* [PATCH] gcc-9.2: Security fix for CVE-2019-14250
@ 2019-08-31 21:15 Armin Kuster
2019-09-01 14:05 ` Adrian Bunk
0 siblings, 1 reply; 8+ messages in thread
From: Armin Kuster @ 2019-08-31 21:15 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
Affects: <= 9.2
Signed-off-by: Armin Kuster <Akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/gcc/gcc-9.2.inc | 1 +
.../gcc/gcc-9.2/CVE-2019-14250.patch | 44 +++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.2.inc b/meta/recipes-devtools/gcc/gcc-9.2.inc
index 1c3e200dab..01d3bf0f32 100644
--- a/meta/recipes-devtools/gcc/gcc-9.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-9.2.inc
@@ -64,6 +64,7 @@ SRC_URI = "\
file://0034-fix-segmentation-fault-in-precompiled-header-generat.patch \
file://0035-Fix-for-testsuite-failure.patch \
file://0036-Re-introduce-spe-commandline-options.patch \
+ file://CVE-2019-14250.patch \
"
S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
SRC_URI[md5sum] = "3818ad8600447f05349098232c2ddc78"
diff --git a/meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch
new file mode 100644
index 0000000000..65ea34558a
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch
@@ -0,0 +1,44 @@
+From 517b211a3d78366ca8d5929f580e8ca72fd2c004 Mon Sep 17 00:00:00 2001
+From: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 25 Jul 2019 10:46:54 +0000
+Subject: [PATCH] 2019-07-25 Richard Biener <rguenther@suse.de>
+
+ PR lto/90924
+ Backport from mainline
+ 2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
+
+ * simple-object-elf.c (simple_object_elf_match): Check zero value
+ shstrndx.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-9-branch@273793 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Affectes: < 9.2
+CVE: CVE-2019-14250
+Dropped changelog
+Signed-off-by: Armin Kuster <Akustre@mvista.com>
+
+---
+ libiberty/simple-object-elf.c | 8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: gcc-9.2.0/libiberty/simple-object-elf.c
+===================================================================
+--- gcc-9.2.0.orig/libiberty/simple-object-elf.c
++++ gcc-9.2.0/libiberty/simple-object-elf.c
+@@ -557,6 +557,14 @@ simple_object_elf_match (unsigned char h
+ return NULL;
+ }
+
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
--
2.17.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-08-31 21:15 [PATCH] gcc-9.2: Security fix for CVE-2019-14250 Armin Kuster
@ 2019-09-01 14:05 ` Adrian Bunk
2019-09-01 17:07 ` akuster808
0 siblings, 1 reply; 8+ messages in thread
From: Adrian Bunk @ 2019-09-01 14:05 UTC (permalink / raw)
To: Armin Kuster; +Cc: openembedded-core
thud and zeus are providing 2 gcc versions each that need fixing.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-09-01 14:05 ` Adrian Bunk
@ 2019-09-01 17:07 ` akuster808
2019-09-02 12:40 ` Adrian Bunk
0 siblings, 1 reply; 8+ messages in thread
From: akuster808 @ 2019-09-01 17:07 UTC (permalink / raw)
To: Adrian Bunk; +Cc: openembedded-core
On 9/1/19 7:05 AM, Adrian Bunk wrote:
> thud and zeus are providing 2 gcc versions each that need fixing.
That is a true statement. What are you expecting?
- armin
>
> cu
> Adrian
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-09-01 17:07 ` akuster808
@ 2019-09-02 12:40 ` Adrian Bunk
2019-09-02 16:10 ` akuster808
2019-09-02 21:33 ` akuster808
0 siblings, 2 replies; 8+ messages in thread
From: Adrian Bunk @ 2019-09-02 12:40 UTC (permalink / raw)
To: akuster808; +Cc: openembedded-core
On Sun, Sep 01, 2019 at 10:07:13AM -0700, akuster808 wrote:
>
>
> On 9/1/19 7:05 AM, Adrian Bunk wrote:
> > thud and zeus are providing 2 gcc versions each that need fixing.
> That is a true statement. What are you expecting?
The other versions also being fixed?
gcc-8 being fixed in warrior before it gets fixed in master would be
the wrong order, and would introduce a security regression in master.
The code should be nearly identical in warrior and master, so fixing
this also in gcc-8 in master should be trivial.
Fixing gcc-7 in thud would be a bonus.
> - armin
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-09-02 12:40 ` Adrian Bunk
@ 2019-09-02 16:10 ` akuster808
2019-09-02 21:33 ` akuster808
1 sibling, 0 replies; 8+ messages in thread
From: akuster808 @ 2019-09-02 16:10 UTC (permalink / raw)
To: Adrian Bunk; +Cc: openembedded-core
On 9/2/19 5:40 AM, Adrian Bunk wrote:
> On Sun, Sep 01, 2019 at 10:07:13AM -0700, akuster808 wrote:
>>
>> On 9/1/19 7:05 AM, Adrian Bunk wrote:
>>> thud and zeus are providing 2 gcc versions each that need fixing.
>> That is a true statement. What are you expecting?
> The other versions also being fixed?
By whom?
>
> gcc-8 being fixed in warrior before it gets fixed in master would be
> the wrong order, and would introduce a security regression in master.
Warrior mainline does not have this fix nor does Thud. There is nothing
wrong doing all the prep-work so changes can land in the the proper
order. I am fine if they don't get accepted.
>
> The code should be nearly identical in warrior and master, so fixing
> this also in gcc-8 in master should be trivial.
If I find some additional free time and resources, I might be able to
swing that. We currently don't validate the Alt gcc's and they add a
maintenance burden.
IMHO, the older one should be dropped, like we did for Warrior.
>
> Fixing gcc-7 in thud would be a bonus.
Patches welcome for the bonus.
- armin
>
>> - armin
> cu
> Adrian
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-09-02 12:40 ` Adrian Bunk
2019-09-02 16:10 ` akuster808
@ 2019-09-02 21:33 ` akuster808
2019-09-03 3:41 ` Adrian Bunk
2019-09-03 5:50 ` Mikko.Rapeli
1 sibling, 2 replies; 8+ messages in thread
From: akuster808 @ 2019-09-02 21:33 UTC (permalink / raw)
To: Adrian Bunk; +Cc: openembedded-core
On 9/2/19 5:40 AM, Adrian Bunk wrote:
> On Sun, Sep 01, 2019 at 10:07:13AM -0700, akuster808 wrote:
>>
>> On 9/1/19 7:05 AM, Adrian Bunk wrote:
>>> thud and zeus are providing 2 gcc versions each that need fixing.
>> That is a true statement. What are you expecting?
> The other versions also being fixed?
>
> gcc-8 being fixed in warrior before it gets fixed in master would be
> the wrong order, and would introduce a security regression in master.
sent a patch. hope it is what is meant by the above.
>
> The code should be nearly identical in warrior and master, so fixing
> this also in gcc-8 in master should be trivial.
>
> Fixing gcc-7 in thud would be a bonus.
>
>> - armin
> cu
> Adrian
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-09-02 21:33 ` akuster808
@ 2019-09-03 3:41 ` Adrian Bunk
2019-09-03 5:50 ` Mikko.Rapeli
1 sibling, 0 replies; 8+ messages in thread
From: Adrian Bunk @ 2019-09-03 3:41 UTC (permalink / raw)
To: akuster808; +Cc: openembedded-core
On Mon, Sep 02, 2019 at 02:33:02PM -0700, akuster808 wrote:
>
>
> On 9/2/19 5:40 AM, Adrian Bunk wrote:
> > On Sun, Sep 01, 2019 at 10:07:13AM -0700, akuster808 wrote:
> >>
> >> On 9/1/19 7:05 AM, Adrian Bunk wrote:
> >>> thud and zeus are providing 2 gcc versions each that need fixing.
> >> That is a true statement. What are you expecting?
> > The other versions also being fixed?
> >
> > gcc-8 being fixed in warrior before it gets fixed in master would be
> > the wrong order, and would introduce a security regression in master.
> sent a patch. hope it is what is meant by the above.
Thanks a lot!
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] gcc-9.2: Security fix for CVE-2019-14250
2019-09-02 21:33 ` akuster808
2019-09-03 3:41 ` Adrian Bunk
@ 2019-09-03 5:50 ` Mikko.Rapeli
1 sibling, 0 replies; 8+ messages in thread
From: Mikko.Rapeli @ 2019-09-03 5:50 UTC (permalink / raw)
To: akuster808; +Cc: openembedded-core, bunk
On Mon, Sep 02, 2019 at 02:33:02PM -0700, akuster808 wrote:
>
>
> On 9/2/19 5:40 AM, Adrian Bunk wrote:
> > On Sun, Sep 01, 2019 at 10:07:13AM -0700, akuster808 wrote:
> >>
> >> On 9/1/19 7:05 AM, Adrian Bunk wrote:
> >>> thud and zeus are providing 2 gcc versions each that need fixing.
> >> That is a true statement. What are you expecting?
> > The other versions also being fixed?
> >
> > gcc-8 being fixed in warrior before it gets fixed in master would be
> > the wrong order, and would introduce a security regression in master.
> sent a patch. hope it is what is meant by the above.
>
> >
> > The code should be nearly identical in warrior and master, so fixing
> > this also in gcc-8 in master should be trivial.
> >
> > Fixing gcc-7 in thud would be a bonus.
FWIW, gcc-7-branch of https://github.com/gcc-mirror/gcc.git has this fix already.
-Mikko
commit 740d8b3baeea47cd5407be1752c5159223f77042
Author: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
AuthorDate: Thu Jul 25 10:50:47 2019 +0000
Commit: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
CommitDate: Thu Jul 25 10:50:47 2019 +0000
2019-07-25 Richard Biener <rguenther@suse.de>
PR lto/90924
Backport from mainline
2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
* simple-object-elf.c (simple_object_elf_match): Check zero value
shstrndx.
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-7-branch@273795 138bc75d-0d04-0410-961f-82ee72b054a4
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index b785e71..0ecdec0 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,12 @@
+2019-07-25 Richard Biener <rguenther@suse.de>
+
+ PR lto/90924
+ Backport from mainline
+ 2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
+
+ * simple-object-elf.c (simple_object_elf_match): Check zero value
+ shstrndx.
+
2018-12-06 Release Manager
* GCC 7.4.0 released.
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-09-03 5:50 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-31 21:15 [PATCH] gcc-9.2: Security fix for CVE-2019-14250 Armin Kuster
2019-09-01 14:05 ` Adrian Bunk
2019-09-01 17:07 ` akuster808
2019-09-02 12:40 ` Adrian Bunk
2019-09-02 16:10 ` akuster808
2019-09-02 21:33 ` akuster808
2019-09-03 3:41 ` Adrian Bunk
2019-09-03 5:50 ` Mikko.Rapeli
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.