commit pax-utils for openSUSE:Factory
Hello community, here is the log from the commit of package pax-utils for openSUSE:Factory checked in at 2017-03-02 19:37:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pax-utils (Old) and /work/SRC/openSUSE:Factory/.pax-utils.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pax-utils" Thu Mar 2 19:37:18 2017 rev:21 rq:460675 version:1.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/pax-utils/pax-utils.changes 2016-11-18 22:02:12.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.pax-utils.new/pax-utils.changes 2017-03-02 19:37:19.651704273 +0100 @@ -1,0 +2,11 @@ +Mon Feb 27 10:53:14 UTC 2017 - lnussel@suse.de + +- update to 1.2.2 + * misc fd and memory leak fixes + Add patches from git (boo#1026959) + 0004-scanelf-check-range-of-hash-bucket.patch + 0003-dumpelf-check-for-invalid-notes.patch + 0001-dumpelf-check-for-invalid-section-entry-sizes.patch + 0002-dumpelf-check-for-invalid-program-headers.patch + +------------------------------------------------------------------- Old: ---- pax-utils-1.1.6.tar.xz New: ---- 0001-dumpelf-check-for-invalid-section-entry-sizes.patch 0002-dumpelf-check-for-invalid-program-headers.patch 0003-dumpelf-check-for-invalid-notes.patch 0004-scanelf-check-range-of-hash-bucket.patch pax-utils-1.2.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pax-utils.spec ++++++ --- /var/tmp/diff_new_pack.tSdWO9/_old 2017-03-02 19:37:20.279615418 +0100 +++ /var/tmp/diff_new_pack.tSdWO9/_new 2017-03-02 19:37:20.279615418 +0100 @@ -1,7 +1,7 @@ # # spec file for package pax-utils # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -14,18 +14,23 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# icecream 0 Name: pax-utils -Version: 1.1.6 +Version: 1.2.2 Release: 0 Summary: Tools to Check ELF Files for Security Relevant Properties License: GPL-2.0+ Group: Productivity/Security Url: http://www.gentoo.org/proj/en/hardened/pax-utils.xml Source: http://dev.gentoo.org/~vapier/dist/pax-utils-%{version}.tar.xz -Patch0: pax-utils-handle-lib64.patch +# backports +Patch0: 0001-dumpelf-check-for-invalid-section-entry-sizes.patch +Patch1: 0002-dumpelf-check-for-invalid-program-headers.patch +Patch2: 0003-dumpelf-check-for-invalid-notes.patch +Patch3: 0004-scanelf-check-range-of-hash-bucket.patch +# openSUSE patches +Patch20: pax-utils-handle-lib64.patch BuildRequires: libcap-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -33,23 +38,15 @@ Tools to check ELF files for security relevant properties such as non-executable stack. - - -Authors: ---------- - Ned Ludd <solar@gentoo.org> - Mike Frysinger <vapier@gentoo.org> - %prep -%setup -q -%patch0 -p1 +%autosetup -q -p1 %build %configure make %{?_smp_mflags} V=1 %install -make %{?_smp_mflags} DESTDIR=%{buildroot} install +%make_install %files %defattr(-,root,root) ++++++ 0001-dumpelf-check-for-invalid-section-entry-sizes.patch ++++++
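Review bot: The tarball on the `Source:` line is still fetched over plain http with no detached signature or keyring listed, so nothing in the build verifies that pax-utils-1.2.2.tar.xz is the upstream release before the four backports are applied on top of it. That line is context and predates this change, but this is the commit that pulls in a new tarball; if upstream publishes a `.asc` for it, add `Source1: http://dev.gentoo.org/~vapier/dist/pax-utils-%{version}.tar.xz.asc` and `Source2: %{name}.keyring` so the OBS source validator checks the download, and use https if the host serves it. `%autosetup -p1` applies Patch0–Patch3 and then Patch20 in numeric order, which is the intended backports-then-distro sequence; the `# backports` / `# openSUSE patches` comments make that ordering explicit and are worth keeping.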
From 4609f57a690b4a5670baeb93167dab5300d07d4e Mon Sep 17 00:00:00 2001 From: Mike Frysinger <vapier@gentoo.org> Date: Wed, 1 Feb 2017 09:29:10 -1000 Subject: [PATCH 1/4] dumpelf: check for invalid section entry sizes
URL: https://bugs.gentoo.org/607894 Reported-by: Agostino Sarubbo <ago@gentoo.org>
---
 dumpelf.c | 50 ++++++++++++++++++++++++++++---------------------- 1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/dumpelf.c b/dumpelf.c
index 6b2458a..44da3ee 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -413,17 +413,20 @@ static void dump_shdr(elfobj *elf, const void *shdr_void, size_t shdr_cnt, const
 case SHT_DYNSYM: { \
 Elf##B##_Sym *sym = vdata; \
 printf("\n\t/%c section dump:\n", '*'); \
- for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
- printf("\t * Elf%i_Sym sym%zu = {\n", B, i); \
- printf("\t * \t.st_name = %u,\n", (uint32_t)EGET(sym->st_name)); \
- printf("\t * \t.st_value = 0x%"PRIX64",\n", EGET(sym->st_value)); \
- printf("\t * \t.st_size = %"PRIu64", (bytes)\n", EGET(sym->st_size)); \
- printf("\t * \t.st_info = %u,\n", (unsigned char)EGET(sym->st_info)); \
- printf("\t * \t.st_other = %u,\n", (unsigned char)EGET(sym->st_other)); \
- printf("\t * \t.st_shndx = %u\n", (uint16_t)EGET(sym->st_shndx)); \
- printf("\t * };\n"); \
- ++sym; \
- } \
+ if (EGET(shdr->sh_entsize) < sizeof(*sym)) \
+ printf(" /* corrupt section ! */ "); \
+ else \
+ for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
+ printf("\t * Elf%i_Sym sym%zu = {\n", B, i); \
+ printf("\t * \t.st_name = %u,\n", (uint32_t)EGET(sym->st_name)); \
+ printf("\t * \t.st_value = 0x%"PRIX64",\n", EGET(sym->st_value)); \
+ printf("\t * \t.st_size = %"PRIu64", (bytes)\n", EGET(sym->st_size)); \
+ printf("\t * \t.st_info = %u,\n", (unsigned char)EGET(sym->st_info)); \
+ printf("\t * \t.st_other = %u,\n", (unsigned char)EGET(sym->st_other)); \
+ printf("\t * \t.st_shndx = %u\n", (uint16_t)EGET(sym->st_shndx)); \
+ printf("\t * };\n"); \
+ ++sym; \
+ } \
 printf("\t */\n"); \
 break; \
 } \
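Review bot: The new `sh_entsize < sizeof(*sym)` guard closes the division by zero for `sh_entsize == 0`, but the loop that follows still steps with `++sym`, i.e. by `sizeof(*sym)`, while the entry count comes from `sh_entsize`; for an entry size larger than `sizeof(*sym)` the walk stays inside the section (count * sizeof(*sym) <= sh_size) but decodes the wrong bytes as symbols. Either reject the mismatch outright, `if (EGET(shdr->sh_entsize) != sizeof(*sym))`, or index by the declared stride, `sym = (Elf##B##_Sym *)((char *)vdata + i * EGET(shdr->sh_entsize));`, and drop the `++sym`. This assumes the section's `sh_offset`/`sh_size` were already checked against `elf->len` (VALID_SHDR) earlier in dump_shdr, which is outside the hunk; if they were not, an oversized `sh_size` still reads past the mapping. The braceless `else for (...) { ... }` inside a multi-line macro is easy to mis-edit later; wrapping the else body in braces is cheap insurance.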
@@ -433,17 +436,20 @@ static void dump_shdr(elfobj *elf, const void *shdr_void, size_t shdr_cnt, const
 case SHT_GNU_LIBLIST: { \
 Elf##B##_Lib *lib = vdata; \
 printf("\n\t/%c section dump:\n", '*'); \
- for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
- printf("\t * Elf%i_Lib lib%zu = {\n", B, i); \
- printf("\t * \t.l_name = %"PRIu64",\n", EGET(lib->l_name)); \
- printf("\t * \t.l_time_stamp = 0x%"PRIX64", (%s)\n", \
- EGET(lib->l_time_stamp), timestamp(EGET(lib->l_time_stamp))); \
- printf("\t * \t.l_checksum = 0x%"PRIX64",\n", EGET(lib->l_checksum)); \
- printf("\t * \t.l_version = %"PRIu64",\n", EGET(lib->l_version)); \
- printf("\t * \t.l_flags = 0x%"PRIX64"\n", EGET(lib->l_flags)); \
- printf("\t * };\n"); \
- ++lib; \
- } \
+ if (EGET(shdr->sh_entsize) < sizeof(*lib)) \
+ printf(" /* corrupt section ! */ "); \
+ else \
+ for (i = 0; i < EGET(shdr->sh_size) / EGET(shdr->sh_entsize); ++i) { \
+ printf("\t * Elf%i_Lib lib%zu = {\n", B, i); \
+ printf("\t * \t.l_name = %"PRIu64",\n", EGET(lib->l_name)); \
+ printf("\t * \t.l_time_stamp = 0x%"PRIX64", (%s)\n", \
+ EGET(lib->l_time_stamp), timestamp(EGET(lib->l_time_stamp))); \
+ printf("\t * \t.l_checksum = 0x%"PRIX64",\n", EGET(lib->l_checksum)); \
+ printf("\t * \t.l_version = %"PRIu64",\n", EGET(lib->l_version)); \
+ printf("\t * \t.l_flags = 0x%"PRIX64"\n", EGET(lib->l_flags)); \
+ printf("\t * };\n"); \
+ ++lib; \
+ } \
 printf("\t */\n"); \
 } \
 default: { \
-- 2.10.2
++++++ 0002-dumpelf-check-for-invalid-program-headers.patch ++++++
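Review bot: The `SHT_GNU_LIBLIST` case still ends at `} \` with no `break;` before `default: { \`, so both the normal dump and the new `/* corrupt section ! */` early-out fall into the default handler; the fallthrough is context rather than new, but the new path reaches it too, and whether the default handling is meant to follow a LIBLIST dump cannot be seen from the hunk. If it is intended, mark it with a `/* fallthrough */` comment between the cases; if not, add `break; \` after `printf("\t */\n"); \`. The same stride caveat as in the SHT_DYNSYM case applies here: the count is derived from `sh_entsize` but `++lib` advances by `sizeof(*lib)`, so an entry size larger than `sizeof(*lib)` is misparsed rather than rejected, and `!=` instead of `<` would make the check exact.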
From 18ded0e30ee5a84260cceb80d818b9c21ade4c76 Mon Sep 17 00:00:00 2001 From: Mike Frysinger <vapier@gentoo.org> Date: Wed, 1 Feb 2017 10:05:09 -1000 Subject: [PATCH 2/4] dumpelf: check for invalid program headers
URL: https://bugs.gentoo.org/607896 Reported-by: Agostino Sarubbo <ago@gentoo.org>
---
 dumpelf.c | 8 ++++---- paxelf.h | 5 +++++ 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/dumpelf.c b/dumpelf.c
index 44da3ee..a9c6e05 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -293,9 +293,6 @@ static void dump_phdr(elfobj *elf, const void *phdr_void, size_t phdr_cnt)
 Elf ## B ## _Off offset = EGET(phdr->p_offset); \
 void *vdata = elf->vdata + offset; \
 uint32_t p_type = EGET(phdr->p_type); \
- switch (p_type) { \
- case PT_DYNAMIC: phdr_dynamic_void = phdr_void; break; \
- } \
 printf("/* Program Header #%zu 0x%tX */\n{\n", \
 phdr_cnt, (uintptr_t)phdr_void - elf->udata); \
 printf("\t.p_type = %-10u , /* [%s] */\n", p_type, get_elfptype(p_type)); \
@@ -307,12 +304,15 @@ static void dump_phdr(elfobj *elf, const void *phdr_void, size_t phdr_cnt)
 printf("\t.p_flags = 0x%-8X , /* %s */\n", (uint32_t)EGET(phdr->p_flags), dump_p_flags(p_type, EGET(phdr->p_flags))); \
 printf("\t.p_align = %-10"PRIu64" , /* (min mem alignment in bytes) */\n", EGET(phdr->p_align)); \
 \
- if ((off_t)EGET(phdr->p_offset) > elf->len) { \
+ if (!VALID_PHDR(elf, phdr)) { \
 printf("\t/* Warning: Program segment is corrupt. */\n"); \
 goto done##B; \
 } \
 \
 switch (p_type) { \
+ case PT_DYNAMIC: \
+ phdr_dynamic_void = phdr_void; \
+ break; \
 case PT_NOTE: \
 dump_notes(elf, B, vdata, vdata + EGET(phdr->p_filesz)); \
 break; \
diff --git a/paxelf.h b/paxelf.h
index 56fa9f3..90b283c 100644
--- a/paxelf.h
+++ b/paxelf.h
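Review bot: `vdata` is still computed as `elf->vdata + offset` at the top of the macro (context in the first hunk) before `VALID_PHDR` runs in the second hunk, so for a bogus `p_offset` the code forms a pointer far outside the mapping and only later decides not to use it; forming such a pointer is already undefined behaviour in C, which gives the optimizer licence to reason from it. Keep the `void *vdata;` declaration where it is but assign it only after the guard, `vdata = elf->vdata + offset;` right after the `if (!VALID_PHDR(elf, phdr)) { ... goto done##B; }` block, or carry the integer `offset` until then. Moving the `PT_DYNAMIC` bookkeeping under the validity check is the right call: `phdr_dynamic_void` is no longer recorded for a header whose range does not fit the file, so its later users (outside this hunk) inherit the check. dump_phdr continues past both hunks.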
@@ -45,6 +45,11 @@ typedef struct {
 EGET(shdr->sh_offset) < (uint64_t)elf->len && \
 EGET(shdr->sh_size) < (uint64_t)elf->len && \
 EGET(shdr->sh_offset) <= elf->len - EGET(shdr->sh_size))
+#define VALID_PHDR(elf, phdr) \
+ (phdr && \
+ EGET(phdr->p_filesz) < (uint64_t)elf->len && \
+ EGET(phdr->p_offset) < (uint64_t)elf->len && \
+ EGET(phdr->p_filesz) <= elf->len - EGET(phdr->p_offset))

 /* prototypes */
 extern char *pax_short_hf_flags(unsigned long flags);
-- 2.10.2
++++++ 0003-dumpelf-check-for-invalid-notes.patch ++++++
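Review bot: `VALID_PHDR` tests `p_filesz` against `elf->len` with strict `<`, which rejects a segment spanning the whole file (`p_offset == 0`, `p_filesz == elf->len`), a legal layout for small or hand-built ELFs; since the third conjunct already guarantees `p_offset + p_filesz <= elf->len` without overflow once `p_offset < elf->len` holds, the size test can safely become `EGET(phdr->p_filesz) <= (uint64_t)elf->len` (the same applies to `sh_size` in VALID_SHDR just above). The macro also evaluates `phdr` and `elf` several times without parenthesising them; the one caller passes plain identifiers, but `(phdr)`/`(elf)` costs nothing. A zero-length segment with `p_offset == elf->len` is flagged as well, which is harmless for a dumper but worth a one-line comment on the macro noting that the check is deliberately conservative.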
From 10a9643d90a1ba6058a66066803fac6cf43f6917 Mon Sep 17 00:00:00 2001 From: Mike Frysinger <vapier@gentoo.org> Date: Wed, 1 Feb 2017 12:40:09 -1000 Subject: [PATCH 3/4] dumpelf: check for invalid notes
Handle cases where the size fields would overflow the additions. URL: https://bugs.gentoo.org/607898 Reported-by: Agostino Sarubbo <ago@gentoo.org> --- dumpelf.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/dumpelf.c b/dumpelf.c index a9c6e05..60c78a3 100644 --- a/dumpelf.c +++ b/dumpelf.c @@ -209,6 +209,7 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me * world, the two structs are exactly the same. So avoid ugly CPP. */ size_t i; + bool corrupt = false; const void *ndata = memory; const char *name; const unsigned char *desc; @@ -223,23 +224,31 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me } printf("\n\t/%c note section dump:\n", '*'); - for (i = 0; ndata < memory_end; ++i) { + for (i = 0; ndata < memory_end && !corrupt; ++i) { note = ndata; namesz = EGET(note->n_namesz); descsz = EGET(note->n_descsz); - name = namesz ? ndata + sizeof(*note) : ""; - desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : ""; + if (namesz > elf->len || descsz > elf->len) + corrupt = true; + name = namesz ? ndata + sizeof(*note) : NULL; + desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : NULL; ndata += sizeof(*note) + ALIGN_UP(namesz, 4) + ALIGN_UP(descsz, 4); - if (ndata > memory_end) { + if (ndata > memory_end) + corrupt = true; + if (corrupt) { + name = NULL; + desc = NULL; printf("\tNote is corrupt\n"); - break; } printf("\t * Elf%zu_Nhdr note%zu = {\n", B, i); - printf("\t * \t.n_namesz = %u, (bytes) [%s]\n", namesz, name); + printf("\t * \t.n_namesz = %u, (bytes)", namesz); + if (name) + printf(" [%s]", name); + printf("\n"); printf("\t * \t.n_descsz = %u, (bytes)", descsz); - if (descsz) { + if (desc) { printf(" [ "); for (i = 0; i < descsz; ++i) printf("%.2X ", desc[i]); -- 2.10.2 ++++++ 0004-scanelf-check-range-of-hash-bucket.patch ++++++
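Review bot: The new `printf(" [%s]", name)` still trusts the note's name to be NUL-terminated within `namesz`; a crafted note whose name has no terminator makes `%s` read on past the name (and, for the last note, past `memory_end`) until it finds a zero byte, so bound it with `printf(" [%.*s]", (int)namesz, name);` (namesz has just been capped to `elf->len`, so the cast is fine unless the tool maps files over 2 GiB). The other gap sits before the new checks: `note = ndata` and the `EGET(note->n_namesz)`/`n_descsz` reads happen while the loop condition only guarantees `ndata < memory_end`, i.e. one byte, so a truncated trailing header still reads up to `sizeof(*note) - 1` bytes beyond the segment; `if ((const char *)memory_end - (const char *)ndata < (ptrdiff_t)sizeof(*note)) { printf("\tNote is corrupt\n"); break; }` at the top of the loop body closes that. The inner `for (i = 0; i < descsz; ++i)` reuses the outer loop's `i` (context, not new), which throws off the `note%zu` numbering after any note with a descriptor; a separate index would fix it. dump_notes continues past the end of the hunk.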
From e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d Mon Sep 17 00:00:00 2001 From: Mike Frysinger <vapier@gentoo.org> Date: Sat, 11 Feb 2017 01:54:49 -0500 Subject: [PATCH 4/4] scanelf: check range of hash bucket
Make sure we don't walk off the end of the ELF with a corrupt hash table. URL: https://bugs.gentoo.org/608766 Reported-by: Agostino Sarubbo <ago@gentoo.org>
---
 scanelf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scanelf.c b/scanelf.c
index 79ce59c..70856f3 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -332,7 +332,8 @@ static void scanelf_file_get_symtabs(elfobj *elf, void **sym, void **str)
 if (!buckets[b]) \
 continue; \
 for (sym_idx = buckets[b], chained = 0; \
- sym_idx < nchains && sym_idx && chained <= nchains; \
+ (sym_idx < nchains && sym_idx && chained <= nchains && \
+ (void *)&chains[sym_idx] + sizeof(*chains) < elf->data_end); \
 sym_idx = chains[sym_idx], ++chained) { \
 if (max_sym_idx < sym_idx) \
 max_sym_idx = sym_idx; \
-- 2.10.2
++++++ pax-utils-1.1.6.tar.xz -> pax-utils-1.2.2.tar.xz ++++++ ++++ 13039 lines of diff (skipped)
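Review bot: The new bound uses `<`, so the last chain entry is rejected whenever the chain array ends exactly at `elf->data_end`, even though reading it is in range; an entry is readable when `(void *)&chains[sym_idx] + sizeof(*chains) <= elf->data_end`. Arithmetic on `void *` is a GNU extension the file evidently relies on, but a character-pointer compare, `(const char *)&chains[sym_idx] + sizeof(*chains) <= (const char *)elf->data_end`, reads more clearly and is portable. The check covers the `chains[sym_idx]` read in the increment, which is the right spot, but `buckets[b]` and `nchains` come from the same untrusted table; whether `buckets` and the `nchains` count were range-checked against `data_end` before this loop is outside the hunk and worth confirming. scanelf_file_get_symtabs continues outside the hunk.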