From 38e2728a42af488439aae6e7b2c5038dee1929ac Mon Sep 17 00:00:00 2001
From: lkundrak
Date: Tue, 3 Jul 2007 12:32:28 +0000
Subject: Backported fixes for CAN-2005-1704 and CAN-2005-1705.
---
 devel/gdb6/Makefile | 4 +--
 devel/gdb6/distinfo | 4 ++-
 devel/gdb6/patches/patch-bo | 75 +++++++++++++++++++++++++++++++++++++++++++++
 devel/gdb6/patches/patch-bp | 15 +++++++++
 4 files changed, 95 insertions(+), 3 deletions(-)
 create mode 100644 devel/gdb6/patches/patch-bo
 create mode 100644 devel/gdb6/patches/patch-bp
diff --git a/devel/gdb6/Makefile b/devel/gdb6/Makefile
index c97dfffcd97..8d58b3a2e66 100644
--- a/devel/gdb6/Makefile
+++ b/devel/gdb6/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.20 2006/10/18 13:39:07 reed Exp $
+# $NetBSD: Makefile,v 1.21 2007/07/03 12:32:28 lkundrak Exp $
 #
 DISTNAME= gdb-6.2.1
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= devel
 MASTER_SITES= ftp://sources.redhat.com/pub/gdb/releases/
 EXTRACT_SUFX= .tar.bz2
diff --git a/devel/gdb6/distinfo b/devel/gdb6/distinfo
index c5ed0530f2f..4a19197d9d9 100644
--- a/devel/gdb6/distinfo
+++ b/devel/gdb6/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2006/10/22 08:06:42 rillig Exp $
+$NetBSD: distinfo,v 1.11 2007/07/03 12:32:28 lkundrak Exp $
 SHA1 (gdb-6.2.1.tar.bz2) = 50cee3887744c4140aafcc0e4eb579d94464dfd7
 RMD160 (gdb-6.2.1.tar.bz2) = 6fe9f3bbef076c55cbcdf05143e7d5f98f61f889
@@ -43,3 +43,5 @@ SHA1 (patch-bk) = 98f836c7007a668b812d119be294842a957cb507
 SHA1 (patch-bl) = 12a9846fc08e8c3110897644d7803f67999b68f8
 SHA1 (patch-bm) = baf198e86cb5e9d8b9f6b0bd6d7ccd1ca61227b4
 SHA1 (patch-bn) = cfeee69148028782b9ab6580f0f619d5f3327325
+SHA1 (patch-bo) = 92221afaa93d9362057783c20100ce7ff1b5df9b
+SHA1 (patch-bp) = bff41b3fb0f5952cbcd37797ec4bb63f6f79da8d
diff --git a/devel/gdb6/patches/patch-bo b/devel/gdb6/patches/patch-bo
new file mode 100644
index 00000000000..6dc9ba9c52e
--- /dev/null
+++ b/devel/gdb6/patches/patch-bo
@@ -0,0 +1,75 @@
+$NetBSD: patch-bo,v 1.1 2007/07/03 12:32:28 lkundrak Exp $
+
+Patch for CVE-2005-1704 sucked from upstream.
+* elfcode.h (elf_object_p): Add more sanity checks on elf header.
+
+--- bfd/elfcode.h.orig 2004-06-24 06:46:22.000000000 +0200
++++ bfd/elfcode.h
+@@ -613,8 +613,13 @@ elf_object_p (bfd *abfd)
+
+ if (i_ehdrp->e_shoff != 0)
+ {
++ bfd_signed_vma where = i_ehdrp->e_shoff;
++
++ if (where != (file_ptr) where)
++ goto got_wrong_format_error;
++
+ /* Seek to the section header table in the file. */
+- if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0)
++ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+ goto got_no_match;
+
+ /* Read the first section header at index 0, and convert to internal
+@@ -626,13 +631,50 @@ elf_object_p (bfd *abfd)
+ /* If the section count is zero, the actual count is in the first
+ section header. */
+ if (i_ehdrp->e_shnum == SHN_UNDEF)
+- i_ehdrp->e_shnum = i_shdr.sh_size;
++ {
++ i_ehdrp->e_shnum = i_shdr.sh_size;
++ if (i_ehdrp->e_shnum != i_shdr.sh_size)
++ goto got_wrong_format_error;
++ }
+
+ /* And similarly for the string table index. */
+ if (i_ehdrp->e_shstrndx == SHN_XINDEX)
+- i_ehdrp->e_shstrndx = i_shdr.sh_link;
++ {
++ i_ehdrp->e_shstrndx = i_shdr.sh_link;
++ if (i_ehdrp->e_shstrndx != i_shdr.sh_link)
++ goto got_wrong_format_error;
++ }
++
++ /* Sanity check that we can read all of the section headers.
++ It ought to be good enough to just read the last one. */
++ if (i_ehdrp->e_shnum != 1)
++ {
++ /* Check that we don't have a totally silly number of sections.
*/
++ if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr))
++ goto got_wrong_format_error;
++
++ where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr);
++ if (where != (file_ptr) where)
++ goto got_wrong_format_error;
++ if ((bfd_size_type) where <= i_ehdrp->e_shoff)
++ goto got_wrong_format_error;
++
++ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
++ goto got_no_match;
++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ goto got_no_match;
++
++ /* Back to where we were. */
++ where = i_ehdrp->e_shoff + sizeof (x_shdr);
++ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
++ goto got_no_match;
++ }
+ }
+
++ /* A further sanity check. */
++ if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum)
++ goto got_wrong_format_error;
++
+ /* Allocate space for a copy of the section header table in
+ internal form. */
+ if (i_ehdrp->e_shnum != 0)
diff --git a/devel/gdb6/patches/patch-bp b/devel/gdb6/patches/patch-bp
new file mode 100644
index 00000000000..4a2898fb286
--- /dev/null
+++ b/devel/gdb6/patches/patch-bp
@@ -0,0 +1,15 @@
+$NetBSD: patch-bp,v 1.1 2007/07/03 12:32:28 lkundrak Exp $
+
+Patch for CVE-2005-1705 from Gentoo #88398.
+
+--- gdb/main.c.orig 2004-07-26 21:01:36.000000000 +0200
++++ gdb/main.c
+@@ -696,7 +696,7 @@ extern int gdbtk_test (char *);
+
+ if (!homedir
+ || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat)))
+- if (!inhibit_gdbinit)
++ if (!inhibit_gdbinit && (cwdbuf.st_uid == getuid()) && (!cwdbuf.st_mode & (S_IWOTH)))
+ {
+ catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL);
+ }
-- cgit v1.2.3
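Review bot: The new `if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum) goto got_wrong_format_error;` placed after the `if (i_ehdrp->e_shoff != 0)` block also rejects objects that have no section header table at all: that block is skipped when `e_shoff == 0`, and for a well-formed headerless object both `e_shnum` and `e_shstrndx` are 0 (SHN_UNDEF), so `0 >= 0` sends it to the wrong-format path even though the `if (i_ehdrp->e_shnum != 0)` guard right below shows e_shnum == 0 is an expected state here. Kernel-written ELF core files normally carry no section headers, so a debugger built with this backport would presumably stop recognising core dumps — worth confirming against one before this ships. Restrict the check to objects that actually have sections, e.g. `if (i_ehdrp->e_shnum != 0 ? i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum : i_ehdrp->e_shstrndx != 0)`. The patched `elf_object_p` starts and ends outside this hunk.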
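Review bot: `(!cwdbuf.st_mode & (S_IWOTH))` on the replaced `if` line does not test world-writability: unary `!` binds tighter than `&`, so this is `(!cwdbuf.st_mode) & S_IWOTH`, which is 0 for any mode stat() can fill in (the file-type bits make `st_mode` non-zero, and even a zeroed buffer yields `1 & S_IWOTH == 0`), so the whole condition is always false and the current-directory `.gdbinit` is silently never sourced — fail-closed, but not what the patch claims to do. The intended test is `!(cwdbuf.st_mode & S_IWOTH)`; since a group-writable file is an equivalent planting vector, `(cwdbuf.st_mode & (S_IWGRP | S_IWOTH)) == 0` is the stronger form. The added check also reads `cwdbuf` on the `!homedir` arm of the condition, where — judging from the `memcmp` against `homebuf` being meaningful only when `homedir` was set — the buffer may never have been filled by stat(); verify it is initialised on that path before relying on `st_uid`. The enclosing function starts and ends outside this hunk.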