cu_context->cc_extension_size) { +- _dwarf_error(dbg, error, DW_DLE_ATTR_FORM_SIZE_BAD); ++ if ((attr->ar_debug_ptr + length >= ++ dbg->de_debug_info.dss_data + cu_context->cc_debug_offset + ++ cu_context->cc_length + cu_context->cc_length_size + ++ cu_context->cc_extension_size) ++ || (length >= section_length)) { ++ _dwarf_error(dbg, error, DW_DLE_ATTR_FORM_SIZE_BAD); + return (DW_DLV_ERROR); + } + only in patch2: unchanged: --- dwarfutils-20120410.orig/debian/patches/CVE-2016-5042.patch +++ dwarfutils-20120410/debian/patches/CVE-2016-5042.patch @@ -0,0 +1,155 @@ +Description: Fix for CVE-2016-5042 + In dwarf_get_aranges_list() an invalid count will iterate, reading + from memory addresses that increase till it all fails. +Origin: backport, https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f + +--- a/libdwarf/dwarf_arange.c ++++ b/libdwarf/dwarf_arange.c +@@ -102,13 +102,12 @@ + /* Length of current set of aranges. */ + Dwarf_Unsigned length = 0; + Dwarf_Small remainder = 0; +- Dwarf_Small *arange_ptr_past_end = 0; + Dwarf_Unsigned range_entry_size = 0; +- + int local_length_size; + + /*REFERENCED*/ /* Not used in this instance of the macro */ + int local_extension_size = 0; ++ Dwarf_Small *end_this_arange = 0; + + header_ptr = arange_ptr; + +@@ -116,11 +115,19 @@ + READ_AREA_LENGTH(dbg, length, Dwarf_Unsigned, + arange_ptr, local_length_size, + local_extension_size); +- arange_ptr_past_end = arange_ptr + length; ++ ++ if ((length + local_length_size + local_extension_size) > ++ dbg->de_debug_aranges.dss_size) { ++ _dwarf_error(dbg, error, DW_DLE_ARANGES_HEADER_ERROR); ++ return DW_DLV_ERROR; ++ } ++ ++ end_this_arange = arange_ptr + length; + + +- READ_UNALIGNED(dbg, version, Dwarf_Half, +- arange_ptr, sizeof(Dwarf_Half)); ++ READ_UNALIGNED_CK(dbg, version, Dwarf_Half, ++ arange_ptr, sizeof(Dwarf_Half), ++ error,end_this_arange); + arange_ptr += sizeof(Dwarf_Half); + length = length - sizeof(Dwarf_Half); + if (version != CURRENT_VERSION_STAMP) { +@@ -128,8 +135,9 @@ + return (DW_DLV_ERROR); + } + +- READ_UNALIGNED(dbg, info_offset, Dwarf_Off, +- arange_ptr, local_length_size); ++ READ_UNALIGNED_CK(dbg, info_offset, Dwarf_Off, ++ arange_ptr, local_length_size, ++ error, end_this_arange); + arange_ptr += local_length_size; + length = length - local_length_size; + /* This applies to debug_info only, not to debug_types. */ +@@ -243,14 +251,14 @@ + DWARF2,3,4 section 7.20 + We stop short to avoid overrun of the end of the CU. */ + +- } while (arange_ptr_past_end >= (arange_ptr + range_entry_size)); ++ } while (end_this_arange >= (arange_ptr + range_entry_size)); + + /* A compiler could emit some padding bytes here. dwarf2/3 + (dwarf4 sec 7.20) does not clearly make extra padding + bytes illegal. */ +- if (arange_ptr_past_end < arange_ptr) { ++ if (end_this_arange < arange_ptr) { + char buf[200]; +- Dwarf_Unsigned pad_count = arange_ptr - arange_ptr_past_end; ++ Dwarf_Unsigned pad_count = arange_ptr - end_this_arange; + Dwarf_Unsigned offset = arange_ptr - arange_ptr_start; + snprintf(buf,sizeof(buf),"DW_DLE_ARANGE_LENGTH_BAD." + " 0x%" DW_PR_XZEROS DW_PR_DUx +@@ -259,9 +267,9 @@ + pad_count, offset); + dwarf_insert_harmless_error(dbg,buf); + } +- /* For most compilers, arange_ptr == arange_ptr_past_end at ++ /* For most compilers, arange_ptr == end_this_arange at + this point. But not if there were padding bytes */ +- arange_ptr = arange_ptr_past_end; ++ arange_ptr = end_this_arange; + } while (arange_ptr < + dbg->de_debug_aranges.dss_data + dbg->de_debug_aranges.dss_size); + +--- a/libdwarf/dwarf_error.c ++++ b/libdwarf/dwarf_error.c +@@ -329,6 +329,9 @@ + "DW_DLE_GNU_OPCODE_ERROR (240)", + "DW_DLE_RELOC_INVALID (241)", + "DW_DLE_UNKNOWN_FORM (242) Possibly corrupt DWARF data", ++ "DW_DLE_READ_LITTLEENDIAN_ERROR (243)", ++ "DW_DLE_READ_BIGENDIAN_ERROR (244)", ++ "DW_DLE_ARANGES_HEADER_ERROR (245)", + }; + + +--- a/libdwarf/dwarf_util.h ++++ b/libdwarf/dwarf_util.h +@@ -130,6 +130,18 @@ + dest = (desttype)_ltmp; \ + } while (0) + ++#define READ_UNALIGNED_CK(dbg,dest,desttype, source, length,error,endptr) \ ++ do { \ ++ BIGGEST_UINT _ltmp = 0; \ ++ Dwarf_Byte_Ptr readend = source+length; \ ++ if (readend > endptr) { \ ++ _dwarf_error(dbg, error, DW_DLE_READ_LITTLEENDIAN_ERROR); \ ++ return DW_DLV_ERROR; \ ++ } \ ++ dbg->de_copy_word( (((char *)(&_ltmp)) + sizeof(_ltmp) - length), \ ++ source, length); \ ++ dest = (desttype)_ltmp; \ ++ } while (0) + + /* + This macro sign-extends a variable depending on the length. +@@ -155,6 +167,17 @@ + dest = (desttype)_ltmp; \ + } while (0) + ++#define READ_UNALIGNED_CK(dbg,dest,desttype, source, length,error,endptr) \ ++ do { \ ++ BIGGEST_UINT _ltmp = 0; \ ++ Dwarf_Byte_Ptr readend = source+length; \ ++ if (readend > endptr) { \ ++ _dwarf_error(dbg, error, DW_DLE_READ_BIGENDIAN_ERROR); \ ++ return DW_DLV_ERROR; \ ++ } \ ++ dbg->de_copy_word( (char *)(&_ltmp), source, length); \ ++ dest = (desttype)_ltmp; \ ++ } while (0) + + /* + This macro sign-extends a variable depending on the length. +--- a/libdwarf/libdwarf.h ++++ b/libdwarf/libdwarf.h +@@ -1063,10 +1063,13 @@ + #define DW_DLE_GNU_OPCODE_ERROR 240 + #define DW_DLE_RELOC_INVALID 241 + #define DW_DLE_UNKNOWN_FORM 242 ++#define DW_DLE_READ_LITTLEENDIAN_ERROR 243 ++#define DW_DLE_READ_BIGENDIAN_ERROR 244 ++#define DW_DLE_ARANGES_HEADER_ERROR 245 + + + /* DW_DLE_LAST MUST EQUAL LAST ERROR NUMBER */ +-#define DW_DLE_LAST 242 ++#define DW_DLE_LAST 245 + #define DW_DLE_LO_USER 0x10000 + + /* Taken as meaning 'undefined value', this is notsignature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---Version: 8.6 The updates referred to in each of these bugs were included in today's stable point release. Regards, Adam
--- End Message ---