[AUTO-CHERRYPICK] Fix crash for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696 [High] - branch 3.0-dev (#13539)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 43a515b11a22 · 2025-04-24T18:22:55.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/crash/crash.signatures.json b/SPECS/crash/crash.signatures.json
@@ -1,6 +1,6 @@
 {
   "Signatures": {
-    "gdb-10.2-2.tar.gz": "76162b994d80718dfb7e9eaf101db3ed8495234756b262916f47359a807a3ac2",
+    "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2",
     "crash-8.0.4.tar.gz": "94df600c183301013787cd47112044e358fb37bb8e2b5544f40377dda98ee78f"
   }
 }
diff --git a/SPECS/crash/crash.spec b/SPECS/crash/crash.spec
@@ -1,7 +1,7 @@
 %global gdb_version 10.2
 Name:          crash
 Version:       8.0.4
-Release:       3%{?dist}
+Release:       4%{?dist}
 Summary:       kernel crash analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles
 Group:         Development/Tools
 Vendor:        Microsoft Corporation
@@ -10,7 +10,8 @@ URL:           https://github.com/crash-utility/crash
 Source0:       https://github.com/crash-utility/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # crash requires gdb tarball for the build. There is no option to use the host gdb. For crash 8.0.1 the newest supported gdb version is 10.2.
 # '-2' version of the tarball contains fix for CVE-2022-37434 which cannot be applied as a .patch because source1 is only untar'ed during crash make
-Source1:       gdb-%{gdb_version}-2.tar.gz
+# '-3' version of the tarball contains fix for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696 which cannot be applied as a .patch because source1 is only untar'ed during crash make
+Source1:       gdb-%{gdb_version}-3.tar.gz
 # lzo patch sourced from https://src.fedoraproject.org/rpms/crash/blob/rawhide/f/lzo_snappy_zstd.patch
 Patch0:        lzo_snappy_zstd.patch
 License:       GPLv3+
@@ -82,7 +83,7 @@ cp -p defs.h %{buildroot}%{_includedir}/crash
 %license COPYING3
 %{_bindir}/crash
 %{_mandir}/man8/crash.8.gz
-%doc COPYING3 README
+%doc README
 
 %files devel
 %defattr(-,root,root)
@@ -96,6 +97,9 @@ cp -p defs.h %{buildroot}%{_includedir}/crash
 %endif
 
 %changelog
+* Mon Apr 21 2025 Kanishk Bansal <kanbansal@microsoft.com> - 8.0.4-4
+- Update gdb-10.2-3.tar.gz to address CVE-2021-20197, CVE-2022-47673, CVE-2022-47696
+
 * Tue Jun 18 2024 Andrew Phelps <anphel@microsoft.com> - 8.0.4-3
 - Add crash-target-arm64 binary to analyze aarch64 dumps on x86_64 machine
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "gdb-10.2-2.tar.gz": "76162b994d80718dfb7e9eaf101db3ed8495234756b262916f47359a807a3ac2",`
	`3`	`+ "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2",`
`4`	`4`	`"crash-8.0.4.tar.gz": "94df600c183301013787cd47112044e358fb37bb8e2b5544f40377dda98ee78f"`
`5`	`5`	`}`
`6`	`6`	`}`