Patch crash for CVE-2025-11082 [MEDIUM] (#14782)

azurelinux-security · jykanase · web-flow · commit a53aa29123ef · 2025-10-17T11:55:01.000+05:30
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/crash/crash.signatures.json b/SPECS/crash/crash.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
   "crash-8.0.1.tar.gz": "233208b1433a49e1d5a063fa88e6fc9772b99fbb7b30ae79a2115d1b8f0dfc52",
-  "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2"
+  "gdb-10.2-4.tar.gz": "f2902cd89e725e0dd2e4ac007d4a31bf0237ad3b1a38191455d801ee6096246b"
  }
 }
diff --git a/SPECS/crash/crash.spec b/SPECS/crash/crash.spec
@@ -1,7 +1,7 @@
 %global gdb_version 10.2
 Name:          crash
 Version:       8.0.1
-Release:       4%{?dist}
+Release:       5%{?dist}
 Summary:       kernel crash analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles
 Group:         Development/Tools
 Vendor:        Microsoft Corporation
@@ -10,7 +10,8 @@ URL:           https://github.com/crash-utility/crash
 Source0:       https://github.com/crash-utility/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # crash requires gdb tarball for the build. There is no option to use the host gdb. For crash 8.0.1 the newest supported gdb version is 10.2.
 # '-3' version of the tarball contains fix for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434 which cannot be applied as a .patch because source1 is only untar'ed during crash make
-Source1:       gdb-%{gdb_version}-3.tar.gz
+# '-4' version of the tarball contains fix for CVE-2025-11082 which cannot be applied as a .patch because source1 is only untar'ed during crash make
+Source1:       gdb-%{gdb_version}-4.tar.gz
 # lzo patch sourced from https://src.fedoraproject.org/rpms/crash/blob/rawhide/f/lzo_snappy_zstd.patch
 Patch0:        lzo_snappy_zstd.patch
 License:       GPLv3+
@@ -66,6 +67,9 @@ cp -p defs.h %{buildroot}%{_includedir}/crash
 %{_includedir}/crash/*.h
 
 %changelog
+* Fri Oct 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.0.1-5
+- Update gdb-10.2-4.tar.gz to address CVE-2025-11082
+
 * Mon Apr 21 2025 Kanishk Bansal <kanbansal@microsoft.com> - 8.0.1-4
 - Update gdb-10.2-3.tar.gz to address CVE-2021-20197, CVE-2022-47673, CVE-2022-47696, CVE-2022-37434
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`	`3`	`"crash-8.0.1.tar.gz": "233208b1433a49e1d5a063fa88e6fc9772b99fbb7b30ae79a2115d1b8f0dfc52",`
`4`		`- "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2"`
	`4`	`+ "gdb-10.2-4.tar.gz": "f2902cd89e725e0dd2e4ac007d4a31bf0237ad3b1a38191455d801ee6096246b"`
`5`	`5`	`}`
`6`	`6`	`}`