Patch crash for CVE-2025-11082 in gdb tarball [MEDIUM] (microsoft#14781)

azurelinux-security · jykanase · web-flow · commit e899b5edb23e · 2025-10-15T23:17:17.000+05:30
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/crash/crash.signatures.json b/SPECS/crash/crash.signatures.json
@@ -1,6 +1,6 @@
 {
   "Signatures": {
-    "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2",
+    "gdb-10.2-4.tar.gz": "f2902cd89e725e0dd2e4ac007d4a31bf0237ad3b1a38191455d801ee6096246b",
     "crash-8.0.4.tar.gz": "94df600c183301013787cd47112044e358fb37bb8e2b5544f40377dda98ee78f"
   }
 }
diff --git a/SPECS/crash/crash.spec b/SPECS/crash/crash.spec
@@ -1,7 +1,7 @@
 %global gdb_version 10.2
 Name:          crash
 Version:       8.0.4
-Release:       4%{?dist}
+Release:       5%{?dist}
 Summary:       kernel crash analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles
 Group:         Development/Tools
 Vendor:        Microsoft Corporation
@@ -11,7 +11,8 @@ Source0:       https://github.com/crash-utility/%{name}/archive/%{version}.tar.g
 # crash requires gdb tarball for the build. There is no option to use the host gdb. For crash 8.0.1 the newest supported gdb version is 10.2.
 # '-2' version of the tarball contains fix for CVE-2022-37434 which cannot be applied as a .patch because source1 is only untar'ed during crash make
 # '-3' version of the tarball contains fix for CVE-2021-20197, CVE-2022-47673, CVE-2022-47696 which cannot be applied as a .patch because source1 is only untar'ed during crash make
-Source1:       gdb-%{gdb_version}-3.tar.gz
+# '-4' version of the tarball contains fix for CVE-2025-11082 which cannot be applied as a .patch because source1 is only untar'ed during crash make
+Source1:       gdb-%{gdb_version}-4.tar.gz
 # lzo patch sourced from https://src.fedoraproject.org/rpms/crash/blob/rawhide/f/lzo_snappy_zstd.patch
 Patch0:        lzo_snappy_zstd.patch
 License:       GPLv3+
@@ -97,6 +98,9 @@ cp -p defs.h %{buildroot}%{_includedir}/crash
 %endif
 
 %changelog
+* Fri Oct 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.0.4-5
+- Update gdb-10.2-4.tar.gz to address CVE-2025-11082
+
 * Mon Apr 21 2025 Kanishk Bansal <kanbansal@microsoft.com> - 8.0.4-4
 - Update gdb-10.2-3.tar.gz to address CVE-2021-20197, CVE-2022-47673, CVE-2022-47696
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "gdb-10.2-3.tar.gz": "0d322f3c3ee75b364eb4f90b394c9ecc17800d2a94d2913a5ea845acead26bd2",`
	`3`	`+ "gdb-10.2-4.tar.gz": "f2902cd89e725e0dd2e4ac007d4a31bf0237ad3b1a38191455d801ee6096246b",`
`4`	`4`	`"crash-8.0.4.tar.gz": "94df600c183301013787cd47112044e358fb37bb8e2b5544f40377dda98ee78f"`
`5`	`5`	`}`
`6`	`6`	`}`