From accd3811e1f79eaf4def5f96805771f862ea1af6 Mon Sep 17 00:00:00 2001 From: lkundrak Date: Tue, 3 Jul 2007 12:41:18 +0000 Subject: Fixes for CVE-2005-1704 and CVE-2005-1705. Bump PKGREVISION. --- devel/gdb/Makefile | 4 +-- devel/gdb/distinfo | 4 ++- devel/gdb/patches/patch-ap | 75 ++++++++++++++++++++++++++++++++++++++++++++++ devel/gdb/patches/patch-aq | 15 ++++++++++ 4 files changed, 95 insertions(+), 3 deletions(-) create mode 100644 devel/gdb/patches/patch-ap create mode 100644 devel/gdb/patches/patch-aq diff --git a/devel/gdb/Makefile b/devel/gdb/Makefile index 89c33e615db..69cd5f52802 100644 --- a/devel/gdb/Makefile +++ b/devel/gdb/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.33 2007/03/23 15:18:23 joerg Exp $ +# $NetBSD: Makefile,v 1.34 2007/07/03 12:41:18 lkundrak Exp $ # DISTNAME= gdb-5.3 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_GNU:=gdb/} diff --git a/devel/gdb/distinfo b/devel/gdb/distinfo index 839421d91f3..047b439aab4 100644 --- a/devel/gdb/distinfo +++ b/devel/gdb/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.8 2006/10/22 07:55:38 rillig Exp $ +$NetBSD: distinfo,v 1.9 2007/07/03 12:41:18 lkundrak Exp $ SHA1 (gdb-5.3.tar.gz) = 24a6c9da6e89b1b82b7508f27f94098d989ff662 RMD160 (gdb-5.3.tar.gz) = 3f88dc11115de08708c50c73b10acaf00ed25e96 @@ -18,3 +18,5 @@ SHA1 (patch-al) = 2721abee837d85f57b05073490d94e9e11d5193d SHA1 (patch-am) = 8bb74176c2e7042a74330a02d60a1976919da2a0 SHA1 (patch-an) = c28777296917daa1a619eca092023c8f5aaf706f SHA1 (patch-ao) = 7a38b55945cf6d9fc422e460d67b88a1e4416e62 +SHA1 (patch-ap) = e79d8a70d12098716791e3349d8606d07f8acd47 +SHA1 (patch-aq) = f7c356f7c500b84feb141ba693390378e5f71642 diff --git a/devel/gdb/patches/patch-ap b/devel/gdb/patches/patch-ap new file mode 100644 index 00000000000..2bdcaf6e663 --- /dev/null +++ b/devel/gdb/patches/patch-ap 
@@ -0,0 +1,75 @@ +$NetBSD: patch-ap,v 1.1 2007/07/03 12:41:18 lkundrak Exp $ + +Patch for CVE-2005-1704 sucked from upstream. +* elfcode.h (elf_object_p): Add more sanity checks on elf header. + +--- bfd/elfcode.h.orig 2002-07-07 11:10:39.000000000 +0200 ++++ bfd/elfcode.h +@@ -683,8 +683,13 @@ elf_object_p (abfd) + + if (i_ehdrp->e_shoff != 0) + { ++ bfd_signed_vma where = i_ehdrp->e_shoff; ++ ++ if (where != (file_ptr) where) ++ goto got_wrong_format_error; ++ + /* Seek to the section header table in the file. */ +- if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0) ++ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0) + goto got_no_match; + + /* Read the first section header at index 0, and convert to internal +@@ -697,13 +702,50 @@ elf_object_p (abfd) + /* If the section count is zero, the actual count is in the first + section header. */ + if (i_ehdrp->e_shnum == SHN_UNDEF) +- i_ehdrp->e_shnum = i_shdr.sh_size; ++ { ++ i_ehdrp->e_shnum = i_shdr.sh_size; ++ if (i_ehdrp->e_shnum != i_shdr.sh_size) ++ goto got_wrong_format_error; ++ } + + /* And similarly for the string table index. */ + if (i_ehdrp->e_shstrndx == SHN_XINDEX) +- i_ehdrp->e_shstrndx = i_shdr.sh_link; ++ { ++ i_ehdrp->e_shstrndx = i_shdr.sh_link; ++ if (i_ehdrp->e_shstrndx != i_shdr.sh_link) ++ goto got_wrong_format_error; ++ } ++ ++ /* Sanity check that we can read all of the section headers. ++ It ought to be good enough to just read the last one. */ ++ if (i_ehdrp->e_shnum != 1) ++ { ++ /* Check that we don't have a totally silly number of sections. 
*/ ++ if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr)) ++ goto got_wrong_format_error; ++ ++ where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr); ++ if (where != (file_ptr) where) ++ goto got_wrong_format_error; ++ if ((bfd_size_type) where <= i_ehdrp->e_shoff) ++ goto got_wrong_format_error; ++ ++ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0) ++ goto got_no_match; ++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) ++ goto got_no_match; ++ ++ /* Back to where we were. */ ++ where = i_ehdrp->e_shoff + sizeof (x_shdr); ++ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0) ++ goto got_no_match; ++ } + } + ++ /* A further sanity check. */ ++ if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum) ++ goto got_wrong_format_error; ++ + /* Allocate space for a copy of the section header table in + internal form. */ + if (i_ehdrp->e_shnum != 0) diff --git a/devel/gdb/patches/patch-aq b/devel/gdb/patches/patch-aq new file mode 100644 index 00000000000..8914a8e5a21 --- /dev/null +++ b/devel/gdb/patches/patch-aq @@ -0,0 +1,15 @@ +$NetBSD: patch-aq,v 1.1 2007/07/03 12:41:18 lkundrak Exp $ + +Patch for CVE-2005-1705 from Gentoo #88398. + +--- gdb/main.c.orig 2002-09-28 17:10:31.000000000 +0200 ++++ gdb/main.c +@@ -626,7 +626,7 @@ extern int gdbtk_test (char *); + + if (!homedir + || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat))) +- if (!inhibit_gdbinit) ++ if (!inhibit_gdbinit && (cwdbuf.st_uid == getuid()) && (!cwdbuf.st_mode & (S_IWOTH))) + { + catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL); + } -- cgit v1.2.3
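Review bot: The final sanity check `if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum)` added near the end of the hunk runs unconditionally, so an ELF with no section header table (e_shoff == 0, e_shnum == 0, e_shstrndx == SHN_UNDEF == 0) now takes got_wrong_format_error because 0 >= 0; that shape is legal ELF and is common for core files, which gdb is expected to load. Guard it as `if (i_ehdrp->e_shnum != 0 && i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum)`. In the same hunk, the `if (i_ehdrp->e_shnum != 1)` branch also admits e_shnum == 0 (when the extended count read from sh_size is zero), and `(i_ehdrp->e_shnum - 1) * sizeof (x_shdr)` then wraps if e_shnum is unsigned, which the `(unsigned int) -1 / sizeof (x_shdr)` comparison suggests it is; the wrapped offset fails the later bfd_seek rather than overrunning memory, but `if (i_ehdrp->e_shnum > 1)` states the intent and avoids the wrap. elf_object_p begins and ends outside this hunk, so the got_wrong_format_error and got_no_match labels are not visible here.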
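Review bot: The new mode test `(!cwdbuf.st_mode & (S_IWOTH))` is mis-parenthesised: `!` binds tighter than `&`, so it evaluates `(!cwdbuf.st_mode) & S_IWOTH`, which is 0 for any non-zero st_mode, and the whole condition is therefore always false — the cwd .gdbinit is never sourced at all, instead of being rejected only when it is world-writable. It should read `if (!inhibit_gdbinit && cwdbuf.st_uid == getuid () && !(cwdbuf.st_mode & S_IWOTH))`. The ownership and mode checks are made on cwdbuf, presumably a stat of the cwd .gdbinit taken earlier outside the hunk, so there is still a window between that stat and source_command opening the file, and a world-writable parent directory lets the file be swapped in that window; the check does not cover that, which is worth stating in a comment such as `/* CVE-2005-1705: only source a cwd .gdbinit we own and that is not world-writable.  */`. The enclosing function begins and ends outside the hunk.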