rpms/gdb/FC-4 gdb-6.3-security-errata-20050608.patch, NONE, 1.1 gdb.spec, 1.147, 1.148
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Jun 10 19:14:54 UTC 2005
- Previous message (by thread): rpms/HelixPlayer/FC-4-embargo .cvsignore, 1.7, 1.8 HelixPlayer.spec, 1.35, 1.36 sources, 1.8, 1.9
- Next message (by thread): rpms/HelixPlayer/FC-4-embargo HelixPlayer-1.0.5-missing-header.patch, NONE, 1.1 HelixPlayer.spec, 1.36, 1.37
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jjohnstn
Update of /cvs/dist/rpms/gdb/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv6938
Modified Files:
gdb.spec
Added Files:
gdb-6.3-security-errata-20050608.patch
Log Message:
* Fri Jun 10 2005 Jeff Johnston <jjohnstn at redhat.com> 6.3.0.0-1.27
- Bump up release number.
* Fri Jun 10 2005 Jeff Johnston <jjohnstn at redhat.com> 6.3.0.0-1.25
- Security errata for bfd and .gdbinit file usage
- Bugzilla 158680
gdb-6.3-security-errata-20050608.patch:
bfd/elf.c | 7
bfd/elfcode.h | 71 +
gdb/Makefile.in | 2
gdb/cli/cli-cmds.c | 25
gdb/config.in | 3
gdb/configure | 1210 +++++++++++++++++-----------------
gdb/configure.in | 1
gdb/main.c | 4
gdb/testsuite/gdb.base/gdbinit.exp | 98 ++
gdb/testsuite/gdb.base/gdbinit.sample | 1
10 files changed, 830 insertions(+), 592 deletions(-)
--- NEW FILE gdb-6.3-security-errata-20050608.patch ---
2005-06-09 Jeff Johnston <jjohnstn at redhat.com>
* gdb.base/gdbinit.exp: New testcase.
* gdb.base/gdbinit.sample: Sample .gdbinit for gdbinit.exp.
2005-06-08 Daniel Jacobowitz <dan at codesourcery.com>
Jeff Johnston <jjohnstn at redhat.com>
* Makefile.in (cli-cmds.o): Update.
* configure.in: Add check for getuid.
* configure: Regenerated.
* config.in: Ditto.
* main.c (captured_main): Pass -1 to source_command when loading
gdbinit files.
* cli/cli-cmds.c: Include "gdb_stat.h" and <fcntl.h>.
(source_command): Update documentation. Check permissions if
FROM_TTY is -1.
2005-05-17 H.J. Lu <hongjiu.lu at intel.com>
* elf.c (group_signature): Check if the symbol table section is
correct.
2005-05-25 Jakub Jelinek <jakub at redhat.com>
* elfcode.h (elf_object_p): Fail if e_shoff != 0, e_shnum == 0 and
first shdr has sh_size == 0. Fail if e_shnum is large to cause
arithmetic overflow when allocating the i_shdr array.
Sanity check sh_link and sh_info fields. Fix e_shstrndx sanity check.
2005-05-07 Mike Frysinger <vapier at gentoo.org>
* elfcode.h (elf_object_p): Add more sanity checks on elf header.
--- gdb-6.3/gdb/config.in.fix 2005-06-10 14:44:45.000000000 -0400
+++ gdb-6.3/gdb/config.in 2005-06-10 14:44:53.000000000 -0400
@@ -203,6 +203,9 @@
/* Define if you have the getpagesize function. */
#undef HAVE_GETPAGESIZE
+/* Define if you have the getuid function. */
+#undef HAVE_GETUID
+
/* Define if you have the monstartup function. */
#undef HAVE_MONSTARTUP
--- gdb-6.3/gdb/cli/cli-cmds.c.fix 2005-06-08 18:43:11.000000000 -0400
+++ gdb-6.3/gdb/cli/cli-cmds.c 2005-06-09 18:23:54.000000000 -0400
@@ -37,6 +37,7 @@
#include "objfiles.h"
#include "source.h"
#include "disasm.h"
+#include "gdb_stat.h"
#include "ui-out.h"
@@ -54,6 +55,8 @@
#define GDBINIT_FILENAME ".gdbinit"
#endif
+#include <fcntl.h>
+
/* Prototypes for local command functions */
static void complete_command (char *, int);
@@ -441,12 +444,32 @@ source_command (char *args, int from_tty
stream = fopen (file, FOPEN_RT);
if (!stream)
{
- if (from_tty)
+ if (from_tty > 0)
perror_with_name (file);
else
return;
}
+#ifdef HAVE_GETUID
+ if (from_tty == -1)
+ {
+ struct stat statbuf;
+ int fd = fileno (stream);
+ if (fstat (fd, &statbuf) < 0)
+ {
+ perror_with_name (file);
+ fclose (stream);
+ return;
+ }
+ if (statbuf.st_uid != getuid () || (statbuf.st_mode & S_IWOTH))
+ {
+ warning (_("not using untrusted file \"%s\""), file);
+ fclose (stream);
+ return;
+ }
+ }
+#endif
+
script_from_file (stream, file);
do_cleanups (old_cleanups);
--- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp.fix 2005-06-09 20:22:14.000000000 -0400
+++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp 2005-06-09 20:22:59.000000000 -0400
@@ -0,0 +1,98 @@
+# Copyright 2005
+# Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Please email any bugs, comments, and/or additions to this file to:
+# bug-gdb at prep.ai.mit.edu
+
+# This file was written by Jeff Johnston <jjohnstn at redhat.com>.
+
+if $tracelevel then {
+ strace $tracelevel
+}
+
+set prms_id 0
+set bug_id 0
+
+# are we on a target board
+if [is_remote target] {
+ return
+}
+
+
+global verbose
+global GDB
+global GDBFLAGS
+global gdb_prompt
+global timeout
+global gdb_spawn_id;
+
+gdb_stop_suppressing_tests;
+
+verbose "Spawning $GDB -nw"
+
+if [info exists gdb_spawn_id] {
+ return 0;
+}
+
+if ![is_remote host] {
+ if { [which $GDB] == 0 } then {
+ perror "$GDB does not exist."
+ exit 1
+ }
+}
+
+set env(HOME) [pwd]
+remote_exec build "rm .gdbinit"
+remote_exec build "cp ${srcdir}/${subdir}/gdbinit.sample .gdbinit"
+remote_exec build "chmod 646 .gdbinit"
+
+set res [remote_spawn host "$GDB -nw [host_info gdb_opts]"];
+if { $res < 0 || $res == "" } {
+ perror "Spawning $GDB failed."
+ return 1;
+}
+gdb_expect 360 {
+ -re "warning: not using untrusted file.*\.gdbinit.*\[\r\n\]$gdb_prompt $" {
+ pass "untrusted .gdbinit caught."
+ }
+ -re "$gdb_prompt $" {
+ fail "untrusted .gdbinit caught."
+ }
+ timeout {
+ fail "(timeout) untrusted .gdbinit caught."
+ }
+}
+
+remote_exec build "chmod 644 .gdbinit"
+set res [remote_spawn host "$GDB -nw [host_info gdb_opts]"];
+if { $res < 0 || $res == "" } {
+ perror "Spawning $GDB failed."
+ return 1;
+}
+gdb_expect 360 {
+ -re "warning: not using untrusted file.*\.gdbinit.*\[\r\n\]$gdb_prompt $" {
+ fail "trusted .gdbinit allowed."
+ }
+ -re "in gdbinit.*$gdb_prompt $" {
+ pass "trusted .gdbinit allowed."
+ }
+ timeout {
+ fail "(timeout) trusted .gdbinit allowed."
+ }
+}
+
[...4594 lines suppressed...]
- if { (eval echo configure:11075: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
+ if { (eval echo configure:11119: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
for file in conftest.*; do
case $file in
- *.c | *.C | *.o | *.obj | *.ilk | *.pdb) ;;
+ *.c | *.o | *.obj) ;;
*) ac_cv_exeext=`echo $file | sed -e s/conftest//` ;;
esac
done
@@ -11113,7 +11157,7 @@ fi
echo $ac_n "checking for iconv""... $ac_c" 1>&6
-echo "configure:11117: checking for iconv" >&5
+echo "configure:11161: checking for iconv" >&5
if eval "test \"`echo '$''{'am_cv_func_iconv'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@@ -11121,7 +11165,7 @@ else
am_cv_func_iconv="no, consider installing GNU libiconv"
am_cv_lib_iconv=no
cat > conftest.$ac_ext <<EOF
-#line 11125 "configure"
+#line 11169 "configure"
#include "confdefs.h"
#include <stdlib.h>
#include <iconv.h>
@@ -11131,7 +11175,7 @@ iconv_t cd = iconv_open("","");
iconv_close(cd);
; return 0; }
EOF
-if { (eval echo configure:11135: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11179: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
am_cv_func_iconv=yes
else
@@ -11143,7 +11187,7 @@ rm -f conftest*
am_save_LIBS="$LIBS"
LIBS="$LIBS -liconv"
cat > conftest.$ac_ext <<EOF
-#line 11147 "configure"
+#line 11191 "configure"
#include "confdefs.h"
#include <stdlib.h>
#include <iconv.h>
@@ -11153,7 +11197,7 @@ iconv_t cd = iconv_open("","");
iconv_close(cd);
; return 0; }
EOF
-if { (eval echo configure:11157: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11201: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
am_cv_lib_iconv=yes
am_cv_func_iconv=yes
@@ -11174,13 +11218,13 @@ echo "$ac_t""$am_cv_func_iconv" 1>&6
EOF
echo $ac_n "checking for iconv declaration""... $ac_c" 1>&6
-echo "configure:11178: checking for iconv declaration" >&5
+echo "configure:11222: checking for iconv declaration" >&5
if eval "test \"`echo '$''{'am_cv_proto_iconv'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 11184 "configure"
+#line 11228 "configure"
#include "confdefs.h"
#include <stdlib.h>
@@ -11199,7 +11243,7 @@ int main() {
; return 0; }
EOF
-if { (eval echo configure:11203: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:11247: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
am_cv_proto_iconv_arg1=""
else
--- gdb-6.3/bfd/elf.c.fix 2005-06-08 18:42:42.000000000 -0400
+++ gdb-6.3/bfd/elf.c 2005-06-08 18:50:42.000000000 -0400
@@ -438,8 +438,11 @@ group_signature (bfd *abfd, Elf_Internal
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
- /* First we need to ensure the symbol table is available. */
- if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
+ /* First we need to ensure the symbol table is available. Make sure
+ that it is a symbol table section. */
+ hdr = elf_elfsections (abfd) [ghdr->sh_link];
+ if (hdr->sh_type != SHT_SYMTAB
+ || ! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
/* Go read the symbol. */
--- gdb-6.3/bfd/elfcode.h.fix 2005-06-08 18:42:50.000000000 -0400
+++ gdb-6.3/bfd/elfcode.h 2005-06-08 18:50:38.000000000 -0400
@@ -613,8 +613,13 @@ elf_object_p (bfd *abfd)
if (i_ehdrp->e_shoff != 0)
{
+ bfd_signed_vma where = i_ehdrp->e_shoff;
+
+ if (where != (file_ptr) where)
+ goto got_wrong_format_error;
+
/* Seek to the section header table in the file. */
- if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0)
+ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
goto got_no_match;
/* Read the first section header at index 0, and convert to internal
@@ -626,11 +631,46 @@ elf_object_p (bfd *abfd)
/* If the section count is zero, the actual count is in the first
section header. */
if (i_ehdrp->e_shnum == SHN_UNDEF)
- i_ehdrp->e_shnum = i_shdr.sh_size;
+ {
+ i_ehdrp->e_shnum = i_shdr.sh_size;
+ if (i_ehdrp->e_shnum != i_shdr.sh_size
+ || i_ehdrp->e_shnum == 0)
+ goto got_wrong_format_error;
+ }
/* And similarly for the string table index. */
if (i_ehdrp->e_shstrndx == SHN_XINDEX)
- i_ehdrp->e_shstrndx = i_shdr.sh_link;
+ {
+ i_ehdrp->e_shstrndx = i_shdr.sh_link;
+ if (i_ehdrp->e_shstrndx != i_shdr.sh_link)
+ goto got_wrong_format_error;
+ }
+
+ /* Sanity check that we can read all of the section headers.
+ It ought to be good enough to just read the last one. */
+ if (i_ehdrp->e_shnum != 1)
+ {
+ /* Check that we don't have a totally silly number of sections. */
+ if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr)
+ || i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (i_shdr))
+ goto got_wrong_format_error;
+
+ where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr);
+ if (where != (file_ptr) where)
+ goto got_wrong_format_error;
+ if ((bfd_size_type) where <= i_ehdrp->e_shoff)
+ goto got_wrong_format_error;
+
+ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+ goto got_no_match;
+ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+ goto got_no_match;
+
+ /* Back to where we were. */
+ where = i_ehdrp->e_shoff + sizeof (x_shdr);
+ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+ goto got_no_match;
+ }
}
/* Allocate space for a copy of the section header table in
@@ -674,6 +714,20 @@ elf_object_p (bfd *abfd)
goto got_no_match;
elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ /* Sanity check sh_link and sh_info. */
+ if (i_shdrp[shindex].sh_link >= num_sec
+ || (i_shdrp[shindex].sh_link >= SHN_LORESERVE
+ && i_shdrp[shindex].sh_link <= SHN_HIRESERVE))
+ goto got_wrong_format_error;
+
+ if (((i_shdrp[shindex].sh_flags & SHF_INFO_LINK)
+ || i_shdrp[shindex].sh_type == SHT_RELA
+ || i_shdrp[shindex].sh_type == SHT_REL)
+ && (i_shdrp[shindex].sh_info >= num_sec
+ || (i_shdrp[shindex].sh_info >= SHN_LORESERVE
+ && i_shdrp[shindex].sh_info <= SHN_HIRESERVE)))
+ goto got_wrong_format_error;
+
/* If the section is loaded, but not page aligned, clear
D_PAGED. */
if (i_shdrp[shindex].sh_size != 0
@@ -692,6 +746,17 @@ elf_object_p (bfd *abfd)
goto got_no_match;
}
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+ || (i_ehdrp->e_shstrndx >= SHN_LORESERVE
+ && i_ehdrp->e_shstrndx <= SHN_HIRESERVE))
+ goto got_wrong_format_error;
+ }
+ else if (i_ehdrp->e_shstrndx != 0)
+ goto got_wrong_format_error;
+
/* Read in the program headers. */
if (i_ehdrp->e_phnum == 0)
elf_tdata (abfd)->phdr = NULL;
Index: gdb.spec
===================================================================
RCS file: /cvs/dist/rpms/gdb/FC-4/gdb.spec,v
retrieving revision 1.147
retrieving revision 1.148
diff -u -r1.147 -r1.148
--- gdb.spec 18 May 2005 19:25:28 -0000 1.147
+++ gdb.spec 10 Jun 2005 19:14:52 -0000 1.148
@@ -11,7 +11,7 @@
Version: 6.3.0.0
# The release always contains a leading reserved number, start it at 0.
-Release: 1.24
+Release: 1.27
License: GPL
Group: Development/Debuggers
@@ -219,6 +219,9 @@
# SA_RESTART patch
Patch156: gdb-6.3-sarestart-20050518.patch
+# Security errata for bfd overflow and untrusted .gdbinit
+Patch157: gdb-6.3-security-errata-20050608.patch
+
%ifarch ia64
BuildRequires: ncurses-devel glibc-devel gcc make gzip texinfo dejagnu libunwind >= 0.96-3
%else
@@ -307,6 +310,7 @@
%patch154 -p1
%patch155 -p1
%patch156 -p1
+%patch157 -p1
# Change the version that gets printed at GDB startup, so it is RedHat
# specific.
@@ -475,6 +479,13 @@
# don't include the files in include, they are part of binutils
%changelog
+* Fri Jun 10 2005 Jeff Johnston <jjohnstn at redhat.com> 6.3.0.0-1.27
+- Bump up release number.
+
+* Fri Jun 10 2005 Jeff Johnston <jjohnstn at redhat.com> 6.3.0.0-1.25
+- Security errata for bfd and .gdbinit file usage
+- Bugzilla 158680
+
* Wed May 18 2005 Jeff Johnston <jjohnstn at redhat.com> 6.3.0.0-1.24
- Bump up release number.
- Previous message (by thread): rpms/HelixPlayer/FC-4-embargo .cvsignore, 1.7, 1.8 HelixPlayer.spec, 1.35, 1.36 sources, 1.8, 1.9
- Next message (by thread): rpms/HelixPlayer/FC-4-embargo HelixPlayer-1.0.5-missing-header.patch, NONE, 1.1 HelixPlayer.spec, 1.36, 1.37
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list