Hello community,
here is the log from the commit of package pax-utils for openSUSE:Factory checked in at 2017-03-02 19:37:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pax-utils (Old)
and /work/SRC/openSUSE:Factory/.pax-utils.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pax-utils"
Thu Mar 2 19:37:18 2017 rev:21 rq:460675 version:1.2.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/pax-utils/pax-utils.changes 2016-11-18 22:02:12.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.pax-utils.new/pax-utils.changes 2017-03-02 19:37:19.651704273 +0100
@@ -1,0 +2,11 @@
+Mon Feb 27 10:53:14 UTC 2017 - lnussel@suse.de
+
+- update to 1.2.2
+ * misc fd and memory leak fixes
+ Add patches from git (boo#1026959)
+ 0004-scanelf-check-range-of-hash-bucket.patch
+ 0003-dumpelf-check-for-invalid-notes.patch
+ 0001-dumpelf-check-for-invalid-section-entry-sizes.patch
+ 0002-dumpelf-check-for-invalid-program-headers.patch
+
+-------------------------------------------------------------------
Old:
----
pax-utils-1.1.6.tar.xz
New:
----
0001-dumpelf-check-for-invalid-section-entry-sizes.patch
0002-dumpelf-check-for-invalid-program-headers.patch
0003-dumpelf-check-for-invalid-notes.patch
0004-scanelf-check-range-of-hash-bucket.patch
pax-utils-1.2.2.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pax-utils.spec ++++++
--- /var/tmp/diff_new_pack.tSdWO9/_old 2017-03-02 19:37:20.279615418 +0100
+++ /var/tmp/diff_new_pack.tSdWO9/_new 2017-03-02 19:37:20.279615418 +0100
@@ -1,7 +1,7 @@
#
# spec file for package pax-utils
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -14,18 +14,23 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
-# icecream 0
Name: pax-utils
-Version: 1.1.6
+Version: 1.2.2
Release: 0
Summary: Tools to Check ELF Files for Security Relevant Properties
License: GPL-2.0+
Group: Productivity/Security
Url: http://www.gentoo.org/proj/en/hardened/pax-utils.xml
Source: http://dev.gentoo.org/~vapier/dist/pax-utils-%{version}.tar.xz
-Patch0: pax-utils-handle-lib64.patch
+# backports
+Patch0: 0001-dumpelf-check-for-invalid-section-entry-sizes.patch
+Patch1: 0002-dumpelf-check-for-invalid-program-headers.patch
+Patch2: 0003-dumpelf-check-for-invalid-notes.patch
+Patch3: 0004-scanelf-check-range-of-hash-bucket.patch
+# openSUSE patches
+Patch20: pax-utils-handle-lib64.patch
BuildRequires: libcap-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -33,23 +38,15 @@
Tools to check ELF files for security relevant properties such as
non-executable stack.
-
-
-Authors:
----------
- Ned Ludd
- Mike Frysinger
-
%prep
-%setup -q
-%patch0 -p1
+%autosetup -q -p1
%build
%configure
make %{?_smp_mflags} V=1
%install
-make %{?_smp_mflags} DESTDIR=%{buildroot} install
+%make_install
%files
%defattr(-,root,root)
++++++ 0001-dumpelf-check-for-invalid-section-entry-sizes.patch ++++++
From 4609f57a690b4a5670baeb93167dab5300d07d4e Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Wed, 1 Feb 2017 09:29:10 -1000
Subject: [PATCH 1/4] dumpelf: check for invalid section entry sizes
URL: https://bugs.gentoo.org/607894
Reported-by: Agostino Sarubbo
---
dumpelf.c | 50 ++++++++++++++++++++++++++++----------------------
1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/dumpelf.c b/dumpelf.c
index 6b2458a..44da3ee 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -413,17 +413,20 @@ static void dump_shdr(elfobj *elf, const void *shdr_void, size_t shdr_cnt, const
case SHT_DYNSYM: { \
Elf##B##_Sym *sym = vdata; \
printf("\n\t/%c section dump:\n", '*'); \
- for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
- printf("\t * Elf%i_Sym sym%zu = {\n", B, i); \
- printf("\t * \t.st_name = %u,\n", (uint32_t)EGET(sym->st_name)); \
- printf("\t * \t.st_value = 0x%"PRIX64",\n", EGET(sym->st_value)); \
- printf("\t * \t.st_size = %"PRIu64", (bytes)\n", EGET(sym->st_size)); \
- printf("\t * \t.st_info = %u,\n", (unsigned char)EGET(sym->st_info)); \
- printf("\t * \t.st_other = %u,\n", (unsigned char)EGET(sym->st_other)); \
- printf("\t * \t.st_shndx = %u\n", (uint16_t)EGET(sym->st_shndx)); \
- printf("\t * };\n"); \
- ++sym; \
- } \
+ if (EGET(shdr->sh_entsize) < sizeof(*sym)) \
+ printf(" /* corrupt section ! */ "); \
+ else \
+ for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
+ printf("\t * Elf%i_Sym sym%zu = {\n", B, i); \
+ printf("\t * \t.st_name = %u,\n", (uint32_t)EGET(sym->st_name)); \
+ printf("\t * \t.st_value = 0x%"PRIX64",\n", EGET(sym->st_value)); \
+ printf("\t * \t.st_size = %"PRIu64", (bytes)\n", EGET(sym->st_size)); \
+ printf("\t * \t.st_info = %u,\n", (unsigned char)EGET(sym->st_info)); \
+ printf("\t * \t.st_other = %u,\n", (unsigned char)EGET(sym->st_other)); \
+ printf("\t * \t.st_shndx = %u\n", (uint16_t)EGET(sym->st_shndx)); \
+ printf("\t * };\n"); \
+ ++sym; \
+ } \
printf("\t */\n"); \
break; \
} \
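Review bot: The corrupt-section message in the new `if` branch is printed while the `/* section dump:` comment opened two lines earlier is still open, so its `*/` closes that comment early and the trailing `printf("\t */\n")` then emits a stray `*/` into the generated output. Printing it as a line of the open comment avoids that: `printf("\t * corrupt section !\n");`. The same applies to the SHT_GNU_LIBLIST hunk that follows. Bracing the `if`/`else` around the multi-line `for` would also make the macro body harder to misread. The body of dump_shdr extends beyond this hunk, so whether `sh_size` has been range-checked before the loop cannot be seen here.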
@@ -433,17 +436,20 @@ static void dump_shdr(elfobj *elf, const void *shdr_void, size_t shdr_cnt, const
case SHT_GNU_LIBLIST: { \
Elf##B##_Lib *lib = vdata; \
printf("\n\t/%c section dump:\n", '*'); \
- for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
- printf("\t * Elf%i_Lib lib%zu = {\n", B, i); \
- printf("\t * \t.l_name = %"PRIu64",\n", EGET(lib->l_name)); \
- printf("\t * \t.l_time_stamp = 0x%"PRIX64", (%s)\n", \
- EGET(lib->l_time_stamp), timestamp(EGET(lib->l_time_stamp))); \
- printf("\t * \t.l_checksum = 0x%"PRIX64",\n", EGET(lib->l_checksum)); \
- printf("\t * \t.l_version = %"PRIu64",\n", EGET(lib->l_version)); \
- printf("\t * \t.l_flags = 0x%"PRIX64"\n", EGET(lib->l_flags)); \
- printf("\t * };\n"); \
- ++lib; \
- } \
+ if (EGET(shdr->sh_entsize) < sizeof(*lib)) \
+ printf(" /* corrupt section ! */ "); \
+ else \
+ for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
+ printf("\t * Elf%i_Lib lib%zu = {\n", B, i); \
+ printf("\t * \t.l_name = %"PRIu64",\n", EGET(lib->l_name)); \
+ printf("\t * \t.l_time_stamp = 0x%"PRIX64", (%s)\n", \
+ EGET(lib->l_time_stamp), timestamp(EGET(lib->l_time_stamp))); \
+ printf("\t * \t.l_checksum = 0x%"PRIX64",\n", EGET(lib->l_checksum)); \
+ printf("\t * \t.l_version = %"PRIu64",\n", EGET(lib->l_version)); \
+ printf("\t * \t.l_flags = 0x%"PRIX64"\n", EGET(lib->l_flags)); \
+ printf("\t * };\n"); \
+ ++lib; \
+ } \
printf("\t */\n"); \
} \
default: { \
--
2.10.2
++++++ 0002-dumpelf-check-for-invalid-program-headers.patch ++++++
From 18ded0e30ee5a84260cceb80d818b9c21ade4c76 Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Wed, 1 Feb 2017 10:05:09 -1000
Subject: [PATCH 2/4] dumpelf: check for invalid program headers
URL: https://bugs.gentoo.org/607896
Reported-by: Agostino Sarubbo
---
dumpelf.c | 8 ++++----
paxelf.h | 5 +++++
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/dumpelf.c b/dumpelf.c
index 44da3ee..a9c6e05 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -293,9 +293,6 @@ static void dump_phdr(elfobj *elf, const void *phdr_void, size_t phdr_cnt)
Elf ## B ## _Off offset = EGET(phdr->p_offset); \
void *vdata = elf->vdata + offset; \
uint32_t p_type = EGET(phdr->p_type); \
- switch (p_type) { \
- case PT_DYNAMIC: phdr_dynamic_void = phdr_void; break; \
- } \
printf("/* Program Header #%zu 0x%tX */\n{\n", \
phdr_cnt, (uintptr_t)phdr_void - elf->udata); \
printf("\t.p_type = %-10u , /* [%s] */\n", p_type, get_elfptype(p_type)); \
@@ -307,12 +304,15 @@ static void dump_phdr(elfobj *elf, const void *phdr_void, size_t phdr_cnt)
printf("\t.p_flags = 0x%-8X , /* %s */\n", (uint32_t)EGET(phdr->p_flags), dump_p_flags(p_type, EGET(phdr->p_flags))); \
printf("\t.p_align = %-10"PRIu64" , /* (min mem alignment in bytes) */\n", EGET(phdr->p_align)); \
\
- if ((off_t)EGET(phdr->p_offset) > elf->len) { \
+ if (!VALID_PHDR(elf, phdr)) { \
printf("\t/* Warning: Program segment is corrupt. */\n"); \
goto done##B; \
} \
\
switch (p_type) { \
+ case PT_DYNAMIC: \
+ phdr_dynamic_void = phdr_void; \
+ break; \
case PT_NOTE: \
dump_notes(elf, B, vdata, vdata + EGET(phdr->p_filesz)); \
break; \
diff --git a/paxelf.h b/paxelf.h
index 56fa9f3..90b283c 100644
--- a/paxelf.h
+++ b/paxelf.h
@@ -45,6 +45,11 @@ typedef struct {
EGET(shdr->sh_offset) < (uint64_t)elf->len && \
EGET(shdr->sh_size) < (uint64_t)elf->len && \
EGET(shdr->sh_offset) <= elf->len - EGET(shdr->sh_size))
+#define VALID_PHDR(elf, phdr) \
+ (phdr && \
+ EGET(phdr->p_filesz) < (uint64_t)elf->len && \
+ EGET(phdr->p_offset) < (uint64_t)elf->len && \
+ EGET(phdr->p_filesz) <= elf->len - EGET(phdr->p_offset))
/* prototypes */
extern char *pax_short_hf_flags(unsigned long flags);
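Review bot: VALID_PHDR rejects a segment whose `p_filesz` equals the file length, because its first clause uses a strict `<`. A segment at offset 0 that spans the whole file satisfies the third clause but fails the first, so dump_phdr would report it as corrupt. `EGET(phdr->p_filesz) <= (uint64_t)elf->len && \` keeps the overflow protection without that false positive. The last clause subtracts from `elf->len` without the `(uint64_t)` cast the other two clauses use; writing `(uint64_t)elf->len - EGET(phdr->p_offset)` would make the unsigned comparison explicit. The macro arguments are also expanded unparenthesized, as `phdr &&` and `elf->len`.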
--
2.10.2
++++++ 0003-dumpelf-check-for-invalid-notes.patch ++++++
From 10a9643d90a1ba6058a66066803fac6cf43f6917 Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Wed, 1 Feb 2017 12:40:09 -1000
Subject: [PATCH 3/4] dumpelf: check for invalid notes
Handle cases where the size fields would overflow the additions.
URL: https://bugs.gentoo.org/607898
Reported-by: Agostino Sarubbo
---
dumpelf.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/dumpelf.c b/dumpelf.c
index a9c6e05..60c78a3 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -209,6 +209,7 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me
* world, the two structs are exactly the same. So avoid ugly CPP.
*/
size_t i;
+ bool corrupt = false;
const void *ndata = memory;
const char *name;
const unsigned char *desc;
@@ -223,23 +224,31 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me
}
printf("\n\t/%c note section dump:\n", '*');
- for (i = 0; ndata < memory_end; ++i) {
+ for (i = 0; ndata < memory_end && !corrupt; ++i) {
note = ndata;
namesz = EGET(note->n_namesz);
descsz = EGET(note->n_descsz);
- name = namesz ? ndata + sizeof(*note) : "";
- desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : "";
+ if (namesz > elf->len || descsz > elf->len)
+ corrupt = true;
+ name = namesz ? ndata + sizeof(*note) : NULL;
+ desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : NULL;
ndata += sizeof(*note) + ALIGN_UP(namesz, 4) + ALIGN_UP(descsz, 4);
- if (ndata > memory_end) {
+ if (ndata > memory_end)
+ corrupt = true;
+ if (corrupt) {
+ name = NULL;
+ desc = NULL;
printf("\tNote is corrupt\n");
- break;
}
printf("\t * Elf%zu_Nhdr note%zu = {\n", B, i);
- printf("\t * \t.n_namesz = %u, (bytes) [%s]\n", namesz, name);
+ printf("\t * \t.n_namesz = %u, (bytes)", namesz);
+ if (name)
+ printf(" [%s]", name);
+ printf("\n");
printf("\t * \t.n_descsz = %u, (bytes)", descsz);
- if (descsz) {
+ if (desc) {
printf(" [ ");
for (i = 0; i < descsz; ++i)
printf("%.2X ", desc[i]);
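Review bot: The loop still reads `note->n_namesz` and `note->n_descsz` whenever `ndata < memory_end`, so a note header with fewer than `sizeof(*note)` bytes left before `memory_end` is read past the end of the segment. A condition such as `ndata + sizeof(*note) <= memory_end && !corrupt` would cover the header as well as the payload. Separately, `printf(" [%s]", name)` assumes the name is NUL-terminated inside `namesz`; bounding it with `printf(" [%.*s]", (int)namesz, name)` keeps a missing terminator from reading into the descriptor or beyond. dump_notes begins and ends outside this hunk.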
--
2.10.2
++++++ 0004-scanelf-check-range-of-hash-bucket.patch ++++++
From e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Sat, 11 Feb 2017 01:54:49 -0500
Subject: [PATCH 4/4] scanelf: check range of hash bucket
Make sure we don't walk off the end of the ELF with a corrupt hash table.
URL: https://bugs.gentoo.org/608766
Reported-by: Agostino Sarubbo
---
scanelf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scanelf.c b/scanelf.c
index 79ce59c..70856f3 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -332,7 +332,8 @@ static void scanelf_file_get_symtabs(elfobj *elf, void **sym, void **str)
if (!buckets[b]) \
continue; \
for (sym_idx = buckets[b], chained = 0; \
- sym_idx < nchains && sym_idx && chained <= nchains; \
+ (sym_idx < nchains && sym_idx && chained <= nchains && \
+ (void *)&chains[sym_idx] + sizeof(*chains) < elf->data_end); \
sym_idx = chains[sym_idx], ++chained) { \
if (max_sym_idx < sym_idx) \
max_sym_idx = sym_idx; \
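Review bot: The added bound covers only `chains[sym_idx]`; the `buckets[b]` read at the top of the hunk has no matching range check in the visible lines, so a corrupt bucket count could still index past the mapping unless that is validated outside the hunk. A comparable test, for example `(void *)&buckets[b] + sizeof(*buckets) > elf->data_end`, before the `if (!buckets[b])` line would close that path. If `data_end` points one past the last mapped byte, which cannot be confirmed from here, the new comparison should be `<=` rather than `<`, otherwise the final chain entry is skipped. The enclosing macro and the loop over `b` start outside the hunk.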
--
2.10.2
++++++ pax-utils-1.1.6.tar.xz -> pax-utils-1.2.2.tar.xz ++++++
++++ 13039 lines of diff (skipped)