Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libdwarf for openSUSE:Factory checked in at 2022-06-08 14:24:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libdwarf (Old) and /work/SRC/openSUSE:Factory/.libdwarf.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libdwarf" Wed Jun 8 14:24:45 2022 rev:25 rq:981183 version:0.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libdwarf/libdwarf.changes 2022-05-02 16:25:54.348860641 +0200 +++ /work/SRC/openSUSE:Factory/.libdwarf.new.1548/libdwarf.changes 2022-06-08 14:25:04.168513408 +0200 @@ -1,0 +2,5 @@ +Tue Jun 7 16:24:08 UTC 2022 - Dirk M??ller <dmuel...@suse.com> + +- add fix-CVE-2022-32200.patch (bsc#1200291, CVE-2022-32200) + +------------------------------------------------------------------- New: ---- fix-CVE-2022-32200.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libdwarf.spec ++++++ --- /var/tmp/diff_new_pack.3lKG17/_old 2022-06-08 14:25:04.720514093 +0200 +++ /var/tmp/diff_new_pack.3lKG17/_new 2022-06-08 14:25:04.724514098 +0200 @@ -24,6 +24,7 @@ Group: Development/Libraries/C and C++ URL: https://prevanders.net/dwarf.html Source: https://github.com/davea42/libdwarf-code/releases/download/v%{version}/libdwarf-%{version}.tar.xz +Patch1: https://github.com/davea42/libdwarf-code/commit/8151575a6ace77d005ca5bb5d71c1bfdba3f7069.patch#/fix-CVE-2022-32200.patch BuildRequires: binutils-devel BuildRequires: libelf-devel ++++++ fix-CVE-2022-32200.patch ++++++ >From 8151575a6ace77d005ca5bb5d71c1bfdba3f7069 Mon Sep 17 00:00:00 2001 From: David Anderson <dave...@linuxmail.org> Date: Sun, 29 May 2022 09:35:39 -0700 Subject: [PATCH] Fixes vulnerability DW202205-001 Reports error instead of crashing the when reading a specially crafted (corrupted) .debug_pubnames or .debug_pubtypes section. modified: src/lib/libdwarf/dwarf_global.c --- src/lib/libdwarf/dwarf_global.c | 81 +++++++++++++++++++++++++++++---- 1 file changed, 73 insertions(+), 8 deletions(-) diff --git a/src/lib/libdwarf/dwarf_global.c b/src/lib/libdwarf/dwarf_global.c index 03ee0cd2..6cfe883f 100644 --- a/src/lib/libdwarf/dwarf_global.c +++ b/src/lib/libdwarf/dwarf_global.c 
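Review bot: The spec hunk adds a `Patch1:` line but the `%prep` section is outside this diff, so it is not visible whether the patch is actually applied (`%autosetup -p1` or an explicit `%patch1 -p1`); an unapplied Patch1 would leave the CVE-2022-32200 fix out of the build while the changelog claims it, so this is worth confirming before accepting. Fetching the patch by commit hash pins it to an immutable upstream object, which is good; a tag comment above the line in the usual openSUSE form, e.g. `# PATCH-FIX-UPSTREAM fix-CVE-2022-32200.patch bsc#1200291 CVE-2022-32200 -- bounds-check .debug_pubnames/.debug_pubtypes set length`, would tell later maintainers why it is there and when it can be dropped.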
@@ -31,7 +31,6 @@ #include <config.h> #include <string.h> /* strlen() */ - #if defined(_WIN32) && defined(HAVE_STDAFX_H) #include "stdafx.h" #endif /* HAVE_STDAFX_H */ @@ -83,6 +82,33 @@ _dwarf_fix_up_offset_irix(Dwarf_Debug dbg, } #endif /* __sgi */ +#if 0 +/* Debugging only. Requires start. can calulate one of len, end */ +static void +debug_print_range(const char *msg, + int lineno, + void *start, signed long len, + void *end) +{ + + char *st = (char *)start; + char *en = (char *)end; + signed long le = len; + + if (len) { + if (en) { + le = (long)(en-st); + } else { + en= start+len; + } + } else if (en) { + le = (long)(en-st); + } + printf("RANGEdebug %s st=0x%lx le=%ld en=0x%lx line %d\n", + msg,(unsigned long)st,le,(unsigned long)en,lineno); +} +#endif + static void dealloc_globals_chain(Dwarf_Debug dbg, Dwarf_Chain head_chain) @@ -287,9 +313,9 @@ _dwarf_internal_get_pubnames_like_data(Dwarf_Debug dbg, Dwarf_Off pubnames_section_offset = 0; Dwarf_Small *section_end_ptr = section_data_ptr +section_length; - /* Points to the context for the current set of global names, and - contains information to identify the compilation-unit that the - set refers to. */ + /* Points to the context for the current set of global names, + and contains information to identify the compilation-unit + that the set refers to. */ Dwarf_Global_Context pubnames_context = 0; Dwarf_Bool pubnames_context_on_list = FALSE; @@ -301,6 +327,10 @@ _dwarf_internal_get_pubnames_like_data(Dwarf_Debug dbg, Dwarf_Unsigned global_count = 0; + /* The count is just to improve the error message + a few lines above. */ + Dwarf_Unsigned context_count = 0; + /* Used to chain the Dwarf_Global_s structs for creating contiguous list of pointers to the structs. */ Dwarf_Chain head_chain = 0; 
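Review bot: `en= start+len;` in the new debug_print_range does arithmetic on a `void *`, which ISO C does not permit (GCC accepts it as an extension), and the two pointers are printed with `%lx` through `unsigned long` casts instead of `%p`. Because the helper sits under `#if 0` it is never compiled, which is exactly how such code rots; either leave it out of the commit or make it build-clean, e.g. `en = st + len;` and `printf("RANGEdebug %s st=%p le=%ld en=%p line %d\n", msg, (void *)st, le, (void *)en, lineno);`. The comment typo `calulate` should read `calculate`.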
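Review bot: The comment on the new `context_count` declaration says the count improves the error message "a few lines above", but the only use visible in this patch is the DW_DLE_PUBNAMES_LENGTH_BAD message built later in the per-set loop, below this declaration; the same misleading comment is repeated at the increment. Suggest `/* Number of pubnames/pubtypes sets processed so far; used only to identify the offending set in the length-error message. */` at the declaration and `/* Set passed its length check; count it for error reporting. */` at the increment. The enclosing function _dwarf_internal_get_pubnames_like_data starts and ends outside this hunk.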
@@ -384,6 +414,41 @@ _dwarf_internal_get_pubnames_like_data(Dwarf_Debug dbg, } return mres; } + { + Dwarf_Small * localend =pubnames_like_ptr + length; + + if ((length > section_length) || + (localend > section_end_ptr)){ + /* The length field is corrupted */ + dwarfstring m; + + dwarfstring_constructor(&m); + dwarfstring_append_printf_u(&m, + "DW_DLE_PUBNAMES_LENGTH_BAD (or similar) " + "A DWARF length field in cu context %u ", + context_count); + dwarfstring_append_printf_s(&m,"of section %s ", + (char *)secname); + dwarfstring_append_printf_u(&m,"of " + "%u bytes ",length); + dwarfstring_append_printf_u(&m, + "runs off the end of " + "the %u bytes of the real section", + section_length); + _dwarf_error_string(dbg, error,length_err_num, + dwarfstring_string(&m)); + dwarfstring_destructor(&m); + dealloc_globals_chain(dbg,head_chain); + if (!pubnames_context_on_list) { + dwarf_dealloc(dbg,pubnames_context, + context_DLA_code); + } + return DW_DLV_ERROR; + } + } + /* The count is just to improve the error message + a few lines above. */ + ++context_count; pubnames_context->pu_alloc_type = context_DLA_code; pubnames_context->pu_length_size = local_length_size; pubnames_context->pu_length = length; @@ -393,8 +458,7 @@ _dwarf_internal_get_pubnames_like_data(Dwarf_Debug dbg, pubnames_ptr_past_end_cu = pubnames_like_ptr + length; pubnames_context->pu_pub_entries_end_ptr = pubnames_ptr_past_end_cu; - - if ((pubnames_like_ptr + (DWARF_HALF_SIZE) ) > + if ((pubnames_like_ptr + (DWARF_HALF_SIZE) ) >= /* A minimum size needed */ section_end_ptr) { pubnames_error_length(dbg,error, @@ -554,6 +618,7 @@ _dwarf_internal_get_pubnames_like_data(Dwarf_Debug dbg, while (die_offset_in_cu) { int res = 0; unsigned char *glname = 0; + Dwarf_Unsigned nstrlen = 0; /* non-zero die_offset_in_cu already read, so pubnames_like_ptr points to a string. */ 
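Review bot: `localend = pubnames_like_ptr + length` is computed before the bounds test, so for a corrupted `length` the out-of-range pointer is formed first and only afterwards compared with `section_end_ptr`; forming a pointer beyond one past the end of the section buffer is undefined behaviour, and with a large 64-bit length the addition can wrap so that `localend > section_end_ptr` is false. Comparing lengths only avoids both problems: `if (length > section_length || length > (Dwarf_Unsigned)(section_end_ptr - pubnames_like_ptr)) {` with the `localend` temporary dropped, since the hunk already derives `pubnames_ptr_past_end_cu` after the check succeeds. The `length > section_length` test on its own appears insufficient because `pubnames_like_ptr` has presumably advanced past earlier sets in the section, which is why the second comparison matters. The error path's cleanup (dealloc_globals_chain plus the conditional dwarf_dealloc of pubnames_context) mirrors the `mres` error return just above it; the enclosing function starts and ends outside this hunk.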
@@ -570,8 +635,8 @@ _dwarf_internal_get_pubnames_like_data(Dwarf_Debug dbg, return res; } glname = (unsigned char *)pubnames_like_ptr; - pubnames_like_ptr = pubnames_like_ptr + - strlen((char *) pubnames_like_ptr) + 1; + nstrlen = strlen((char *)pubnames_like_ptr); + pubnames_like_ptr += nstrlen + 1; /* Already read offset and verified string, glname now points to the string. */ res = _dwarf_make_global_add_to_chain(dbg,