[AutoPR- Security] Patch binutils for CVE-2025-11083, CVE-2025-11082 [MEDIUM] (#14764)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: azurelinux-security

SPECS/binutils/CVE-2025-11082.patch

@@ -0,0 +1,47 @@
+From ab0cbd03355bfa778beb3f8484f55c975f1066c8 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 22 Sep 2025 15:20:34 +0800
+Subject: [PATCH] elf: Don't read beyond .eh_frame section size
+
+	PR ld/33464
+	* elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond
+	.eh_frame section size.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/bminor/binutils-gdb/commit/ea1a0737c7692737a644af0486b71e4a392cbca8.patch
+---
+ bfd/elf-eh-frame.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/elf-eh-frame.c b/binutils-2.41/bfd/elf-eh-frame.c
+index bf7a9902..7d11a9ed 100644
+--- a/bfd/elf-eh-frame.c
++++ b/bfd/elf-eh-frame.c
+@@ -734,6 +734,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+       if (hdr_id == 0)
+ 	{
+ 	  unsigned int initial_insn_length;
++	  char *null_byte;
+ 
+ 	  /* CIE  */
+ 	  this_inf->cie = 1;
+@@ -750,10 +751,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+ 	  REQUIRE (cie->version == 1
+ 		   || cie->version == 3
+ 		   || cie->version == 4);
+-	  REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation));
++	  null_byte = memchr ((char *) buf, 0, end - buf);
++	  REQUIRE (null_byte != NULL);
++	  REQUIRE ((size_t) (null_byte - (char *) buf)
++		   < sizeof (cie->augmentation));
+ 
+ 	  strcpy (cie->augmentation, (char *) buf);
+-	  buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1;
++	  buf = (bfd_byte *) null_byte + 1;
+ 	  this_inf->u.cie.aug_str_len = buf - start - 1;
+ 	  ENSURE_NO_RELOCS (buf);
+ 	  if (buf[0] == 'e' && buf[1] == 'h')
+-- 
+2.45.4
+

SPECS/binutils/CVE-2025-11083.patch

@@ -0,0 +1,74 @@
+From b598030bd2734ab9e5774b0c30eafc5a1a3bf7b5 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 1 Oct 2025 19:03:19 +0000
+Subject: [PATCH] elf: Don't match corrupt section header in linker input (PR
+ ld/33457)
+
+- Change elf_swap_shdr_in to return bool and return false for corrupt section headers in linker input.
+- Update elf_object_p to reject if elf_swap_shdr_in returns false.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/bminor/binutils-gdb/commit/9ca499644a21ceb3f946d1c179c38a83be084490.patch
+---
+ bfd/elfcode.h | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/binutils-2.41/bfd/elfcode.h b/binutils-2.41/bfd/elfcode.h
+index b2277921..67cf445c 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+    ELF section header table entry in internal format.  */
+ 
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ 		  const Elf_External_Shdr *src,
+ 		  Elf_Internal_Shdr *dst)
+@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
+ 	{
+ 	  _bfd_error_handler (_("warning: %pB has a section "
+ 				"extending past end of file"), abfd);
++	  /* PR ld/33457: Don't match corrupt section header.  */
++	  if (abfd->is_linker_input)
++	    return false;
+ 	  abfd->read_only = 1;
+ 	}
+     }
+@@ -350,6 +353,8 @@ elf_swap_shdr_in (bfd *abfd,
+   dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+   dst->bfd_section = NULL;
+   dst->contents = NULL;
++  return true;
++
+ }
+ 
+ /* Translate an ELF section header table entry in internal format into an
+@@ -642,9 +647,9 @@ elf_object_p (bfd *abfd)
+ 
+       /* Read the first section header at index 0, and convert to internal
+ 	 form.  */
+-      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++	  || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ 	goto got_no_match;
+-      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+ 
+       /* If the section count is zero, the actual count is in the first
+ 	 section header.  */
+@@ -730,9 +735,9 @@ elf_object_p (bfd *abfd)
+ 	 to internal form.  */
+       for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ 	{
+-	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++	      || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ 	    goto got_no_match;
+-	  elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ 
+ 	  /* Sanity check sh_link and sh_info.  */
+ 	  if (i_shdrp[shindex].sh_link >= num_sec)
+-- 
+2.45.4
+

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.41
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -43,6 +43,8 @@ Patch9:         CVE-2025-5244.patch
 Patch10:        CVE-2025-7546.patch
 Patch11:        CVE-2025-7545.patch
 Patch12:        CVE-2025-8225.patch
+Patch13:        CVE-2025-11082.patch
+Patch14:        CVE-2025-11083.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -332,6 +334,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Wed Oct 01 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-9
+- Patch for CVE-2025-11083, CVE-2025-11082
+
 * Mon Jul 28 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-8
 - Patch for CVE-2025-8225
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
 file-libs-5.45-1.azl3.aarch64.rpm
-binutils-2.41-8.azl3.aarch64.rpm
-binutils-devel-2.41-8.azl3.aarch64.rpm
+binutils-2.41-9.azl3.aarch64.rpm
+binutils-devel-2.41-9.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
 mpfr-4.2.1-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
 file-libs-5.45-1.azl3.x86_64.rpm
-binutils-2.41-8.azl3.x86_64.rpm
-binutils-devel-2.41-8.azl3.x86_64.rpm
+binutils-2.41-9.azl3.x86_64.rpm
+binutils-devel-2.41-9.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
 mpfr-4.2.1-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
 bash-lang-5.2.15-3.azl3.aarch64.rpm
-binutils-2.41-8.azl3.aarch64.rpm
-binutils-debuginfo-2.41-8.azl3.aarch64.rpm
-binutils-devel-2.41-8.azl3.aarch64.rpm
+binutils-2.41-9.azl3.aarch64.rpm
+binutils-debuginfo-2.41-9.azl3.aarch64.rpm
+binutils-devel-2.41-9.azl3.aarch64.rpm
 bison-3.8.2-1.azl3.aarch64.rpm
 bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
 bzip2-1.0.8-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
 bash-lang-5.2.15-3.azl3.x86_64.rpm
-binutils-2.41-8.azl3.x86_64.rpm
-binutils-aarch64-linux-gnu-2.41-8.azl3.x86_64.rpm
-binutils-debuginfo-2.41-8.azl3.x86_64.rpm
-binutils-devel-2.41-8.azl3.x86_64.rpm
+binutils-2.41-9.azl3.x86_64.rpm
+binutils-aarch64-linux-gnu-2.41-9.azl3.x86_64.rpm
+binutils-debuginfo-2.41-9.azl3.x86_64.rpm
+binutils-devel-2.41-9.azl3.x86_64.rpm
 bison-3.8.2-1.azl3.x86_64.rpm
 bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
 bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
-cross-binutils-common-2.41-8.azl3.noarch.rpm
+cross-binutils-common-2.41-9.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.11.1-4.azl3.x86_64.rpm
 curl-debuginfo-8.11.1-4.azl3.x86_64.rpm