[Low] patch binutils for CVE-2025-1147, CVE-2025-1148, CVE-2025-11839

[jykanase]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

patch binutils for CVE-2025-1147, CVE-2025-1148, CVE-2025-11839
Patch Modified: No
CVE-2025-1147 : https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=7be4186c22f89a87fff048c28910f5d26a0f61ce
CVE-2025-1148 : https://git.launchpad.net/ubuntu/+source/binutils/diff/debian/patches/CVE-2025-1148.patch?id=23551b7f3c0a1881dabbe2051d639bee43261514
CVE-2025-11839 : https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe

Change Log

• binutils.spec

Does this affect the toolchain?

YES

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-1147
• https://nvd.nist.gov/vuln/detail/CVE-2025-1148
• https://nvd.nist.gov/vuln/detail/CVE-2025-11839

Test Methodology

• Local build

[Kanishk-Bansal]

Buddy Build

[Kanishk-Bansal]

Patch Analysis (the patch applies cleanly)
Fix for SPECS/binutils/CVE-2025-1148.patch has been taken from Ubuntu as binutils have not released any patch for it yet.

Although the diff shows indentation differences but the developer has applied the patch by patching command and its getting build as well. LGTM

• Buddy Build 
• patch applied during the build (check rpm.log)
• patch include an upstream reference
• PR has security tag

[0xba1a]

Patch Analysis (the patch applies cleanly) Fix for SPECS/binutils/CVE-2025-1148.patch has been taken from Ubuntu as binutils have not released any patch for it yet.

Although the diff shows indentation differences but the developer has applied the patch by patching command and its getting build as well. LGTM

• Buddy Build
• patch applied during the build (check rpm.log)
• patch include an upstream reference
• PR has security tag

@Kanishk-Bansal Thanks for the details. Can you please consider following checks too?

• Full build as the patch is modifying toolchain packages
• Individual patch analysis with respect to the vulnerability and security-signoff for backport

[Kanishk-Bansal]

Patches apply cleanly and no backporting has been done
Full Build