
Fix partial reads in readelf.c [CVE-2014-9653]. Closes: #777585

Christoph Biedl vor 10 Jahren
Ursprung
Commit
ef8ef37b60

+ 41 - 0
debian/patches/CVE-2014-9653.1.4c948c0.patch

@@ -0,0 +1,41 @@
+Subject: Fix previous, reading section name
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Fri Feb 22 01:35:49 2013 +0000
+Origin: FILE5_12-68-g4c948c0
+Last-Update: 2015-02-15
+
+(prequisite for CVE-2014-9653)
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -1013,18 +1013,23 @@
+ 		return 0;
+ 	}
+ 
+-	/* Save offset of name section to be able to read section names later */
+-	name_off = off * size * strtab;
+-	/* Read the name of this section. */
+-	if (pread(fd, name, sizeof(name), name_off + xsh_name) == -1) {
++	/* Read offset of name section to be able to read section names later */
++	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) == -1) {
+ 		file_badread(ms);
+ 		return -1;
+ 	}
+-	name[sizeof(name) - 1] = '\0';
+-	if (strcmp(name, ".debug_info") == 0)
+-		stripped = 0;
++	name_off = xsh_offset;
+ 
+ 	for ( ; num; num--) {
++		/* Read the name of this section. */
++		if (pread(fd, name, sizeof(name), name_off + xsh_name) == -1) {
++			file_badread(ms);
++			return -1;
++		}
++		name[sizeof(name) - 1] = '\0';
++		if (strcmp(name, ".debug_info") == 0)
++			stripped = 0;
++
+ 		if (pread(fd, xsh_addr, xsh_sizeof, off) < (ssize_t)xsh_sizeof) {
+ 			file_badread(ms);
+ 			return -1;
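Review bot: In the loop added to src/readelf.c, the section name is read from `name_off + xsh_name` before the `pread` of that iteration's section header, so `xsh_name` appears to still hold the value from the previously read header (on the first pass, the string-table header read just above the loop). If that reading is right, the `.debug_info` comparison is applied to the preceding section's name and the last section's name is never examined, which would only affect the `stripped` result. Unless code outside the hunk sets `xsh_name` differently, either move the name read below the header read or record the intent with a comment such as `/* xsh_name comes from the header read in the previous pass */`. The loop body continues past the end of the hunk, so this is inferred from the visible lines only.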

+ 37 - 0
debian/patches/CVE-2014-9653.2.445c8fb.patch

@@ -0,0 +1,37 @@
+Subject: Bail out on partial reads, from Alexander Cherepanov (...)
+ID: CVE-2014-9653
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue Dec 16 20:53:05 2014 +0000
+Origin: FILE5_21-10-g445c8fb
+Last-Update: 2015-02-15
+
+    Bail out on partial reads, from Alexander Cherepanov
+    
+    Note: Parts of that patch had already been cherry-picked as
+         TEMP-0000000-B67840.11.445c8fb.patch
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -1014,7 +1014,7 @@
+ 	}
+ 
+ 	/* Read offset of name section to be able to read section names later */
+-	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) == -1) {
++	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) < (ssize_t)xsh_sizeof) {
+ 		file_badread(ms);
+ 		return -1;
+ 	}
+@@ -1022,11 +1022,11 @@
+ 
+ 	for ( ; num; num--) {
+ 		/* Read the name of this section. */
+-		if (pread(fd, name, sizeof(name), name_off + xsh_name) == -1) {
++		if ((namesize = pread(fd, name, sizeof(name) - 1, name_off + xsh_name)) == -1) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
+-		name[sizeof(name) - 1] = '\0';
++		name[namesize] = '\0';
+ 		if (strcmp(name, ".debug_info") == 0)
+ 			stripped = 0;
+ 
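Review bot: The name read in the second hunk still treats only `-1` as a failure, while the header read in the first hunk now rejects anything shorter than `xsh_sizeof`; the asymmetry needs a comment so it is not "fixed" later by mistake. A short or zero-length result is presumably expected there because section names are normally shorter than `name`, and `name[namesize] = '\0'` keeps `strcmp` away from bytes that were never read. I would add `/* Short reads are expected: names are shorter than the buffer, only -1 is an error. */` above the call. `namesize` is not declared in either hunk, so its declaration presumably comes from the earlier cherry-picked patch named in the header; confirm that this patch builds on top of it.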

+ 3 - 0
debian/patches/series

@@ -38,3 +38,6 @@ TEMP-0000000-B67840.10.dddd3cd.patch
 TEMP-0000000-B67840.11.445c8fb.patch
 TEMP-0000000-B67840.12.ce90e05.patch
 TEMP-0000000-E110B2.65437ce.patch
+
+CVE-2014-9653.1.4c948c0.patch
+CVE-2014-9653.2.445c8fb.patch