Merge changes for 2.0 monthly update (microsoft#15021)

Author: jslobodzian

SPECS-EXTENDED/samba/CVE-2025-49716-netlogon.patch

@@ -85,7 +85,7 @@
 
 Name:           samba
 Version:        4.12.5
-Release:        6%{?dist}
+Release:        7%{?dist}
 
 
 %define samba_depver %{version}-%{release}
@@ -247,6 +247,8 @@ BuildRequires: krb5-server >= %{required_mit_krb5}
 BuildRequires: bind
 %endif
 
+Patch0: CVE-2025-49716-netlogon.patch
+
 # filter out perl requirements pulled in from examples in the docdir.
 %global __requires_exclude_from ^%{_docdir}/.*$
 %global __provides_exclude_from ^%{_docdir}/.*$
@@ -796,6 +798,7 @@ and use CTDB instead.
 
 
 %prep
+%autosetup -p1
 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %autosetup -n samba-%{version}%{pre_release} -p1
 # Remove `xsltproc` binary if installed. This is only used for docs, which we do not build
@@ -3438,6 +3441,9 @@ fi
 %endif
 
 %changelog
+* Fri Oct 10 2025 Andy Zaugg <[email protected]> - 4.12.5-7
+- Fix winbind netlogon issue with Windows security update 2025 CVE-2025-49716
+
 * Wed Apr 17 2024 Andrew Phelps <[email protected]> - 4.12.5-6
 - Fix build issue with docs by removing xsltproc
 

SPECS-EXTENDED/samba/samba.spec

@@ -0,0 +1,47 @@
+From 1a2eb7a4a288ffe6d1a7a6a7260c1a59d8638f46 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <[email protected]>
+Date: Mon, 22 Sep 2025 15:20:34 +0800
+Subject: [PATCH] elf: Don't read beyond .eh_frame section size
+
+	PR ld/33464
+	* elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond
+	.eh_frame section size.
+
+Signed-off-by: H.J. Lu <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/bminor/binutils-gdb/commit/ea1a0737c7692737a644af0486b71e4a392cbca8.patch
+---
+ bfd/elf-eh-frame.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/binutils-2.37/bfd/elf-eh-frame.c b/binutils-2.37/bfd/elf-eh-frame.c
+index 6ce6d225..f1f6b463 100644
+--- a/bfd/elf-eh-frame.c
++++ b/bfd/elf-eh-frame.c
+@@ -733,6 +733,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+       if (hdr_id == 0)
+ 	{
+ 	  unsigned int initial_insn_length;
++	  char *null_byte;
+ 
+ 	  /* CIE  */
+ 	  this_inf->cie = 1;
+@@ -749,10 +750,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+ 	  REQUIRE (cie->version == 1
+ 		   || cie->version == 3
+ 		   || cie->version == 4);
+-	  REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation));
++	  null_byte = memchr ((char *) buf, 0, end - buf);
++	  REQUIRE (null_byte != NULL);
++	  REQUIRE ((size_t) (null_byte - (char *) buf)
++		   < sizeof (cie->augmentation));
+ 
+ 	  strcpy (cie->augmentation, (char *) buf);
+-	  buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1;
++	  buf = (bfd_byte *) null_byte + 1;
+ 	  this_inf->u.cie.aug_str_len = buf - start - 1;
+ 	  ENSURE_NO_RELOCS (buf);
+ 	  if (buf[0] == 'e' && buf[1] == 'h')
+-- 
+2.45.4
+

SPECS/binutils/CVE-2025-11082.patch

@@ -0,0 +1,80 @@
+From b3847cb425387f93f099513980721e3d87c236de Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Wed, 1 Oct 2025 19:12:40 +0000
+Subject: [PATCH] bfd/elf: Avoid matching corrupt section header in linker
+ input (PR ld/33457)
+
+- Change elf_swap_shdr_in to return bool; return false for corrupt section header when abfd->is_linker_input.
+- In elf_object_p, check return value of elf_swap_shdr_in and reject on failure.
+- Preserve warning message and set abfd->read_only after rejection logic.
+
+Backport of upstream patch 9ca499644a21ceb3f946d1c179c38a83be084490.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/bminor/binutils-gdb/commit/9ca499644a21ceb3f946d1c179c38a83be084490.patch
+---
+ bfd/elfcode.h | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 7eb27c2e..8195b92e 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -298,7 +298,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+    ELF section header table entry in internal format.  */
+ 
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ 		  const Elf_External_Shdr *src,
+ 		  Elf_Internal_Shdr *dst)
+@@ -325,9 +325,12 @@ elf_swap_shdr_in (bfd *abfd,
+ 	  && ((ufile_ptr) dst->sh_offset > filesize
+ 	      || dst->sh_size > filesize - dst->sh_offset))
+ 	{
+-	  abfd->read_only = 1;
+ 	  _bfd_error_handler (_("warning: %pB has a section "
+ 				"extending past end of file"), abfd);
++	  /* PR ld/33457: Don't match corrupt section header.  */
++	  if (abfd->is_linker_input)
++	 	return false;
++	  abfd->read_only = 1;
+ 	}
+     }
+   dst->sh_link = H_GET_32 (abfd, src->sh_link);
+@@ -336,6 +339,7 @@ elf_swap_shdr_in (bfd *abfd,
+   dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+   dst->bfd_section = NULL;
+   dst->contents = NULL;
++  return true;
+ }
+ 
+ /* Translate an ELF section header table entry in internal format into an
+@@ -628,9 +632,9 @@ elf_object_p (bfd *abfd)
+ 
+       /* Read the first section header at index 0, and convert to internal
+ 	 form.  */
+-      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++         || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ 	goto got_no_match;
+-      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+ 
+       /* If the section count is zero, the actual count is in the first
+ 	 section header.  */
+@@ -716,9 +720,9 @@ elf_object_p (bfd *abfd)
+ 	 to internal form.  */
+       for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ 	{
+-	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++         if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++             || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ 	    goto got_no_match;
+-	  elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ 
+ 	  /* Sanity check sh_link and sh_info.  */
+ 	  if (i_shdrp[shindex].sh_link >= num_sec)
+-- 
+2.45.4
+

SPECS/binutils/CVE-2025-11083.patch

@@ -0,0 +1,37 @@
+From eee96bd5f9200a9b74df45fd6ae116bad7417236 Mon Sep 17 00:00:00 2001
+From: Alan Modra <[email protected]>
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array.  This also fixes the expression
+overflow leading to pr33452.  A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+	PR ld/33452
+	* elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/bminor/binutils-gdb/commit/047435dd988a3975d40c6626a8f739a0b2e154bc.patch
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 51790953..37caba7e 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14235,7 +14235,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+   const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+   unsigned int log_file_align = bed->s->log_file_align;
+ 
+-  if (!h)
++  if (!h || addend > 1u << 28)
+     {
+       /* xgettext:c-format */
+       _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
+-- 
+2.45.4
+

SPECS/binutils/CVE-2025-11412.patch

@@ -0,0 +1,85 @@
+From 576abdc0a868acbcf0d363c720e4d6eaf25b3089 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <[email protected]>
+Date: Tue, 23 Sep 2025 08:52:26 +0800
+Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed
+
+Normally ELF symbol table should be sorted, i.e., local symbols precede
+global symbols.  Irix 6 is an exception and its elf_bad_symtab is set
+to true.  Issue an error if elf_bad_symtab is false and symbol table is
+unsorted.
+
+	PR ld/33450
+	* elflink.c (set_symbol_value): Change return type to bool and
+	return false on error.  Issue an error on unsorted symbol table
+	if not allowed.
+	(elf_link_input_bfd): Return false if set_symbol_value reurns
+	false.
+
+Signed-off-by: H.J. Lu <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/bminor/binutils-gdb/commit/aeaaa9af6359c8e394ce9cf24911fec4f4d23703.patch
+---
+ bfd/elflink.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 37caba7e..b841a750 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -8623,7 +8623,7 @@ struct elf_outext_info
+    <binary-operator> := as in C
+    <unary-operator> := as in C, plus "0-" for unambiguous negation.  */
+ 
+-static void
++static bool
+ set_symbol_value (bfd *bfd_with_globals,
+ 		  Elf_Internal_Sym *isymbuf,
+ 		  size_t locsymcount,
+@@ -8644,9 +8644,15 @@ set_symbol_value (bfd *bfd_with_globals,
+ 	     "absolute" section and give it a value.  */
+ 	  sym->st_shndx = SHN_ABS;
+ 	  sym->st_value = val;
+-	  return;
++	  return true;
++	}
++      if (!elf_bad_symtab (bfd_with_globals))
++	{
++	  _bfd_error_handler (_("%pB: corrupt symbol table"),
++			      bfd_with_globals);
++	  bfd_set_error (bfd_error_bad_value);
++	  return false;
+ 	}
+-      BFD_ASSERT (elf_bad_symtab (bfd_with_globals));
+       extsymoff = 0;
+     }
+ 
+@@ -8656,11 +8662,12 @@ set_symbol_value (bfd *bfd_with_globals,
+   if (h == NULL)
+     {
+       /* FIXMEL What should we do ?  */
+-      return;
++      return false;
+     }
+   h->root.type = bfd_link_hash_defined;
+   h->root.u.def.value = val;
+   h->root.u.def.section = bfd_abs_section_ptr;
++  return true;
+ }
+ 
+ static bool
+@@ -11369,8 +11376,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
+ 		    return false;
+ 
+ 		  /* Symbol evaluated OK.  Update to absolute value.  */
+-		  set_symbol_value (input_bfd, isymbuf, locsymcount,
+-				    r_symndx, val);
++		  if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx,
++					 val))
++		    return false;
++
+ 		  continue;
+ 		}
+ 
+-- 
+2.45.4
+

SPECS/binutils/CVE-2025-11414.patch

@@ -21,13 +21,13 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.37
-Release:        17%{?dist}
+Release:        19%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Base
 URL:            https://www.gnu.org/software/binutils
-Source0:        https://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz
+Source0:        https://sourceware.org/pub/binutils/releases/%{name}-%{version}.tar.xz
 # Patch was derived from source: https://src.fedoraproject.org/rpms/binutils/blob/f34/f/binutils-export-demangle.h.patch
 Patch0:         export-demangle-header.patch
 # Patch1 Source https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=6b86da53d5ee2022b9065f445d23356190380746
@@ -56,6 +56,10 @@ Patch21:         CVE-2025-5244.patch
 Patch22:         CVE-2025-7545.patch
 Patch23:         CVE-2025-7546.patch
 Patch24:        CVE-2025-8225.patch
+Patch25:        CVE-2025-11412.patch
+Patch26:        CVE-2025-11414.patch
+Patch27:        CVE-2025-11082.patch
+Patch28:        CVE-2025-11083.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -312,6 +316,12 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Thu Oct 23 2025 Azure Linux Security Servicing Account <[email protected]> - 2.37-19
+- Patch for CVE-2025-11083, CVE-2025-11082
+
+* Thu Oct 16 2025 Azure Linux Security Servicing Account <[email protected]> - 2.37-18
+- Patch for CVE-2025-11414, CVE-2025-11412
+
 * Mon Jul 28 2025 Azure Linux Security Servicing Account <[email protected]> - 2.37-17
 - Patch for CVE-2025-8225