From d4c18ec4301bf7f0b74a01e95c8a5d492faf1375 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Tue, 17 Mar 2026 10:59:31 +0000 Subject: [PATCH] Patch binutils for CVE-2025-69652, CVE-2025-69649, CVE-2025-69647, CVE-2025-69646, CVE-2025-69645 --- SPECS/binutils/CVE-2025-69645.patch | 81 +++++++++++++ SPECS/binutils/CVE-2025-69646.patch | 106 ++++++++++++++++++ SPECS/binutils/CVE-2025-69647.patch | 82 ++++++++++++++ SPECS/binutils/CVE-2025-69649.patch | 29 +++++ SPECS/binutils/CVE-2025-69652.patch | 34 ++++++ SPECS/binutils/binutils.spec | 10 +- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 6 +- .../manifests/package/toolchain_x86_64.txt | 10 +- 10 files changed, 353 insertions(+), 13 deletions(-) create mode 100644 SPECS/binutils/CVE-2025-69645.patch create mode 100644 SPECS/binutils/CVE-2025-69646.patch create mode 100644 SPECS/binutils/CVE-2025-69647.patch create mode 100644 SPECS/binutils/CVE-2025-69649.patch create mode 100644 SPECS/binutils/CVE-2025-69652.patch diff --git a/SPECS/binutils/CVE-2025-69645.patch b/SPECS/binutils/CVE-2025-69645.patch new file mode 100644 index 00000000000..045c32248aa --- /dev/null +++ b/SPECS/binutils/CVE-2025-69645.patch 
@@ -0,0 +1,81 @@ +From ba553f91de0c02ae5c4d9dcb51bad4b01c6194dc Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Tue, 17 Mar 2026 10:44:24 +0000 +Subject: [PATCH] PR 33637: Avoid toggling do_types based on unit type; defer + find_cu_tu_set_v2 and handle type unit signature/offset without altering + global state. Prevents abort in byte_get for DWARF4 .debug_types. (Backport) + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=cdb728d4da6184631989b192f1022c219dea7677 +--- + binutils-2.37/binutils/dwarf.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c +index 2f28f170..caeb0eaa 100644 +--- a/binutils-2.37/binutils/dwarf.c ++++ b/binutils-2.37/binutils/dwarf.c +@@ -3562,7 +3562,6 @@ process_debug_info (struct dwarf_section * section, + + SAFE_BYTE_GET_AND_INC (compunit.cu_version, hdrptr, 2, end_cu); + +- this_set = find_cu_tu_set_v2 (cu_offset, do_types); + + if (compunit.cu_version < 5) + { +@@ -3573,7 +3572,6 @@ process_debug_info (struct dwarf_section * section, + else + { + SAFE_BYTE_GET_AND_INC (compunit.cu_unit_type, hdrptr, 1, end_cu); +- do_types = (compunit.cu_unit_type == DW_UT_type); + + SAFE_BYTE_GET_AND_INC (compunit.cu_pointer_size, hdrptr, 1, end_cu); + } +@@ -3588,6 +3586,9 @@ process_debug_info (struct dwarf_section * section, + SAFE_BYTE_GET_AND_INC (dwo_id, hdrptr, 8, end_cu); + } + ++ ++ this_set = find_cu_tu_set_v2 (cu_offset, do_types); ++ + if (this_set == NULL) + { + abbrev_base = 0; +@@ -3649,8 +3650,6 @@ process_debug_info (struct dwarf_section * section, + + SAFE_BYTE_GET_AND_INC (compunit.cu_version, hdrptr, 2, end_cu); + +- this_set = find_cu_tu_set_v2 (cu_offset, do_types); +- + if (compunit.cu_version < 5) + { + compunit.cu_unit_type = DW_UT_compile; +@@ -3660,13 +3659,15 @@ process_debug_info (struct dwarf_section * section, + else + { + 
SAFE_BYTE_GET_AND_INC (compunit.cu_unit_type, hdrptr, 1, end_cu); +- do_types = (compunit.cu_unit_type == DW_UT_type); + + SAFE_BYTE_GET_AND_INC (compunit.cu_pointer_size, hdrptr, 1, end_cu); + } + + SAFE_BYTE_GET_AND_INC (compunit.cu_abbrev_offset, hdrptr, offset_size, end_cu); + ++ this_set = find_cu_tu_set_v2 (cu_offset, do_types); ++ ++ + if (this_set == NULL) + { + abbrev_base = 0; +@@ -3698,7 +3699,7 @@ process_debug_info (struct dwarf_section * section, + compunit.cu_pointer_size = offset_size; + } + +- if (do_types) ++ if (do_types || compunit.cu_unit_type == DW_UT_type) + { + SAFE_BYTE_GET_AND_INC (signature, hdrptr, 8, end_cu); + SAFE_BYTE_GET_AND_INC (type_offset, hdrptr, offset_size, end_cu); +-- +2.45.4 + diff --git a/SPECS/binutils/CVE-2025-69646.patch b/SPECS/binutils/CVE-2025-69646.patch new file mode 100644 index 00000000000..086c3cc09ef --- /dev/null +++ b/SPECS/binutils/CVE-2025-69646.patch 
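Review bot: In both loops of process_debug_info the relocated `this_set = find_cu_tu_set_v2 (cu_offset, do_types);` still passes only the caller's `do_types`, so moving it below the header reads does not change which set is looked up; neither argument depends on the fields read in between. The last hunk already treats a DWARF 5 unit as a type unit with `if (do_types || compunit.cu_unit_type == DW_UT_type)`. If the lookup is meant to follow the same rule, the call should pass that expression too, e.g. `this_set = find_cu_tu_set_v2 (cu_offset, do_types || compunit.cu_unit_type == DW_UT_type);`. Because the patch is marked as an AI backport, this is worth comparing with the commit named in Upstream-reference. The function body starts and ends outside these hunks.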
@@ -0,0 +1,106 @@ +From 90397c863f30263ee47ace3260a32030bc66feee Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Tue, 17 Mar 2026 10:36:22 +0000 +Subject: [PATCH] PR 33638: debug_rnglists output: limit unit length to + section, remove reloc-based len handling, ensure version >=5, ensure min + header length, and cap offset_entry_count based on unit length in + display_debug_ranges header parsing. Stop output on header errors. + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=598704a00cbac5e85c2bedd363357b5bf6fcee33 +--- + binutils-2.37/binutils/dwarf.c | 53 +++++++++++++++------------------- + 1 file changed, 23 insertions(+), 30 deletions(-) + +diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c +index a003807a..2f28f170 100644 +--- a/binutils-2.37/binutils/dwarf.c ++++ b/binutils-2.37/binutils/dwarf.c +@@ -7694,47 +7694,36 @@ display_debug_ranges (struct dwarf_section *section, + + if (is_rnglists) + { +- dwarf_vma initial_length; ++ dwarf_vma length; ++ unsigned char *hdr; + unsigned char segment_selector_size; + unsigned int offset_size, offset_entry_count; + unsigned short version; + + /* Get and check the length of the block. */ +- SAFE_BYTE_GET_AND_INC (initial_length, start, 4, finish); ++ SAFE_BYTE_GET_AND_INC (length, start, 4, finish); + +- if (initial_length == 0xffffffff) ++ if (length == 0xffffffff) + { + /* This section is 64-bit DWARF 3. */ +- SAFE_BYTE_GET_AND_INC (initial_length, start, 8, finish); ++ SAFE_BYTE_GET_AND_INC (length, start, 8, finish); + offset_size = 8; + } + else + offset_size = 4; + +- if (initial_length > (size_t) (finish - start)) +- { +- /* If the length field has a relocation against it, then we should +- not complain if it is inaccurate (and probably negative). +- It is copied from .debug_line handling code. 
*/ +- if (reloc_at (section, (start - section->start) - offset_size)) +- { +- initial_length = finish - start; +- } +- else +- { +- warn (_("The length field (0x%lx) in the debug_rnglists header is wrong - the section is too small\n"), +- (long) initial_length); +- return 0; +- } +- } +- finish = start + initial_length; ++ if (length < 8) ++ return 0; ++ ++ /* Start of the rest of the header, after the length field. */ ++ hdr = start; + + /* Get and check the version number. */ + SAFE_BYTE_GET_AND_INC (version, start, 2, finish); + +- if (version != 5) ++ if (version < 5) + { +- warn (_("Only DWARF version 5 debug_rnglists info " ++ warn (_("Only DWARF version 5+ debug_rnglists info " + "is currently supported.\n")); + return 0; + } +@@ -7751,13 +7740,17 @@ display_debug_ranges (struct dwarf_section *section, + } + + SAFE_BYTE_GET_AND_INC (offset_entry_count, start, 4, finish); +- if (offset_entry_count != 0) +- { +- warn (_("The %s section contains " +- "unsupported offset entry count: %u.\n"), +- section->name, offset_entry_count); +- return 0; +- } ++ { ++ /* Limit the offset entry count to what can fit in the unit. */ ++ dwarf_vma max_off_count = (length - 8) / offset_size; ++ if (offset_entry_count > max_off_count) ++ offset_entry_count = max_off_count; ++ } ++ ++ /* Limit length to the rest of the section and set unit end. */ ++ if (length > (size_t) (finish - hdr)) ++ length = finish - hdr; ++ finish = hdr + length; + } + + if (load_debug_info (file) == 0) +-- +2.45.4 + diff --git a/SPECS/binutils/CVE-2025-69647.patch b/SPECS/binutils/CVE-2025-69647.patch new file mode 100644 index 00000000000..7188a92030b --- /dev/null +++ b/SPECS/binutils/CVE-2025-69647.patch 
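Review bot: In display_debug_ranges the cap `max_off_count = (length - 8) / offset_size` is computed before `length` is clamped to the section, so a unit length taken from the file that exceeds the section yields a cap the section cannot hold, and `offset_entry_count` is not really bounded. Move the clamp up to just after `hdr = start;` and re-test the minimum afterwards: `if (length > (size_t) (finish - hdr)) length = finish - hdr;` followed by `if (length < 8) return 0;`. The existing `length < 8` return is also silent, unlike the other header errors, which call `warn`. Relaxing the version test to `version < 5` lets units with a higher version be parsed with the version 5 layout, while the companion .debug_loclists patch keeps `!= 5`. Whether `offset_entry_count` is used after this block is not visible in the hunk.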
@@ -0,0 +1,82 @@ +From 92318d7950fd30b5974bf5003f77f0306dff9893 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Tue, 17 Mar 2026 10:48:55 +0000 +Subject: [PATCH] Backport PR 33639: Limit .debug_loclists unit length to + section, cap offset entry count, and skip offset table accordingly to avoid + endless output + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=455446bbdc8675f34808187de2bbad4682016ff7 +--- + binutils-2.37/binutils/dwarf.c | 44 +++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c +index caeb0eaa..f71700da 100644 +--- a/binutils-2.37/binutils/dwarf.c ++++ b/binutils-2.37/binutils/dwarf.c +@@ -6861,10 +6861,27 @@ display_debug_loc (struct dwarf_section *section, void *file) + unsigned char *end = section_begin + section->size; + unsigned char address_size, segment_selector_size; + uint32_t offset_entry_count; ++ bool is_64bit; ++ unsigned int offset_size; ++ dwarf_vma header_offset; + + SAFE_BYTE_GET_AND_INC (ll_length, hdrptr, 4, end); + if (ll_length == 0xffffffff) +- SAFE_BYTE_GET_AND_INC (ll_length, hdrptr, 8, end); ++ { ++ SAFE_BYTE_GET_AND_INC (ll_length, hdrptr, 8, end); ++ is_64bit = true; ++ offset_size = 8; ++ } ++ else ++ { ++ is_64bit = false; ++ offset_size = 4; ++ } ++ ++ if (ll_length < 8) ++ return 0; ++ ++ header_offset = hdrptr - section_begin; + + SAFE_BYTE_GET_AND_INC (ll_version, hdrptr, 2, end); + if (ll_version != 5) +@@ -6886,14 +6903,25 @@ display_debug_loc (struct dwarf_section *section, void *file) + return 0; + } + ++ ++ /* Ensure length does not exceed section size. */ ++ if (ll_length > (dwarf_vma) (section->size - header_offset)) ++ ll_length = section->size - header_offset; ++ ++ /* Read offset entry count and cap to the maximum entries that can fit. 
*/ + SAFE_BYTE_GET_AND_INC (offset_entry_count, hdrptr, 4, end); +- if (offset_entry_count != 0) +- { +- warn (_("The %s section contains " +- "unsupported offset entry count: %d.\n"), +- section->name, offset_entry_count); +- return 0; +- } ++ { ++ dwarf_vma max_off_count = ll_length >> (is_64bit ? 3 : 2); ++ if ((dwarf_vma) offset_entry_count > max_off_count) ++ offset_entry_count = (uint32_t) max_off_count; ++ /* Skip the offset entries so that hdrptr points to the start of lists. */ ++ dwarf_vma bytes_to_skip = (dwarf_vma) offset_entry_count * offset_size; ++ unsigned char *unit_end = section_begin + header_offset + ll_length; ++ if (hdrptr + bytes_to_skip > unit_end) ++ hdrptr = unit_end; ++ else ++ hdrptr += bytes_to_skip; ++ } + + expected_start = hdrptr - section_begin; + } +-- +2.45.4 + diff --git a/SPECS/binutils/CVE-2025-69649.patch b/SPECS/binutils/CVE-2025-69649.patch new file mode 100644 index 00000000000..7f616d51a08 --- /dev/null +++ b/SPECS/binutils/CVE-2025-69649.patch 
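Review bot: In display_debug_loc the `if (ll_length < 8) return 0;` guard runs before `ll_length` is clamped to the section, and `max_off_count = ll_length >> (is_64bit ? 3 : 2)` counts the 8 header bytes already consumed as room for offsets. The cap is therefore looser than the companion rnglists patch's `(length - 8) / offset_size`, and correctness rests entirely on the later `unit_end` comparison. Repeating `if (ll_length < 8) return 0;` after the clamp and computing `dwarf_vma max_off_count = (ll_length - 8) / offset_size;` would make the bound exact and make `is_64bit` unnecessary. The early return also gives no `warn`, so a truncated header ends the dump silently. The rest of the function is outside the hunk.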
@@ -0,0 +1,29 @@ +From 41f172d6a0c0daf740fd2509ff216fec04b1f519 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Tue, 17 Mar 2026 10:29:19 +0000 +Subject: [PATCH] PR 33697: readelf: Avoid segfault in process_relocs when no + section headers present. Backport of upstream fix to guard iteration with + null section_headers. + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66 +--- + binutils-2.37/binutils/readelf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/binutils-2.37/binutils/readelf.c b/binutils-2.37/binutils/readelf.c +index a6073f7e..dcd223fa 100644 +--- a/binutils-2.37/binutils/readelf.c ++++ b/binutils-2.37/binutils/readelf.c +@@ -7879,6 +7879,8 @@ process_relocs (Filedata * filedata) + unsigned long i; + bool found = false; + ++ /* PR 33697: Avoid segfault when there are no section headers. */ ++ if (filedata->section_headers != NULL) + for (i = 0, section = filedata->section_headers; + i < filedata->file_header.e_shnum; + i++, section++) +-- +2.45.4 + diff --git a/SPECS/binutils/CVE-2025-69652.patch b/SPECS/binutils/CVE-2025-69652.patch new file mode 100644 index 00000000000..c188afbab6c --- /dev/null +++ b/SPECS/binutils/CVE-2025-69652.patch 
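Review bot: The added `if (filedata->section_headers != NULL)` in process_relocs guards the following `for` without braces and without re-indenting it, so the loop reads as unconditional and a statement added between the two lines later would silently change what is guarded. Wrapping the loop in braces, `if (filedata->section_headers != NULL) {` ... `}`, or folding the test into the loop condition as `i < filedata->file_header.e_shnum && filedata->section_headers != NULL`, keeps the guard visibly attached. The loop body and the handling of `found` after it are outside the hunk, so the output produced for a file with no section headers cannot be confirmed from here.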
@@ -0,0 +1,34 @@ +From 9be4b179cbd98f1f1c784cacd8e5e9971754b6da Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Tue, 17 Mar 2026 10:27:37 +0000 +Subject: [PATCH] PR 33701: Set debug_info_p NULL when DEBUG_INFO_UNAVAILABLE + in process_debug_info + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01 +--- + binutils-2.37/binutils/dwarf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c +index 7934b2b5..a003807a 100644 +--- a/binutils-2.37/binutils/dwarf.c ++++ b/binutils-2.37/binutils/dwarf.c +@@ -3936,9 +3936,11 @@ process_debug_info (struct dwarf_section * section, + break; + } + +- debug_info *debug_info_p = +- (debug_information && unit < alloc_num_debug_info_entries) +- ? debug_information + unit : NULL; ++ debug_info *debug_info_p = NULL; ++ if (debug_information ++ && num_debug_info_entries != DEBUG_INFO_UNAVAILABLE ++ && unit < alloc_num_debug_info_entries) ++ debug_info_p = debug_information + unit; + + assert (!debug_info_p + || (debug_info_p->num_loc_offsets +-- +2.45.4 + diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec index 51fc9d20920..059d262d6fa 100644 --- a/SPECS/binutils/binutils.spec +++ b/SPECS/binutils/binutils.spec @@ -21,7 +21,7 @@ Summary: Contains a linker, an assembler, and other tools Name: binutils Version: 2.37 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner 
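Review bot: In the CVE-2025-69652.patch hunk for process_debug_info, the new `num_debug_info_entries != DEBUG_INFO_UNAVAILABLE` test has no comment explaining why a non-NULL `debug_information` with `unit < alloc_num_debug_info_entries` is still unsafe to index. The `assert` that follows dereferences `debug_info_p`, so the next reader needs that reason to keep the guard intact. A one-line comment above the `if` would do, for example `/* debug_information must not be indexed once num_debug_info_entries is DEBUG_INFO_UNAVAILABLE. */`, with the wording checked against how that state is set elsewhere in dwarf.c. The function body starts and ends outside the hunk.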
@@ -63,6 +63,11 @@ Patch28: CVE-2025-11083.patch Patch29: CVE-2025-1147.patch Patch30: CVE-2025-1148.patch Patch31: CVE-2025-11839.patch +Patch32: CVE-2025-69645.patch +Patch33: CVE-2025-69646.patch +Patch34: CVE-2025-69647.patch +Patch35: CVE-2025-69649.patch +Patch36: CVE-2025-69652.patch Provides: bundled(libiberty) # Moving macro before the "SourceX" tags breaks PR checks parsing the specs. @@ -319,6 +324,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %do_files aarch64-linux-gnu %{build_aarch64} %changelog +* Tue Mar 17 2026 Azure Linux Security Servicing Account - 2.37-21 +- Patch for CVE-2025-69652, CVE-2025-69649, CVE-2025-69647, CVE-2025-69646, CVE-2025-69645 + * Wed Jan 07 2026 Jyoti Kanase - 2.37-20 - Patch for CVE-2025-1147, CVE-2025-1148, CVE-2025-11839 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index a3002ac039e..5f8c0caeac3 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.aarch64.rpm file-5.40-3.cm2.aarch64.rpm file-devel-5.40-3.cm2.aarch64.rpm file-libs-5.40-3.cm2.aarch64.rpm -binutils-2.37-20.cm2.aarch64.rpm -binutils-devel-2.37-20.cm2.aarch64.rpm +binutils-2.37-21.cm2.aarch64.rpm +binutils-devel-2.37-21.cm2.aarch64.rpm gmp-6.2.1-4.cm2.aarch64.rpm gmp-devel-6.2.1-4.cm2.aarch64.rpm mpfr-4.1.0-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 9735869dfdc..5af54bbb27d 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
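Review bot: The `Patch32` to `Patch36` order added in binutils.spec does not match the order in which the four dwarf.c patches were generated. Their `index` lines chain 7934b2b5..a003807a (CVE-2025-69652), a003807a..2f28f170 (CVE-2025-69646), 2f28f170..caeb0eaa (CVE-2025-69645), then caeb0eaa..f71700da (CVE-2025-69647). Applied in PatchNN order, some hunks will land at a line offset instead of their recorded position. They appear to touch separate regions of dwarf.c, so this probably still applies, but the build log should be checked for offset or fuzz messages. Alternatively, list the entries in generation order (69652, 69646, 69645, 69647).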
@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
 file-devel-5.40-3.cm2.x86_64.rpm
 file-libs-5.40-3.cm2.x86_64.rpm
-binutils-2.37-20.cm2.x86_64.rpm
-binutils-devel-2.37-20.cm2.x86_64.rpm
+binutils-2.37-21.cm2.x86_64.rpm
+binutils-devel-2.37-21.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
 mpfr-4.1.0-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index ae98412399f..5eff322968b 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -9,9 +9,9 @@ bash-5.1.8-4.cm2.aarch64.rpm
 bash-debuginfo-5.1.8-4.cm2.aarch64.rpm
 bash-devel-5.1.8-4.cm2.aarch64.rpm
 bash-lang-5.1.8-4.cm2.aarch64.rpm
-binutils-2.37-20.cm2.aarch64.rpm
-binutils-debuginfo-2.37-20.cm2.aarch64.rpm
-binutils-devel-2.37-20.cm2.aarch64.rpm
+binutils-2.37-21.cm2.aarch64.rpm
+binutils-debuginfo-2.37-21.cm2.aarch64.rpm
+binutils-devel-2.37-21.cm2.aarch64.rpm
 bison-3.7.6-2.cm2.aarch64.rpm
 bison-debuginfo-3.7.6-2.cm2.aarch64.rpm
 bzip2-1.0.8-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 6a330887776..f3fa2ea19ab 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -9,10 +9,10 @@ bash-5.1.8-4.cm2.x86_64.rpm
 bash-debuginfo-5.1.8-4.cm2.x86_64.rpm
 bash-devel-5.1.8-4.cm2.x86_64.rpm
 bash-lang-5.1.8-4.cm2.x86_64.rpm
-binutils-2.37-20.cm2.x86_64.rpm
-binutils-aarch64-linux-gnu-2.37-20.cm2.x86_64.rpm
-binutils-debuginfo-2.37-20.cm2.x86_64.rpm
-binutils-devel-2.37-20.cm2.x86_64.rpm
+binutils-2.37-21.cm2.x86_64.rpm
+binutils-aarch64-linux-gnu-2.37-21.cm2.x86_64.rpm
+binutils-debuginfo-2.37-21.cm2.x86_64.rpm
+binutils-devel-2.37-21.cm2.x86_64.rpm
 bison-3.7.6-2.cm2.x86_64.rpm
 bison-debuginfo-3.7.6-2.cm2.x86_64.rpm
 bzip2-1.0.8-1.cm2.x86_64.rpm
@@ -47,7 +47,7 @@ cracklib-lang-2.9.7-5.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
-cross-binutils-common-2.37-20.cm2.noarch.rpm
+cross-binutils-common-2.37-21.cm2.noarch.rpm
 cross-gcc-common-11.2.0-9.cm2.noarch.rpm
 curl-8.8.0-8.cm2.x86_64.rpm
 curl-debuginfo-8.8.0-8.cm2.x86_64.rpm