[AutoPR- Security] Patch binutils for CVE-2025-8225 [MEDIUM] (microsoft#14407)

Co-authored-by: Kevin Lockwood <[email protected]>
Co-authored-by: Kevin Lockwood <[email protected]>
Co-authored-by: jykanase <[email protected]>

Author: 3 people

SPECS/binutils/CVE-2025-8225.patch

@@ -0,0 +1,38 @@
+From 615a0496206ed16a93f3362d6189bdf8ba7c3523 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Mon, 28 Jul 2025 19:39:05 +0000
+Subject: [PATCH] Fix CVE CVE-2025-8225 in binutils
+
+[AI Backported] Upstream Patch Reference: https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4
+(Revised by <[email protected]>)
+---
+ binutils/dwarf.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index d976a64b..7934b2b5 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -3480,14 +3480,12 @@ process_debug_info (struct dwarf_section * section,
+       return false;
+     }
+ 
+-  if ((do_loc || do_debug_loc || do_debug_ranges)
+-      && num_debug_info_entries == 0
+-      && ! do_types)
++  if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
++      && alloc_num_debug_info_entries == 0
++      && !do_types)
+     {
+-
+       /* Then allocate an array to hold the information.  */
+-      debug_information = (debug_info *) cmalloc (num_units,
+-						  sizeof (* debug_information));
++      debug_information = cmalloc (num_units, sizeof (*debug_information));
+       if (debug_information == NULL)
+ 	{
+ 	  error (_("Not enough memory for a debug info array of %u entries\n"),
+-- 
+2.45.4
+

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -55,6 +55,7 @@ Patch20:         CVE-2025-5245.patch
 Patch21:         CVE-2025-5244.patch
 Patch22:         CVE-2025-7545.patch
 Patch23:         CVE-2025-7546.patch
+Patch24:        CVE-2025-8225.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -311,6 +312,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Mon Jul 28 2025 Azure Linux Security Servicing Account <[email protected]> - 2.37-17
+- Patch for CVE-2025-8225
+
 * Thu Jul 17 2025 Azure Linux Security Servicing Account <[email protected]> - 2.37-16
 - Patch for CVE-2025-7545, CVE-2025-7546
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.aarch64.rpm
 file-5.40-3.cm2.aarch64.rpm
 file-devel-5.40-3.cm2.aarch64.rpm
 file-libs-5.40-3.cm2.aarch64.rpm
-binutils-2.37-16.cm2.aarch64.rpm
-binutils-devel-2.37-16.cm2.aarch64.rpm
+binutils-2.37-17.cm2.aarch64.rpm
+binutils-devel-2.37-17.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
 mpfr-4.1.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -12,8 +12,8 @@ zlib-devel-1.2.13-2.cm2.x86_64.rpm
 file-5.40-3.cm2.x86_64.rpm
 file-devel-5.40-3.cm2.x86_64.rpm
 file-libs-5.40-3.cm2.x86_64.rpm
-binutils-2.37-16.cm2.x86_64.rpm
-binutils-devel-2.37-16.cm2.x86_64.rpm
+binutils-2.37-17.cm2.x86_64.rpm
+binutils-devel-2.37-17.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
 mpfr-4.1.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -9,9 +9,9 @@ bash-5.1.8-4.cm2.aarch64.rpm
 bash-debuginfo-5.1.8-4.cm2.aarch64.rpm
 bash-devel-5.1.8-4.cm2.aarch64.rpm
 bash-lang-5.1.8-4.cm2.aarch64.rpm
-binutils-2.37-16.cm2.aarch64.rpm
-binutils-debuginfo-2.37-16.cm2.aarch64.rpm
-binutils-devel-2.37-16.cm2.aarch64.rpm
+binutils-2.37-17.cm2.aarch64.rpm
+binutils-debuginfo-2.37-17.cm2.aarch64.rpm
+binutils-devel-2.37-17.cm2.aarch64.rpm
 bison-3.7.6-2.cm2.aarch64.rpm
 bison-debuginfo-3.7.6-2.cm2.aarch64.rpm
 bzip2-1.0.8-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -9,10 +9,10 @@ bash-5.1.8-4.cm2.x86_64.rpm
 bash-debuginfo-5.1.8-4.cm2.x86_64.rpm
 bash-devel-5.1.8-4.cm2.x86_64.rpm
 bash-lang-5.1.8-4.cm2.x86_64.rpm
-binutils-2.37-16.cm2.x86_64.rpm
-binutils-aarch64-linux-gnu-2.37-16.cm2.x86_64.rpm
-binutils-debuginfo-2.37-16.cm2.x86_64.rpm
-binutils-devel-2.37-16.cm2.x86_64.rpm
+binutils-2.37-17.cm2.x86_64.rpm
+binutils-aarch64-linux-gnu-2.37-17.cm2.x86_64.rpm
+binutils-debuginfo-2.37-17.cm2.x86_64.rpm
+binutils-devel-2.37-17.cm2.x86_64.rpm
 bison-3.7.6-2.cm2.x86_64.rpm
 bison-debuginfo-3.7.6-2.cm2.x86_64.rpm
 bzip2-1.0.8-1.cm2.x86_64.rpm
@@ -47,7 +47,7 @@ cracklib-lang-2.9.7-5.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
-cross-binutils-common-2.37-16.cm2.noarch.rpm
+cross-binutils-common-2.37-17.cm2.noarch.rpm
 cross-gcc-common-11.2.0-8.cm2.noarch.rpm
 curl-8.8.0-6.cm2.x86_64.rpm
 curl-debuginfo-8.8.0-6.cm2.x86_64.rpm