Skip to content

Commit b2ae0b8

Browse files
CBL-Mariner-BotKavyaSree2610
CBL-Mariner-Bot
and
KavyaSree2610
authored
[AUTO-CHERRYPICK] Patch binutils for CVE-2025-1744 [CRITICAL] - branch 3.0-dev (#12925)
Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com>
1 parent 16a75f2 commit b2ae0b8

6 files changed

Lines changed: 45 additions & 13 deletions

File tree

SPECS/binutils/CVE-2025-1744.patch

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
From 4f089501e761cecf2d702f3fe9a42fd2c2c3fe32 Mon Sep 17 00:00:00 2001
2+
From: kavyasree <kkaitepalli@microsoft.com>
3+
Date: Tue, 11 Mar 2025 14:15:39 +0530
4+
Subject: [PATCH] Patch for CVE-2025-1744
5+
Reference: https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
6+
---
7+
zlib/inflate.c | 5 +++--
8+
1 file changed, 3 insertions(+), 2 deletions(-)
9+
10+
diff --git a/zlib/inflate.c b/zlib/inflate.c
11+
index 7be8c636..754f5540 100644
12+
--- a/zlib/inflate.c
13+
+++ b/zlib/inflate.c
14+
@@ -764,8 +764,9 @@ int flush;
15+
if (copy > have) copy = have;
16+
if (copy) {
17+
if (state->head != Z_NULL &&
18+
- state->head->extra != Z_NULL) {
19+
- len = state->head->extra_len - state->length;
20+
+ state->head->extra != Z_NULL &&
21+
+ (len = state->head->extra_len - state->length) <
22+
+ state->head->extra_max) {
23+
zmemcpy(state->head->extra + len, next,
24+
len + copy > state->head->extra_max ?
25+
state->head->extra_max - len : copy);
26+
--
27+
2.34.1
28+

SPECS/binutils/binutils.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
Summary: Contains a linker, an assembler, and other tools
2222
Name: binutils
2323
Version: 2.41
24-
Release: 4%{?dist}
24+
Release: 5%{?dist}
2525
License: GPLv2+
2626
Vendor: Microsoft Corporation
2727
Distribution: Azure Linux
@@ -37,6 +37,7 @@ Patch3: CVE-2025-1178.patch
3737
Patch4: CVE-2025-1181.patch
3838
Patch5: CVE-2025-1182.patch
3939
Patch6: CVE-2025-0840.patch
40+
Patch7: CVE-2025-1744.patch
4041
Provides: bundled(libiberty)
4142

4243
# Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -326,6 +327,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
326327
%do_files aarch64-linux-gnu %{build_aarch64}
327328

328329
%changelog
330+
* Tue Mar 11 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.41-5
331+
- Fix CVE-2025-1744
332+
329333
* Sun Feb 23 2025 Sudipta Pandit <sudpandit@microsoft.com> - 2.41-4
330334
- Fix CVE-2025-0840 by backporting upstream patch
331335

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.aarch64.rpm
1313
file-5.45-1.azl3.aarch64.rpm
1414
file-devel-5.45-1.azl3.aarch64.rpm
1515
file-libs-5.45-1.azl3.aarch64.rpm
16-
binutils-2.41-4.azl3.aarch64.rpm
17-
binutils-devel-2.41-4.azl3.aarch64.rpm
16+
binutils-2.41-5.azl3.aarch64.rpm
17+
binutils-devel-2.41-5.azl3.aarch64.rpm
1818
gmp-6.3.0-1.azl3.aarch64.rpm
1919
gmp-devel-6.3.0-1.azl3.aarch64.rpm
2020
mpfr-4.2.1-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.x86_64.rpm
1313
file-5.45-1.azl3.x86_64.rpm
1414
file-devel-5.45-1.azl3.x86_64.rpm
1515
file-libs-5.45-1.azl3.x86_64.rpm
16-
binutils-2.41-4.azl3.x86_64.rpm
17-
binutils-devel-2.41-4.azl3.x86_64.rpm
16+
binutils-2.41-5.azl3.x86_64.rpm
17+
binutils-devel-2.41-5.azl3.x86_64.rpm
1818
gmp-6.3.0-1.azl3.x86_64.rpm
1919
gmp-devel-6.3.0-1.azl3.x86_64.rpm
2020
mpfr-4.2.1-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
3030
bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
3131
bash-devel-5.2.15-3.azl3.aarch64.rpm
3232
bash-lang-5.2.15-3.azl3.aarch64.rpm
33-
binutils-2.41-4.azl3.aarch64.rpm
34-
binutils-debuginfo-2.41-4.azl3.aarch64.rpm
35-
binutils-devel-2.41-4.azl3.aarch64.rpm
33+
binutils-2.41-5.azl3.aarch64.rpm
34+
binutils-debuginfo-2.41-5.azl3.aarch64.rpm
35+
binutils-devel-2.41-5.azl3.aarch64.rpm
3636
bison-3.8.2-1.azl3.aarch64.rpm
3737
bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
3838
bzip2-1.0.8-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
3232
bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
3333
bash-devel-5.2.15-3.azl3.x86_64.rpm
3434
bash-lang-5.2.15-3.azl3.x86_64.rpm
35-
binutils-2.41-4.azl3.x86_64.rpm
36-
binutils-aarch64-linux-gnu-2.41-4.azl3.x86_64.rpm
37-
binutils-debuginfo-2.41-4.azl3.x86_64.rpm
38-
binutils-devel-2.41-4.azl3.x86_64.rpm
35+
binutils-2.41-5.azl3.x86_64.rpm
36+
binutils-aarch64-linux-gnu-2.41-5.azl3.x86_64.rpm
37+
binutils-debuginfo-2.41-5.azl3.x86_64.rpm
38+
binutils-devel-2.41-5.azl3.x86_64.rpm
3939
bison-3.8.2-1.azl3.x86_64.rpm
4040
bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
4141
bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
7070
createrepo_c-1.0.3-1.azl3.x86_64.rpm
7171
createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
7272
createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
73-
cross-binutils-common-2.41-4.azl3.noarch.rpm
73+
cross-binutils-common-2.41-5.azl3.noarch.rpm
7474
cross-gcc-common-13.2.0-7.azl3.noarch.rpm
7575
curl-8.11.1-3.azl3.x86_64.rpm
7676
curl-debuginfo-8.11.1-3.azl3.x86_64.rpm

0 commit comments

Comments
 (0)