[AutoPR- Security] Patch binutils for CVE-2025-11414, CVE-2025-11412 [MEDIUM] (microsoft#14885)

Co-authored-by: Kanishk Bansal <[email protected]>

Author: azurelinux-security

SPECS/binutils/CVE-2025-11412.patch

@@ -0,0 +1,37 @@
+From fc99e514c408a988c8d540bafed93b4214f629c2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <[email protected]>
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array.  This also fixes the expression
+overflow leading to pr33452.  A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+	PR ld/33452
+	* elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/bminor/binutils-gdb/commit/047435dd988a3975d40c6626a8f739a0b2e154bc.patch
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index be2a2f53..3ec41fd5 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14536,7 +14536,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+   const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+   unsigned int log_file_align = bed->s->log_file_align;
+ 
+-  if (!h)
++  if (!h || addend > 1u << 28)
+     {
+       /* xgettext:c-format */
+       _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
+-- 
+2.45.4
+

SPECS/binutils/CVE-2025-11414.patch

@@ -0,0 +1,85 @@
+From 03c88b26a6d9cedb201699e435fe685e5131a33e Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <[email protected]>
+Date: Tue, 23 Sep 2025 08:52:26 +0800
+Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed
+
+Normally ELF symbol table should be sorted, i.e., local symbols precede
+global symbols.  Irix 6 is an exception and its elf_bad_symtab is set
+to true.  Issue an error if elf_bad_symtab is false and symbol table is
+unsorted.
+
+	PR ld/33450
+	* elflink.c (set_symbol_value): Change return type to bool and
+	return false on error.  Issue an error on unsorted symbol table
+	if not allowed.
+	(elf_link_input_bfd): Return false if set_symbol_value reurns
+	false.
+
+Signed-off-by: H.J. Lu <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/bminor/binutils-gdb/commit/aeaaa9af6359c8e394ce9cf24911fec4f4d23703.patch
+---
+ bfd/elflink.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 3ec41fd5..1a86f9d2 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -8846,7 +8846,7 @@ struct elf_outext_info
+    <binary-operator> := as in C
+    <unary-operator> := as in C, plus "0-" for unambiguous negation.  */
+ 
+-static void
++static bool
+ set_symbol_value (bfd *bfd_with_globals,
+ 		  Elf_Internal_Sym *isymbuf,
+ 		  size_t locsymcount,
+@@ -8867,9 +8867,15 @@ set_symbol_value (bfd *bfd_with_globals,
+ 	     "absolute" section and give it a value.  */
+ 	  sym->st_shndx = SHN_ABS;
+ 	  sym->st_value = val;
+-	  return;
++	  return true;
++	}
++      if (!elf_bad_symtab (bfd_with_globals))
++	{
++	  _bfd_error_handler (_("%pB: corrupt symbol table"),
++			      bfd_with_globals);
++	  bfd_set_error (bfd_error_bad_value);
++	  return false;
+ 	}
+-      BFD_ASSERT (elf_bad_symtab (bfd_with_globals));
+       extsymoff = 0;
+     }
+ 
+@@ -8879,11 +8885,12 @@ set_symbol_value (bfd *bfd_with_globals,
+   if (h == NULL)
+     {
+       /* FIXMEL What should we do ?  */
+-      return;
++      return false;
+     }
+   h->root.type = bfd_link_hash_defined;
+   h->root.u.def.value = val;
+   h->root.u.def.section = bfd_abs_section_ptr;
++  return true;
+ }
+ 
+ static bool
+@@ -11573,8 +11580,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
+ 		    return false;
+ 
+ 		  /* Symbol evaluated OK.  Update to absolute value.  */
+-		  set_symbol_value (input_bfd, isymbuf, locsymcount,
+-				    r_symndx, val);
++		  if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx,
++					 val))
++		    return false;
++
+ 		  continue;
+ 		}
+ 
+-- 
+2.45.4
+

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.41
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -45,6 +45,8 @@ Patch11:        CVE-2025-7545.patch
 Patch12:        CVE-2025-8225.patch
 Patch13:        CVE-2025-11082.patch
 Patch14:        CVE-2025-11083.patch
+Patch15:        CVE-2025-11412.patch
+Patch16:        CVE-2025-11414.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -334,6 +336,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Thu Oct 16 2025 Azure Linux Security Servicing Account <[email protected]> - 2.41-10
+- Patch for CVE-2025-11414, CVE-2025-11412
+
 * Wed Oct 01 2025 Azure Linux Security Servicing Account <[email protected]> - 2.41-9
 - Patch for CVE-2025-11083, CVE-2025-11082
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
 file-libs-5.45-1.azl3.aarch64.rpm
-binutils-2.41-9.azl3.aarch64.rpm
-binutils-devel-2.41-9.azl3.aarch64.rpm
+binutils-2.41-10.azl3.aarch64.rpm
+binutils-devel-2.41-10.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
 mpfr-4.2.1-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
 file-libs-5.45-1.azl3.x86_64.rpm
-binutils-2.41-9.azl3.x86_64.rpm
-binutils-devel-2.41-9.azl3.x86_64.rpm
+binutils-2.41-10.azl3.x86_64.rpm
+binutils-devel-2.41-10.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
 mpfr-4.2.1-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
 bash-lang-5.2.15-3.azl3.aarch64.rpm
-binutils-2.41-9.azl3.aarch64.rpm
-binutils-debuginfo-2.41-9.azl3.aarch64.rpm
-binutils-devel-2.41-9.azl3.aarch64.rpm
+binutils-2.41-10.azl3.aarch64.rpm
+binutils-debuginfo-2.41-10.azl3.aarch64.rpm
+binutils-devel-2.41-10.azl3.aarch64.rpm
 bison-3.8.2-1.azl3.aarch64.rpm
 bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
 bzip2-1.0.8-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
 bash-lang-5.2.15-3.azl3.x86_64.rpm
-binutils-2.41-9.azl3.x86_64.rpm
-binutils-aarch64-linux-gnu-2.41-9.azl3.x86_64.rpm
-binutils-debuginfo-2.41-9.azl3.x86_64.rpm
-binutils-devel-2.41-9.azl3.x86_64.rpm
+binutils-2.41-10.azl3.x86_64.rpm
+binutils-aarch64-linux-gnu-2.41-10.azl3.x86_64.rpm
+binutils-debuginfo-2.41-10.azl3.x86_64.rpm
+binutils-devel-2.41-10.azl3.x86_64.rpm
 bison-3.8.2-1.azl3.x86_64.rpm
 bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
 bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
-cross-binutils-common-2.41-9.azl3.noarch.rpm
+cross-binutils-common-2.41-10.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.11.1-4.azl3.x86_64.rpm
 curl-debuginfo-8.11.1-4.azl3.x86_64.rpm