Bug 15022

LWN reference for CVE-2014-8484 and CVE-2014-8485:
http://lwn.net/Vulnerabilities/629234/

See the CVE descriptions, all of them have been fixed in binutils 2.25.

For cauldron:
CVE-2014-8737: was already fixed in 1:2.24-11.mga5
CVE-2014-8738: not sure, might be fixed with same patch as CVE-2014-8737
CVE-2014-8504: was already fixed in 1:2.24-11.mga5
CVE-2014-8503: was already fixed in 1:2.24-11.mga5
CVE-2014-8502: was already fixed in 1:2.24-11.mga5
CVE-2014-8501: was already fixed in 1:2.24-11.mga5
CVE-2014-8485: was already fixed in 1:2.24-11.mga5
CVE-2014-8484: was already fixed in 1:2.24-11.mga5

CC: (none) => cjw

Debian has links to the upstream commits for the CVEs.  CVE-2014-8737 and CVE-2014-8738 are different and the fixes are in different source files.  The binutils-2.24-corrupt-ar.patch patch we have has part of the CVE-2014-8738 patch, but not all of it:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f

binutils-2.24-corrupt-ar.patch is CVE-2014-8737.

In fact, Debian's CVE-2014-8738 patch has the two parts we're missing.

Description: CVE-2014-8738 fix
Author: Luciano Bello <luciano@debian.org>
Origin: backport: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f
Applied-Upstream: commit: bb0d867169d7e9743d229804106a8fbcab7f3b3f
---
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -1272,6 +1272,9 @@ _bfd_slurp_extended_name_table (bfd *abf
       amt = namedata->parsed_size;
       if (amt + 1 == 0)
         goto byebye;
+      /* PR binutils/17533: A corrupt archive can contain an invalid size.  */
+      if (amt > (bfd_size_type) bfd_get_size (abfd))
+       goto byebye;
 
       bfd_ardata (abfd)->extended_names_size = amt;
       bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
@@ -1289,7 +1292,6 @@ _bfd_slurp_extended_name_table (bfd *abf
         if (bfd_get_error () != bfd_error_system_call)
           bfd_set_error (bfd_error_malformed_archive);
         bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
-        bfd_ardata (abfd)->extended_names = NULL;
         goto byebye;
       }

(In reply to David Walser from comment #3)
> Debian has links to the upstream commits for the CVEs. 

I checked the commits of course, but used links in the separate redhat bugs (:

> The binutils-2.24-corrupt-ar.patch patch we have has part of the
> CVE-2014-8738 patch, but not all of it:

Thanks, the missing chunks are added as separate patch in binutils-2.24-12.mga5.

I don't have any plans for mga4 at this time.

OK, hopefully the rest of the CVEs are fully fixed.  Marking this as just for Mageia 4 now.

Since Mageia 4 is also binutils 2.24, is there any reason we can't sync it with Cauldron?

Whiteboard: MGA4TOO => (none)
Blocks: 14674 => (none)
Version: Cauldron => 4

Looking at the changelog I'd say submitting 2.24-12.mga5 as 2.24-3.1.mga4 is the right way to resolve the security issues.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated binutils packages fix security vulnerabilities:

Multiple security issues have been found in binutils. These vulnerabilities
include multiple memory safety errors, buffer overflows, use-after-frees and
other implementation errors may lead to the execution of arbitrary code, the
bypass of security restrictions, path traversal attack or denial of service
(CVE-2014-8484, CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503,
CVE-2014-8504, CVE-2014-8737, CVE-2014-8738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8738
https://www.debian.org/security/2015/dsa-3123
========================

Updated packages in core/updates_testing:
========================
binutils-2.24-3.1.mga4
libbinutils-devel-2.24-3.1.mga4

from binutils-2.24-3.1.mga4.src.rpm

Assignee: tmb => qa-bugs

Testing on Mageia4x64, real hardware

From current package :
--------------------
binutils-2.24-3.mga4

Ran a few binutils commands on binaries.

$ size --format=SysV /usr/bin/znc
/usr/bin/znc  :
section                 size      addr
.interp                   28   4194872
.note.ABI-tag             32   4194900
(...)
.gnu_debuglink            16         0
.gnu_debugdata          1992         0
Total                1380109

$ objdump -f /usr/bin/zip

/usr/bin/zip:     format de fichier elf64-x86-64
architecture: i386:x86-64, fanions 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
adresse de départ 0x000000000040816f

$ strings -a /usr/bin/lsusb
/lib64/ld-linux-x86-64.so.2
libusb-1.0.so.0
(...)
.gnu_debuglink
.gnu_debugdata

$ ar -cvq testbinutils.a Yamaha2.wav Yamaha.ogg
a - Yamaha2.wav
a - Yamaha.ogg

created an archive file (testbinutils.a) from two sound files

$ ar vx drawpile_0.8.6-1~getdeb1_amd64.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz

extracted a deb file found on the web

To updated testing packages :
---------------------------
binutils-2.24-3.1.mga4

Ran same tests, all gave same results.
OK for these tests but I guess there is more to do to efficiently test binutils.

CC: (none) => olchal

Testing Mageia 4 i586.

$ size --format=SysV /usr/bin/krfb
/usr/bin/krfb  :
section                size        addr
.interp                  19   134512980
.note.ABI-tag            32   134513000
.note.gnu.build-id       36   134513032
.gnu.hash              5636   134513068
.dynsym               14064   134518704
.dynstr               24680   134532768
.gnu.version           1758   134557448
.gnu.version_r          304   134559208
.rel.dyn                232   134559512
.rel.plt               4616   134559744
.init                    35   134564360
.plt                   9248   134564400
.text                244002   134573648
.fini                    20   134817652
.rodata               41702   134817696
.eh_frame_hdr          5644   134859400
.eh_frame             33236   134865044
.init_array               4   134905488
.fini_array               4   134905492
.jcr                      4   134905496
.dynamic                352   134905500
.got                      4   134905852
.got.plt               2320   134905856
.data                   524   134908192
.bss                  89600   134908736
.gnu_debuglink           16           0
.gnu_debugdata         7320           0
Total                485412

$ objdump -f /usr/bin/zip

/usr/bin/zip:     file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0805019e

$ strings -a /usr/bin/lsusb -n 60
{%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x}
      Warning: mixer with %5u input and %5u output channels.
      Warning: CLOCK_SOURCE descriptors are illegal for UAC1
      Warning: CLOCK_SELECTOR descriptors are illegal for UAC1
      Warning: CLOCK_MULTIPLIER descriptors are illegal for UAC1
      Warning: SAMPLE_RATE_CONVERTER_UNIT descriptors are illegal for UAC1
Couldn't get configuration descriptor 0, some information will be missing
Couldn't get configuration descriptor %d, some information will be missing
FIXME: alloc bigger buffer for device capability descriptors
      Lowest fully-functional device speed is Low Speed (1Mbps)
      Lowest fully-functional device speed is Full Speed (12Mbps)
      Lowest fully-functional device speed is High Speed (480Mbps)
      Lowest fully-functional device speed is SuperSpeed (5Gbps)
      Lowest fully-functional device speed is at an unknown speed!
Duplicate Physdes  type spec at line %u terminal type %04x %s
Product/Subclass spec without prior Vendor/Class spec at line %u
Protocol spec without prior Class and Subclass spec at line %u
Duplicate audio terminal type spec at line %u terminal type %04x %s
Duplicate video terminal type spec at line %u terminal type %04x %s

$ ar -cvq testar.a pop.wav KDE-Sys-Log-In.ogg
a - pop.wav
a - KDE-Sys-Log-In.ogg

$ ar vx wicd_1.7.2.4-4.1_all.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz

Looks good.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK

seems to be an issue reported in bug 15063, blocking for now

CC: (none) => tmb
Depends on: (none) => 15063

Dropping the blocker... turns out its not a regression but an old known problem with known workarounds... I will maybe fix it later for mga4, but no need to hold up this security update.

Depends on: 15063 => (none)

Validating. Advisory uploaded.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0027.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED