Skip to content

Commit bb05f4d

Browse files
CBL-Mariner-BotKavyaSree2610
CBL-Mariner-Bot
and
KavyaSree2610
authored
[AUTO-CHERRYPICK] Patch binutils for CVE-2025-1744 [CRITICAL] - branch main (#12896)
Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com>
1 parent 2eaa7c0 commit bb05f4d

6 files changed

Lines changed: 46 additions & 13 deletions

File tree

SPECS/binutils/CVE-2025-1744.patch

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
From 4f089501e761cecf2d702f3fe9a42fd2c2c3fe32 Mon Sep 17 00:00:00 2001
2+
From: kavyasree <kkaitepalli@microsoft.com>
3+
Date: Tue, 11 Mar 2025 14:15:39 +0530
4+
Subject: [PATCH] Patch for CVE-2025-1744
5+
6+
Reference: https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
7+
---
8+
zlib/inflate.c | 5 +++--
9+
1 file changed, 3 insertions(+), 2 deletions(-)
10+
11+
diff --git a/zlib/inflate.c b/zlib/inflate.c
12+
index 7be8c636..754f5540 100644
13+
--- a/zlib/inflate.c
14+
+++ b/zlib/inflate.c
15+
@@ -764,8 +764,9 @@ int flush;
16+
if (copy > have) copy = have;
17+
if (copy) {
18+
if (state->head != Z_NULL &&
19+
- state->head->extra != Z_NULL) {
20+
- len = state->head->extra_len - state->length;
21+
+ state->head->extra != Z_NULL &&
22+
+ (len = state->head->extra_len - state->length) <
23+
+ state->head->extra_max) {
24+
zmemcpy(state->head->extra + len, next,
25+
len + copy > state->head->extra_max ?
26+
state->head->extra_max - len : copy);
27+
--
28+
2.34.1
29+

SPECS/binutils/binutils.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
Summary: Contains a linker, an assembler, and other tools
2222
Name: binutils
2323
Version: 2.37
24-
Release: 13%{?dist}
24+
Release: 14%{?dist}
2525
License: GPLv2+
2626
Vendor: Microsoft Corporation
2727
Distribution: Mariner
@@ -50,6 +50,7 @@ Patch15: CVE-2025-1176.patch
5050
Patch16: CVE-2025-1181.patch
5151
Patch17: CVE-2025-1182.patch
5252
Patch18: CVE-2025-1178.patch
53+
Patch19: CVE-2025-1744.patch
5354
Provides: bundled(libiberty)
5455

5556
# Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -306,6 +307,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
306307
%do_files aarch64-linux-gnu %{build_aarch64}
307308

308309
%changelog
310+
* Tue Mar 11 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.37-14
311+
- Fix CVE-2025-1744
312+
309313
* Mon Feb 17 2025 Sindhu Karri <lakarri@microsoft.com> - 2.37-13
310314
- Fix CVE-2025-1178
311315

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.aarch64.rpm
1212
file-5.40-3.cm2.aarch64.rpm
1313
file-devel-5.40-3.cm2.aarch64.rpm
1414
file-libs-5.40-3.cm2.aarch64.rpm
15-
binutils-2.37-13.cm2.aarch64.rpm
16-
binutils-devel-2.37-13.cm2.aarch64.rpm
15+
binutils-2.37-14.cm2.aarch64.rpm
16+
binutils-devel-2.37-14.cm2.aarch64.rpm
1717
gmp-6.2.1-4.cm2.aarch64.rpm
1818
gmp-devel-6.2.1-4.cm2.aarch64.rpm
1919
mpfr-4.1.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.x86_64.rpm
1212
file-5.40-3.cm2.x86_64.rpm
1313
file-devel-5.40-3.cm2.x86_64.rpm
1414
file-libs-5.40-3.cm2.x86_64.rpm
15-
binutils-2.37-13.cm2.x86_64.rpm
16-
binutils-devel-2.37-13.cm2.x86_64.rpm
15+
binutils-2.37-14.cm2.x86_64.rpm
16+
binutils-devel-2.37-14.cm2.x86_64.rpm
1717
gmp-6.2.1-4.cm2.x86_64.rpm
1818
gmp-devel-6.2.1-4.cm2.x86_64.rpm
1919
mpfr-4.1.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ bash-5.1.8-4.cm2.aarch64.rpm
99
bash-debuginfo-5.1.8-4.cm2.aarch64.rpm
1010
bash-devel-5.1.8-4.cm2.aarch64.rpm
1111
bash-lang-5.1.8-4.cm2.aarch64.rpm
12-
binutils-2.37-13.cm2.aarch64.rpm
13-
binutils-debuginfo-2.37-13.cm2.aarch64.rpm
14-
binutils-devel-2.37-13.cm2.aarch64.rpm
12+
binutils-2.37-14.cm2.aarch64.rpm
13+
binutils-debuginfo-2.37-14.cm2.aarch64.rpm
14+
binutils-devel-2.37-14.cm2.aarch64.rpm
1515
bison-3.7.6-2.cm2.aarch64.rpm
1616
bison-debuginfo-3.7.6-2.cm2.aarch64.rpm
1717
bzip2-1.0.8-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9,10 +9,10 @@ bash-5.1.8-4.cm2.x86_64.rpm
99
bash-debuginfo-5.1.8-4.cm2.x86_64.rpm
1010
bash-devel-5.1.8-4.cm2.x86_64.rpm
1111
bash-lang-5.1.8-4.cm2.x86_64.rpm
12-
binutils-2.37-13.cm2.x86_64.rpm
13-
binutils-aarch64-linux-gnu-2.37-13.cm2.x86_64.rpm
14-
binutils-debuginfo-2.37-13.cm2.x86_64.rpm
15-
binutils-devel-2.37-13.cm2.x86_64.rpm
12+
binutils-2.37-14.cm2.x86_64.rpm
13+
binutils-aarch64-linux-gnu-2.37-14.cm2.x86_64.rpm
14+
binutils-debuginfo-2.37-14.cm2.x86_64.rpm
15+
binutils-devel-2.37-14.cm2.x86_64.rpm
1616
bison-3.7.6-2.cm2.x86_64.rpm
1717
bison-debuginfo-3.7.6-2.cm2.x86_64.rpm
1818
bzip2-1.0.8-1.cm2.x86_64.rpm
@@ -47,7 +47,7 @@ cracklib-lang-2.9.7-5.cm2.x86_64.rpm
4747
createrepo_c-0.17.5-1.cm2.x86_64.rpm
4848
createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
4949
createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
50-
cross-binutils-common-2.37-13.cm2.noarch.rpm
50+
cross-binutils-common-2.37-14.cm2.noarch.rpm
5151
cross-gcc-common-11.2.0-8.cm2.noarch.rpm
5252
curl-8.8.0-5.cm2.x86_64.rpm
5353
curl-debuginfo-8.8.0-5.cm2.x86_64.rpm

0 commit comments

Comments
 (0)