[AutoPR- Security] Patch binutils for CVE-2025-7546, CVE-2025-7545 [MEDIUM] (microsoft#14331)

azurelinux-security · kevin-b-lockwood · web-flow · commit a38722542ee1 · 2025-07-28T13:34:17.000+05:30
Co-authored-by: Kevin Lockwood &lt;v-klockwood@microsoft.com&gt;
diff --git a/SPECS/binutils/CVE-2025-7545.patch b/SPECS/binutils/CVE-2025-7545.patch
@@ -0,0 +1,38 @@
+From 255c74cb9030905028a4f9ce07aff56039844152 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Thu, 17 Jul 2025 08:46:38 +0000
+Subject: [PATCH] Fix CVE CVE-2025-7545 in binutils
+
+Upstream Patch Reference: https://github.com/bminor/binutils-gdb/commit/08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944.patch
+---
+ binutils/objcopy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index 3569b890..c09d85d1 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -4514,6 +4514,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ 	  char *to = (char *) memhunk;
+ 	  char *end = (char *) memhunk + size;
+ 	  int i;
++	  bfd_size_type memhunk_size = size;
+ 
+ 	  /* If the section address is not exactly divisible by the interleave,
+ 	     then we must bias the from address.  If the copy_byte is less than
+@@ -4533,6 +4534,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ 	      }
+ 
+ 	  size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
++
++	  /* Don't extend the output section size.  */
++	  if (size > memhunk_size)
++	    size = memhunk_size;
++
+ 	  osection->lma /= interleave;
+ 	  if (copy_byte < extra)
+ 	    osection->lma++;
+-- 
+2.45.3
+
diff --git a/SPECS/binutils/CVE-2025-7546.patch b/SPECS/binutils/CVE-2025-7546.patch
@@ -0,0 +1,49 @@
+From 35b1514eba18a239c85867ab4132408d85e1e120 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Thu, 17 Jul 2025 08:48:22 +0000
+Subject: [PATCH] Fix CVE CVE-2025-7546 in binutils
+
+Upstream Patch Reference: https://github.com/bminor/binutils-gdb/commit/41461010eb7c79fee7a9d5f6209accdaac66cc6b.patch
+---
+ bfd/elf.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index d38e0aff..1de0cec0 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -4120,20 +4120,17 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg)
+ 	break;
+     }
+ 
+-  /* We should always get here with loc == sec->contents + 4, but it is
+-     possible to craft bogus SHT_GROUP sections that will cause segfaults
+-     in objcopy without checking loc here and in the loop above.  */
+-  if (loc == sec->contents)
+-    BFD_ASSERT (0);
+-  else
++  /* We should always get here with loc == sec->contents + 4.  Return
++     an error for bogus SHT_GROUP sections.  */
++  loc -= 4;
++  if (loc != sec->contents)
+     {
+-      loc -= 4;
+-      if (loc != sec->contents)
+-	{
+-	  BFD_ASSERT (0);
+-	  memset (sec->contents + 4, 0, loc - sec->contents);
+-	  loc = sec->contents;
+-	}
++      /* xgettext:c-format */
++      _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
++			  abfd, sec);
++      bfd_set_error (bfd_error_bad_value);
++      *failedptr = true;
++      return;
+     }
+ 
+   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+-- 
+2.45.3
+
diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec
@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.41
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -40,6 +40,8 @@ Patch6:         CVE-2025-0840.patch
 Patch7:		CVE-2025-1744.patch
 Patch8:         CVE-2025-5245.patch
 Patch9:         CVE-2025-5244.patch
+Patch10:        CVE-2025-7546.patch
+Patch11:        CVE-2025-7545.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -329,6 +331,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Thu Jul 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-7
+- Patch for CVE-2025-7546, CVE-2025-7545
+
 * Wed May 28 2025 Akarsh Chaudhary <v-akarshc@microsoft.com> - 2.41-6
 - Patch CVE-2025-5245 , CVE-2025-5244
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
 file-libs-5.45-1.azl3.aarch64.rpm
-binutils-2.41-6.azl3.aarch64.rpm
-binutils-devel-2.41-6.azl3.aarch64.rpm
+binutils-2.41-7.azl3.aarch64.rpm
+binutils-devel-2.41-7.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
 mpfr-4.2.1-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
 file-libs-5.45-1.azl3.x86_64.rpm
-binutils-2.41-6.azl3.x86_64.rpm
-binutils-devel-2.41-6.azl3.x86_64.rpm
+binutils-2.41-7.azl3.x86_64.rpm
+binutils-devel-2.41-7.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
 mpfr-4.2.1-1.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
 bash-lang-5.2.15-3.azl3.aarch64.rpm
-binutils-2.41-6.azl3.aarch64.rpm
-binutils-debuginfo-2.41-6.azl3.aarch64.rpm
-binutils-devel-2.41-6.azl3.aarch64.rpm
+binutils-2.41-7.azl3.aarch64.rpm
+binutils-debuginfo-2.41-7.azl3.aarch64.rpm
+binutils-devel-2.41-7.azl3.aarch64.rpm
 bison-3.8.2-1.azl3.aarch64.rpm
 bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
 bzip2-1.0.8-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
 bash-lang-5.2.15-3.azl3.x86_64.rpm
-binutils-2.41-6.azl3.x86_64.rpm
-binutils-aarch64-linux-gnu-2.41-6.azl3.x86_64.rpm
-binutils-debuginfo-2.41-6.azl3.x86_64.rpm
-binutils-devel-2.41-6.azl3.x86_64.rpm
+binutils-2.41-7.azl3.x86_64.rpm
+binutils-aarch64-linux-gnu-2.41-7.azl3.x86_64.rpm
+binutils-debuginfo-2.41-7.azl3.x86_64.rpm
+binutils-devel-2.41-7.azl3.x86_64.rpm
 bison-3.8.2-1.azl3.x86_64.rpm
 bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
 bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
-cross-binutils-common-2.41-6.azl3.noarch.rpm
+cross-binutils-common-2.41-7.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.11.1-3.azl3.x86_64.rpm
 curl-debuginfo-8.11.1-3.azl3.x86_64.rpm
