Refreshed patch #1 and disable debuginfod.
The debuginfod tools need to hook into server infrastructure,
this currently only exists for Fedora.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2018-18310: An invalid memory address dereference was
discovered in dwfl_segment_report_module.c in libdwfl in elfutils
through v0.174. The vulnerability allows attackers to cause a denial of
service (application crash) with a crafted ELF file, as demonstrated by
consider_notes.
Fixes CVE-2018-18520: An Invalid Memory Address Dereference exists in
the function elf_end in libelf in elfutils through v0.174. Although
eu-size is intended to support ar files inside ar files,
handle_ar in size.c closes the outer ar file before handling all inner
entries. The vulnerability allows attackers to cause a denial of service
(application crash) with a crafted ELF file.
Fixes CVE-2018-18521: Divide-by-zero vulnerabilities in the function
arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers
to cause a denial of service (application crash) with a crafted ELF
file, as demonstrated by eu-ranlib, because a zero sh_entsize is
mishandled.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16062: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils
before 2018-08-18 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted file.
CVE-2018-16402: libelf/elf_end.c in elfutils 0.173 allows remote attackers
to cause a denial of service (double free and application crash) or possibly
have unspecified other impact because it tries to decompress twice.
CVE-2018-16403: libdw in elfutils 0.173 checks the end of the attributes
list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr
in dwarf_hasattr.c, leading to a heap-based buffer over-read and an
application crash.
For more details, see the announcement:
https://sourceware.org/ml/elfutils-devel/2018-q3/msg00116.html
0.172 and 0.173 also included fixes for crashes and hangs found by afl-fuzz
(no CVEs assigned):
https://sourceware.org/ml/elfutils-devel/2018-q2/msg00272.html
https://sourceware.org/ml/elfutils-devel/2018-q2/msg00209.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop the po/ disable patch; not needed anymore.
Drop the __mempcpy compatibility patch; __mempcpy is not used anymore.
Refresh the -Werror removal patch; still needed, unfortunately.
Renumber the remaining patches.
Add GPLv3 license file.
Add license files hash.
[Peter: drop security reference, was added post-release]
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of security issues: CVE-2017-7607, CVE-2017-7608,
CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613.
Rebase patches, and convert to git format.
Remove --disable-werror; unrecognized configure option.
Use upstream provided hash.
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Remove 0001-argp-support.patch since it's already included upstream:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=1ab3c2befeedf5bd891cfbe17cfef79c06e5079a
- Tweak patches for this new version:
  - 0002-disable-progs.patch
  - 0003-fts.patch
  - 0004-disable-po.patch
  - 0005-really-make-werror-conditional-to-build-werror.patch
- Remove 0007-Allow-disabling-symbol-versioning-at-configure-t since
it's already included upstream:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=bafacacaf7659a4933604662daba26a480b29a8d
- Remove portability patch since it's no longer needed. I have asked
Mark Wielaard regarding this topic given the portability patch looks to
have been discontinued since 0.163 and he replied the following:
- "I believe it is no longer needed. At least not on any platform I
am actively maintaining. See also this discussion from last year:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2015-May/004825.html"
- Add zlib dependency since it's now mandatory:
configure: error: zlib not found but is required
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Bump version to 0.161
- Remove the portability patch. We don't need to have it in Buildroot
since it includes the version number so we can download it safely
without having collisions between versions.
- Adapt the patches that need to be adapted.
- Rename patches to start from 0001.
- Update the hash value and add a new value for the portability patch.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Download the portability patch into the buildroot tree.
This isn't nice but there really isn't another good solution for it.
The elfutils-portability.patch is version-dependent hence we already
have an older version for an older version of elfutils in the mirrors.
This causes hash check failures when fetching from sources.buildroot.net.
But we can't remove (hence replace) the old version with the new one
since this would cause issues with older versions of
buildroot/elfutils for the same scenario.
Fixes:
http://autobuild.buildroot.net/results/26a/26afb92dc14fd0f85c0800dd4e034ea86af19fe2/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Bump version to 0.160
- Add a hash file
- Adapt patches to the new version
- Add a new patch to really make -Werror conditional to BUILD_WERROR
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>