microsoft · azurelinux-security · Mar 17, 2026
@@ -0,0 +1,81 @@
+From ba553f91de0c02ae5c4d9dcb51bad4b01c6194dc Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 17 Mar 2026 10:44:24 +0000
+Subject: [PATCH] PR 33637: Avoid toggling do_types based on unit type; defer
+ find_cu_tu_set_v2 and handle type unit signature/offset without altering
+ global state. Prevents abort in byte_get for DWARF4 .debug_types. (Backport)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=cdb728d4da6184631989b192f1022c219dea7677
+---
+ binutils-2.37/binutils/dwarf.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c
+index 2f28f170..caeb0eaa 100644
+--- a/binutils-2.37/binutils/dwarf.c
++++ b/binutils-2.37/binutils/dwarf.c
+@@ -3562,7 +3562,6 @@ process_debug_info (struct dwarf_section * section,
+
+       SAFE_BYTE_GET_AND_INC (compunit.cu_version, hdrptr, 2, end_cu);
+
+-      this_set = find_cu_tu_set_v2 (cu_offset, do_types);
+
+       if (compunit.cu_version < 5)
+ 	{
+@@ -3573,7 +3572,6 @@ process_debug_info (struct dwarf_section * section,
+       else
+ 	{
+ 	  SAFE_BYTE_GET_AND_INC (compunit.cu_unit_type, hdrptr, 1, end_cu);
+-	  do_types = (compunit.cu_unit_type == DW_UT_type);
+
+ 	  SAFE_BYTE_GET_AND_INC (compunit.cu_pointer_size, hdrptr, 1, end_cu);
+ 	}
+@@ -3588,6 +3586,9 @@ process_debug_info (struct dwarf_section * section,
+ 	  SAFE_BYTE_GET_AND_INC (dwo_id, hdrptr, 8, end_cu);
+ 	}
+
++
++      this_set = find_cu_tu_set_v2 (cu_offset, do_types);
++
+       if (this_set == NULL)
+ 	{
+ 	  abbrev_base = 0;
+@@ -3649,8 +3650,6 @@ process_debug_info (struct dwarf_section * section,
+
+       SAFE_BYTE_GET_AND_INC (compunit.cu_version, hdrptr, 2, end_cu);
+
+-      this_set = find_cu_tu_set_v2 (cu_offset, do_types);
+-
+       if (compunit.cu_version < 5)
+ 	{
+ 	  compunit.cu_unit_type = DW_UT_compile;
+@@ -3660,13 +3659,15 @@ process_debug_info (struct dwarf_section * section,
+       else
+ 	{
+ 	  SAFE_BYTE_GET_AND_INC (compunit.cu_unit_type, hdrptr, 1, end_cu);
+-	  do_types = (compunit.cu_unit_type == DW_UT_type);
+
+ 	  SAFE_BYTE_GET_AND_INC (compunit.cu_pointer_size, hdrptr, 1, end_cu);
+ 	}
+
+       SAFE_BYTE_GET_AND_INC (compunit.cu_abbrev_offset, hdrptr, offset_size, end_cu);
+
++      this_set = find_cu_tu_set_v2 (cu_offset, do_types);
++
++
+       if (this_set == NULL)
+ 	{
+ 	  abbrev_base = 0;
+@@ -3698,7 +3699,7 @@ process_debug_info (struct dwarf_section * section,
+ 	  compunit.cu_pointer_size = offset_size;
+ 	}
+
+-      if (do_types)
++      if (do_types || compunit.cu_unit_type == DW_UT_type)
+ 	{
+ 	  SAFE_BYTE_GET_AND_INC (signature, hdrptr, 8, end_cu);
+ 	  SAFE_BYTE_GET_AND_INC (type_offset, hdrptr, offset_size, end_cu);
+-- 
+2.45.4
+
@@ -0,0 +1,106 @@
+From 90397c863f30263ee47ace3260a32030bc66feee Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 17 Mar 2026 10:36:22 +0000
+Subject: [PATCH] PR 33638: debug_rnglists output: limit unit length to
+ section, remove reloc-based len handling, ensure version >=5, ensure min
+ header length, and cap offset_entry_count based on unit length in
+ display_debug_ranges header parsing. Stop output on header errors.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
+---
+ binutils-2.37/binutils/dwarf.c | 53 +++++++++++++++-------------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c
+index a003807a..2f28f170 100644
+--- a/binutils-2.37/binutils/dwarf.c
++++ b/binutils-2.37/binutils/dwarf.c
+@@ -7694,47 +7694,36 @@ display_debug_ranges (struct dwarf_section *section,
+
+   if (is_rnglists)
+     {
+-      dwarf_vma initial_length;
++      dwarf_vma length;
++      unsigned char *hdr;
+       unsigned char segment_selector_size;
+       unsigned int offset_size, offset_entry_count;
+       unsigned short version;
+
+       /* Get and check the length of the block.  */
+-      SAFE_BYTE_GET_AND_INC (initial_length, start, 4, finish);
++      SAFE_BYTE_GET_AND_INC (length, start, 4, finish);
+
+-      if (initial_length == 0xffffffff)
++      if (length == 0xffffffff)
+ 	{
+ 	  /* This section is 64-bit DWARF 3.  */
+-	  SAFE_BYTE_GET_AND_INC (initial_length, start, 8, finish);
++	  SAFE_BYTE_GET_AND_INC (length, start, 8, finish);
+ 	  offset_size = 8;
+ 	}
+       else
+ 	offset_size = 4;
+
+-      if (initial_length > (size_t) (finish - start))
+-	{
+-	  /* If the length field has a relocation against it, then we should
+-	     not complain if it is inaccurate (and probably negative).
+-	     It is copied from .debug_line handling code.  */
+-	  if (reloc_at (section, (start - section->start) - offset_size))
+-	    {
+-	      initial_length = finish - start;
+-	    }
+-	  else
+-	    {
+-	      warn (_("The length field (0x%lx) in the debug_rnglists header is wrong - the section is too small\n"),
+-		    (long) initial_length);
+-	      return 0;
+-	    }
+-	}
+-      finish = start + initial_length;
++      if (length < 8)
++	return 0;
++
++      /* Start of the rest of the header, after the length field.  */
++      hdr = start;
+
+       /* Get and check the version number.  */
+       SAFE_BYTE_GET_AND_INC (version, start, 2, finish);
+
+-      if (version != 5)
++      if (version < 5)
+ 	{
+-	  warn (_("Only DWARF version 5 debug_rnglists info "
++	  warn (_("Only DWARF version 5+ debug_rnglists info "
+ 		  "is currently supported.\n"));
+ 	  return 0;
+ 	}
+@@ -7751,13 +7740,17 @@ display_debug_ranges (struct dwarf_section *section,
+ 	}
+
+       SAFE_BYTE_GET_AND_INC (offset_entry_count, start, 4, finish);
+-      if (offset_entry_count != 0)
+-	{
+-	  warn (_("The %s section contains "
+-		  "unsupported offset entry count: %u.\n"),
+-		section->name, offset_entry_count);
+-	  return 0;
+-	}
++      {
++	/* Limit the offset entry count to what can fit in the unit.  */
++	dwarf_vma max_off_count = (length - 8) / offset_size;
++	if (offset_entry_count > max_off_count)
++	  offset_entry_count = max_off_count;
++      }
++
++      /* Limit length to the rest of the section and set unit end.  */
++      if (length > (size_t) (finish - hdr))
++	length = finish - hdr;
++      finish = hdr + length;
+     }
+
+   if (load_debug_info (file) == 0)
+-- 
+2.45.4
+
@@ -0,0 +1,82 @@
+From 92318d7950fd30b5974bf5003f77f0306dff9893 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 17 Mar 2026 10:48:55 +0000
+Subject: [PATCH] Backport PR 33639: Limit .debug_loclists unit length to
+ section, cap offset entry count, and skip offset table accordingly to avoid
+ endless output
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=455446bbdc8675f34808187de2bbad4682016ff7
+---
+ binutils-2.37/binutils/dwarf.c | 44 +++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 8 deletions(-)
+
+diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c
+index caeb0eaa..f71700da 100644
+--- a/binutils-2.37/binutils/dwarf.c
++++ b/binutils-2.37/binutils/dwarf.c
+@@ -6861,10 +6861,27 @@ display_debug_loc (struct dwarf_section *section, void *file)
+       unsigned char *end = section_begin + section->size;
+       unsigned char address_size, segment_selector_size;
+       uint32_t offset_entry_count;
++      bool is_64bit;
++      unsigned int offset_size;
++      dwarf_vma header_offset;
+
+       SAFE_BYTE_GET_AND_INC (ll_length, hdrptr, 4, end);
+       if (ll_length == 0xffffffff)
+-	SAFE_BYTE_GET_AND_INC (ll_length, hdrptr, 8, end);
++	{
++	  SAFE_BYTE_GET_AND_INC (ll_length, hdrptr, 8, end);
++	  is_64bit = true;
++	  offset_size = 8;
++	}
++      else
++	{
++	  is_64bit = false;
++	  offset_size = 4;
++	}
++
++      if (ll_length < 8)
++	return 0;
++
++      header_offset = hdrptr - section_begin;
+
+       SAFE_BYTE_GET_AND_INC (ll_version, hdrptr, 2, end);
+       if (ll_version != 5)
+@@ -6886,14 +6903,25 @@ display_debug_loc (struct dwarf_section *section, void *file)
+ 	  return 0;
+ 	}
+
++
++      /* Ensure length does not exceed section size.  */
++      if (ll_length > (dwarf_vma) (section->size - header_offset))
++	ll_length = section->size - header_offset;
++
++      /* Read offset entry count and cap to the maximum entries that can fit. */
+       SAFE_BYTE_GET_AND_INC (offset_entry_count, hdrptr, 4, end);
+-      if (offset_entry_count != 0)
+-	{
+-	  warn (_("The %s section contains "
+-		  "unsupported offset entry count: %d.\n"),
+-		section->name, offset_entry_count);
+-	  return 0;
+-	}
++      {
++	  dwarf_vma max_off_count = ll_length >> (is_64bit ? 3 : 2);
++	  if ((dwarf_vma) offset_entry_count > max_off_count)
++	    offset_entry_count = (uint32_t) max_off_count;
++	  /* Skip the offset entries so that hdrptr points to the start of lists. */
++	  dwarf_vma bytes_to_skip = (dwarf_vma) offset_entry_count * offset_size;
++	  unsigned char *unit_end = section_begin + header_offset + ll_length;
++	  if (hdrptr + bytes_to_skip > unit_end)
++	    hdrptr = unit_end;
++	  else
++	    hdrptr += bytes_to_skip;
++      }
+
+       expected_start = hdrptr - section_begin;
+     }
+-- 
+2.45.4
+
@@ -0,0 +1,29 @@
+From 41f172d6a0c0daf740fd2509ff216fec04b1f519 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 17 Mar 2026 10:29:19 +0000
+Subject: [PATCH] PR 33697: readelf: Avoid segfault in process_relocs when no
+ section headers present. Backport of upstream fix to guard iteration with
+ null section_headers.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66
+---
+ binutils-2.37/binutils/readelf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/binutils-2.37/binutils/readelf.c b/binutils-2.37/binutils/readelf.c
+index a6073f7e..dcd223fa 100644
+--- a/binutils-2.37/binutils/readelf.c
++++ b/binutils-2.37/binutils/readelf.c
+@@ -7879,6 +7879,8 @@ process_relocs (Filedata * filedata)
+       unsigned long i;
+       bool found = false;
+
++      /* PR 33697: Avoid segfault when there are no section headers.  */
++      if (filedata->section_headers != NULL)
+       for (i = 0, section = filedata->section_headers;
+ 	   i < filedata->file_header.e_shnum;
+ 	   i++, section++)
+-- 
+2.45.4
+
@@ -0,0 +1,34 @@
+From 9be4b179cbd98f1f1c784cacd8e5e9971754b6da Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 17 Mar 2026 10:27:37 +0000
+Subject: [PATCH] PR 33701: Set debug_info_p NULL when DEBUG_INFO_UNAVAILABLE
+ in process_debug_info
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01
+---
+ binutils-2.37/binutils/dwarf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/binutils-2.37/binutils/dwarf.c b/binutils-2.37/binutils/dwarf.c
+index 7934b2b5..a003807a 100644
+--- a/binutils-2.37/binutils/dwarf.c
++++ b/binutils-2.37/binutils/dwarf.c
+@@ -3936,9 +3936,11 @@ process_debug_info (struct dwarf_section * section,
+ 	      break;
+ 	    }
+
+-	  debug_info *debug_info_p =
+-	    (debug_information && unit < alloc_num_debug_info_entries)
+-	    ? debug_information + unit : NULL;
++	  debug_info *debug_info_p = NULL;
++	  if (debug_information
++	      && num_debug_info_entries != DEBUG_INFO_UNAVAILABLE
++	      && unit < alloc_num_debug_info_entries)
++	    debug_info_p = debug_information + unit;
+
+ 	  assert (!debug_info_p
+ 		  || (debug_info_p->num_loc_offsets
+-- 
+2.45.4
+
@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -63,6 +63,11 @@ Patch28:        CVE-2025-11083.patch
 Patch29:        CVE-2025-1147.patch
 Patch30:        CVE-2025-1148.patch
 Patch31:        CVE-2025-11839.patch
+Patch32:        CVE-2025-69645.patch
+Patch33:        CVE-2025-69646.patch
+Patch34:        CVE-2025-69647.patch
+Patch35:        CVE-2025-69649.patch
+Patch36:        CVE-2025-69652.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -319,6 +324,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Tue Mar 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.37-21
+- Patch for CVE-2025-69652, CVE-2025-69649, CVE-2025-69647, CVE-2025-69646, CVE-2025-69645
+
 * Wed Jan 07 2026 Jyoti Kanase <v-jykanase@microsoft.com> - 2.37-20
 - Patch for CVE-2025-1147, CVE-2025-1148, CVE-2025-11839
 

@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm
 file-devel-5.40-3.cm2.aarch64.rpm
 file-libs-5.40-3.cm2.aarch64.rpm
-binutils-2.37-20.cm2.aarch64.rpm
-binutils-devel-2.37-20.cm2.aarch64.rpm
+binutils-2.37-21.cm2.aarch64.rpm
+binutils-devel-2.37-21.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
 mpfr-4.1.0-2.cm2.aarch64.rpm

@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
 file-devel-5.40-3.cm2.x86_64.rpm
 file-libs-5.40-3.cm2.x86_64.rpm
-binutils-2.37-20.cm2.x86_64.rpm
-binutils-devel-2.37-20.cm2.x86_64.rpm
+binutils-2.37-21.cm2.x86_64.rpm
+binutils-devel-2.37-21.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
 mpfr-4.1.0-2.cm2.x86_64.rpm