From 260187a1d2be0d6ca9e28f6704f39bd3af7e5467 Mon Sep 17 00:00:00 2001
From: wenxin
Date: Fri, 18 Jul 2025 10:25:59 +0800
Subject: [PATCH] Add patch to fix CVE-2025-3198,CVE-2025-7545,CVE-2025-7546
---
 0041-fix-CVE-2025-3198.patch | 27 ++++++++++++++++++
 0042-fix-CVE-2025-7545.patch | 43 +++++++++++++++++++++++++++++
 0043-fix-CVE-2025-7546.patch | 53 ++++++++++++++++++++++++++++++++++++
 binutils.spec | 14 +++++++++-
 4 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 0041-fix-CVE-2025-3198.patch
 create mode 100644 0042-fix-CVE-2025-7545.patch
 create mode 100644 0043-fix-CVE-2025-7546.patch
diff --git a/0041-fix-CVE-2025-3198.patch b/0041-fix-CVE-2025-3198.patch
new file mode 100644
index 0000000..2484de5
--- /dev/null
+++ b/0041-fix-CVE-2025-3198.patch
@@ -0,0 +1,27 @@
+From ba6ad3a18cb26b79e0e3b84c39f707535bbc344d Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Wed, 19 Feb 2025 07:58:54 +1030
+Subject: [PATCH] PR32716, objdump -i memory leak
+
+ PR binutils/32716
+ * bucomm.c (display_info): Free arg.info.
+---
+ binutils/bucomm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index ccf54099154..d4554737db1 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -435,6 +435,7 @@ display_info (void)
+ if (!arg.error)
+ display_target_tables (&arg);
+
++ free (arg.info);
+ return arg.error;
+ }
+
+--
+2.43.5
+
+
diff --git a/0042-fix-CVE-2025-7545.patch b/0042-fix-CVE-2025-7545.patch
new file mode 100644
index 0000000..df40d74
--- /dev/null
+++ b/0042-fix-CVE-2025-7545.patch
@@ -0,0 +1,43 @@
+From 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Sat, 21 Jun 2025 06:36:56 +0800
+Subject: [PATCH] objcopy: Don't extend the output section size
+
+Since the output section contents are copied from the input, don't
+extend the output section size beyond the input section size.
+
+ PR binutils/33049
+ * objcopy.c (copy_section): Don't extend the output section
+ size beyond the input section size.
+
+Signed-off-by: H.J. Lu
+---
+ binutils/objcopy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index 366e1079d82..2e98ba44c01 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -4514,6 +4514,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ char *to = (char *) memhunk;
+ char *end = (char *) memhunk + size;
+ int i;
++ bfd_size_type memhunk_size = size;
+
+ /* If the section address is not exactly divisible by the interleave,
+ then we must bias the from address. If the copy_byte is less than
+@@ -4533,6 +4534,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ }
+
+ size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
++
++ /* Don't extend the output section size. */
++ if (size > memhunk_size)
++ size = memhunk_size;
++
+ osection->lma /= interleave;
+ if (copy_byte < extra)
+ osection->lma++;
+--
+2.43.7
\ No newline at end of file
diff --git a/0043-fix-CVE-2025-7546.patch b/0043-fix-CVE-2025-7546.patch
new file mode 100644
index 0000000..225ba76
--- /dev/null
+++ b/0043-fix-CVE-2025-7546.patch
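Review bot: The comment added in the second binutils/objcopy.c hunk of 0042-fix-CVE-2025-7545.patch, `/* Don't extend the output section size. */`, states the rule but not that the clamp is a buffer bound. `memhunk_size` is captured from `size` while `end` is still `memhunk + size`, so memhunk appears to hold exactly that many bytes, and the recomputed `size` is presumably what a later write of the section contents reads from it. I would spell that out, for example `/* memhunk holds only memhunk_size bytes; the interleaved size must never exceed it. */`. copy_section starts and ends outside both hunks, so the consumer of `size` is inferred rather than visible here.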
@@ -0,0 +1,53 @@
+From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Sat, 21 Jun 2025 06:52:00 +0800
+Subject: [PATCH 1/1] elf: Report corrupted group section
+
+Report corrupted group section instead of trying to recover.
+
+ PR binutils/33050
+ * elf.c (bfd_elf_set_group_contents): Report corrupted group
+ section.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elf.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 14ce15c7254..ee894eb05f2 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -3971,20 +3971,17 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg)
+ break;
+ }
+
+- /* We should always get here with loc == sec->contents + 4, but it is
+- possible to craft bogus SHT_GROUP sections that will cause segfaults
+- in objcopy without checking loc here and in the loop above. */
+- if (loc == sec->contents)
+- BFD_ASSERT (0);
+- else
++ /* We should always get here with loc == sec->contents + 4. Return
++ an error for bogus SHT_GROUP sections. */
++ loc -= 4;
++ if (loc != sec->contents)
+ {
+- loc -= 4;
+- if (loc != sec->contents)
+- {
+- BFD_ASSERT (0);
+- memset (sec->contents + 4, 0, loc - sec->contents);
+- loc = sec->contents;
+- }
++ /* xgettext:c-format */
++ _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
++ abfd, sec);
++ bfd_set_error (bfd_error_bad_value);
++ *failedptr = true;
++ return;
+ }
+
+ H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+--
+2.43.7
\ No newline at end of file
diff --git a/binutils.spec b/binutils.spec
index fdec0af..f3892e3 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -1,4 +1,4 @@
-%define anolis_release 6
+%define anolis_release 7
 # Determine if this is a native build or a cross build.
 #
 # For a cross build add --define "binutils_target " to the command
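Review bot: In the bfd/elf.c hunk of 0043-fix-CVE-2025-7546.patch, `loc -= 4;` now runs before any check, so when loc already equals sec->contents (the case the removed `if (loc == sec->contents)` branch handled) the pointer is moved four bytes in front of the buffer before it is compared. Nothing is dereferenced on that path because the function returns, but forming a pointer before the start of an object is undefined behaviour in C and invites a later edit that does use it. Comparing first gives the same outcome: guard the error return with `if (loc != sec->contents + 4)` and do `loc -= 4;` after it, assuming the section holds at least the four-byte flag word. bfd_elf_set_group_contents starts and ends outside the hunk, so how the loop above advances loc is not visible here.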
@@ -356,6 +356,15 @@ Patch0039: 0039-binutils-multilib.am.patch
 # https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e0323071916878e0634a6e24d8250e4faff67e88
 Patch0040: 0040-fix-CVE-2024-53589.patch
+# https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
+Patch0041: 0041-fix-CVE-2025-3198.patch
+
+# https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944
+Patch0042: 0042-fix-CVE-2025-7545.patch
+
+# https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b
+Patch0043: 0043-fix-CVE-2025-7546.patch
+
 # Purpose: Suppress the x86 linker's p_align-1 tests due to kernel bug on CentOS-10
 # Lifetime: TEMPORARY
 Patch0099: 0099-binutils-suppress-ld-align-tests.patch
@@ -1131,6 +1140,9 @@ exit 0
 %doc README ChangeLog MAINTAINERS README-maintainer-mode
 %changelog
+* Wed Jul 30 2025 wenxin - 2.41-7
+- Add patch to fix CVE-2025-3198,CVE-2025-7545,CVE-2025-7546
+
 * Tue May 27 2025 mgb01105731 - 2.41-6
 - Add patch to fix CVE-2024-53589
--
Gitee
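Review bot: The `Patch0041:` to `Patch0043:` tags in the binutils.spec hunk at -356 only declare the patches; no hunk in this commit adds matching `%patch` lines. The diffstat for the spec (13 insertions, 1 deletion) is fully accounted for by the release bump, these tags with their comments, and the changelog entry. That is fine if %prep applies everything through `%autosetup` or `%autopatch`, but %prep is outside the diff, so it is worth confirming in the build log that 0041 to 0043 are actually applied. A CVE fix that is declared but never applied would still be reported as fixed by the changelog.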