diff --git a/SPECS/binutils/CVE-2025-1147.patch b/SPECS/binutils/CVE-2025-1147.patch
new file mode 100644
index 00000000000..b37bf9554d9
--- /dev/null
+++ b/SPECS/binutils/CVE-2025-1147.patch
@@ -0,0 +1,110 @@
+From 7be4186c22f89a87fff048c28910f5d26a0f61ce Mon Sep 17 00:00:00 2001
+From: Dmitry Klochkov
+Date: Tue, 9 Sep 2025 12:06:25 +0200
+Subject: [PATCH] nm: fix treating an ifunc symbol as a stab if
+ '--ifunc-chars=--' is given
+
+If an ifunc symbol is processed in print_symbol(), a 'type' field of a
+'syminfo' structure is set to any character specified by a user with an
+'--ifunc-chars' option. But afterwards the 'type' field is used to
+check whether a symbol is a stab in print_symbol_info_{bsd,sysv}()
+functions in order to print additional stab related data. If the 'type'
+field equals '-', a symbol is treated as a stab. If '--ifunc-chars=--'
+is given, all ifunc symbols will be treated as stab symbols and
+uninitialized stab related fields of the 'syminfo' structure will be
+printed which can lead to segmentation fault.
+
+To fix this, check if a symbol is a stab before override the 'type'
+field. Also, add a test case for this fix.
+
+ PR binutils/32556
+ * nm.c (extended_symbol_info): Add is_stab.
+ (print_symbol): Check if a symbol is a stab.
+ (print_symbol_info_bsd): Use info->is_stab.
+ (print_symbol_info_sysv): Use info->is_stab.
+ * testsuite/binutils-all/nm.exp: Test nm --ifunc-chars=--.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=32556
+Fixes: e6f6aa8d184 ("Add option to nm to change the characters displayed for ifunc symbols")
+Signed-off-by: Dmitry Klochkov
+
+Upstream Patch Reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=7be4186c22f89a87fff048c28910f5d26a0f61ce
+---
+ binutils/nm.c | 10 +++++++---
+ binutils/testsuite/binutils-all/nm.exp | 17 +++++++++++++++++
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/nm.c b/binutils/nm.c
+index f96cfa31..2370e1ca 100644
+--- a/binutils/nm.c
++++ b/binutils/nm.c
+@@ -71,6 +71,7 @@ struct extended_symbol_info
+ bfd_vma ssize;
+ elf_symbol_type *elfinfo;
+ coff_symbol_type *coffinfo;
++ bool is_stab;
+ /* FIXME: We should add more fields for Type, Line, Section. */
+ };
+ #define SYM_VALUE(sym) (sym->sinfo->value)
+@@ -1193,8 +1194,11 @@ print_symbol (bfd * abfd,
+
+ bfd_get_symbol_info (abfd, sym, &syminfo);
+
++ info.is_stab = false;
++ if (syminfo.type == '-')
++ info.is_stab = true;
+ /* PR 22967 - Distinguish between local and global ifunc symbols. */
+- if (syminfo.type == 'i'
++ else if (syminfo.type == 'i'
+ && sym->flags & BSF_GNU_INDIRECT_FUNCTION)
+ {
+ if (ifunc_type_chars == NULL || ifunc_type_chars[0] == 0)
+@@ -1856,7 +1860,7 @@ print_symbol_info_bsd (struct extended_symbol_info *info, bfd *abfd)
+
+ printf (" %c", SYM_TYPE (info));
+
+- if (SYM_TYPE (info) == '-')
++ if (info->is_stab)
+ {
+ /* A stab. */
+ printf (" ");
+@@ -1885,7 +1889,7 @@ print_symbol_info_sysv (struct extended_symbol_info *info, bfd *abfd)
+
+ printf ("| %c |", SYM_TYPE (info));
+
+- if (SYM_TYPE (info) == '-')
++ if (info->is_stab)
+ {
+ /* A stab. */
+ printf ("%18s| ", SYM_STAB_NAME (info)); /* (C) Type.
*/
+diff --git a/binutils/testsuite/binutils-all/nm.exp b/binutils/testsuite/binutils-all/nm.exp
+index 91b519d9..4a1a5336 100644
+--- a/binutils/testsuite/binutils-all/nm.exp
++++ b/binutils/testsuite/binutils-all/nm.exp
+@@ -323,6 +323,23 @@ if [is_elf_format] {
+ fail "$testname (local ifunc)"
+ }
+
++ # PR 32556
++ # Test nm --ifunc-chars=--
++
++ set got [binutils_run $NM "$NMFLAGS --ifunc-chars=-- $tmpfile"]
++
++ if [regexp -line "^\\S+ - global_foo$" $got] then {
++ pass "$testname=-- (global ifunc)"
++ } else {
++ fail "$testname=-- (global ifunc)"
++ }
++
++ if [regexp -line "^\\S+ - local_foo$" $got] then {
++ pass "$testname=-- (local ifunc)"
++ } else {
++ fail "$testname=-- (local ifunc)"
++ }
++
+ if { $verbose < 1 } {
+ remote_file host delete "tmpdir/ifunc.o"
+ }
+--
+2.45.4
+
diff --git a/SPECS/binutils/CVE-2025-1148.patch b/SPECS/binutils/CVE-2025-1148.patch
new file mode 100644
index 00000000000..162b99ddf09
--- /dev/null
+++ b/SPECS/binutils/CVE-2025-1148.patch
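Review bot: The regression test added to nm.exp in CVE-2025-1147.patch runs nm only with `$NMFLAGS --ifunc-chars=--`, so it does not exercise print_symbol_info_sysv, where the hunk shows the stab branch handing `SYM_STAB_NAME (info)` to `%18s`. Both printers were switched to `info->is_stab`, and $NMFLAGS presumably selects the default BSD layout, so a second `binutils_run` with `--format=sysv` added and its own pass/fail pair would cover the other half of the fix. The new `bool is_stab;` field would also read better with a one-line comment such as `/* True when bfd_get_symbol_info reported type '-', recorded before any --ifunc-chars override.  */`. print_symbol and both printers continue outside the hunks shown.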
@@ -0,0 +1,592 @@
+From d4115c2c8d447e297ae353892de89192c1996211 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Sat, 11 Jan 2025 16:19:09 +1030
+Subject: [PATCH] Replace xmalloc with stat_alloc in ld parser
+
+A few place dealing with ld script handling made some attempt to free
+memory, but this was generally ignored and would be quite a lot of
+work to implement. Instead, use the stat_obstack rather than
+mallocing in many more cases.
+
+ * ldexp.c (exp_get_fill): Use stat_alloc for fill.
+ * ldfile.c (ldfile_try_open_bfd): Don't free yylval fields.
+ * ldgram.y: Replace xmalloc with stat_alloc throughout.
+ * ldlang.c (stat_memdup, stat_strdup): New functions.
+ (ldirname): Use stat_memdup. Don't strdup ".".
+ (output_section_callback_sort): Use stat_alloc.
+ (output_section_callback_tree_to_list): Don't free.
+ (lang_memory_region_lookup): Use stat_strdup.
+ (lang_memory_region_alias): Likewise.
+ (add_excluded_libs): Use stat_alloc and stat_memdup.
+ (ldlang_add_undef, ldlang_add_require_defined): Use stat_strdup.
+ (lang_add_nocrossref, lang_leave_overlay): Use stat_alloc.
+ (realsymbol): Use stat_strdup for return value and always
+ free symbol.
+ (lang_new_vers_pattern, lang_new_vers_node): Use stat_alloc.
+ (lang_finalize_version_expr_head): Don't free. Delete FIXME.
+ (lang_register_vers_node): Don't free.
+ (lang_add_vers_depend): Use stat_alloc.
+ (lang_do_version_exports_section): Likewise.
+ (lang_add_unique): Use stat_alloc and stat_strdup.
+ (lang_append_dynamic_list): Use stat_alloc.
+ * ldlang.h (stat_memdup, stat_strdup): Declare.
+ * ldlex.l: Replace xstrdup with stat_strdup throughout.
+ Replace xmemdup with stat_memdup too.
+ * lexsup.c (parse_args): Don't free export list or dynamic
+ list.
+Upstream Patch Reference: https://git.launchpad.net/ubuntu/+source/binutils/diff/debian/patches/CVE-2025-1148.patch?id=23551b7f3c0a1881dabbe2051d639bee43261514
+---
+ ld/ldexp.c | 4 +--
+ ld/ldfile.c | 17 ++---------
+ ld/ldgram.y | 21 ++++++-------
+ ld/ldlang.c | 87 ++++++++++++++++++++++++++---------------------------
+ ld/ldlang.h | 4 +++
+ ld/ldlex.l | 23 +++++++-------
+ ld/lexsup.c | 22 +-------------
+ 7 files changed, 74 insertions(+), 104 deletions(-)
+
+diff --git a/ld/ldexp.c b/ld/ldexp.c
+index 170e1ed7..343e6c0a 100644
+--- a/ld/ldexp.c
++++ b/ld/ldexp.c
+@@ -1606,7 +1606,7 @@ exp_get_fill (etree_type *tree, fill_type *def, char *name)
+ {
+ unsigned char *dst;
+ unsigned char *s;
+- fill = (fill_type *) xmalloc ((len + 1) / 2 + sizeof (*fill) - 1);
++ fill = stat_alloc ((len + 1) / 2 + sizeof (*fill) - 1);
+ fill->size = (len + 1) / 2;
+ dst = fill->data;
+ s = (unsigned char *) expld.result.str;
+@@ -1631,7 +1631,7 @@ exp_get_fill (etree_type *tree, fill_type *def, char *name)
+ }
+ else
+ {
+- fill = (fill_type *) xmalloc (4 + sizeof (*fill) - 1);
++ fill = stat_alloc (4 + sizeof (*fill) - 1);
+ val = expld.result.value;
+ fill->data[0] = (val >> 24) & 0xff;
+ fill->data[1] = (val >> 16) & 0xff;
+diff --git a/ld/ldfile.c b/ld/ldfile.c
+index df7c9cbd..be5a20e2 100644
+--- a/ld/ldfile.c
++++ b/ld/ldfile.c
+@@ -425,18 +425,11 @@ ldfile_try_open_bfd (const char *attempt,
+ if (token == ',')
+ {
+ if ((token = yylex ()) != NAME)
+- {
+- free (arg1);
+- continue;
+- }
++ continue;
+ arg2 = yylval.name;
+ if ((token = yylex ()) != ','
+ || (token = yylex ()) != NAME)
+- {
+- free (arg1);
+- free (arg2);
+- continue;
+- }
++ continue;
+ arg3 = yylval.name;
+ token = yylex ();
+ }
+@@ -455,18 +448,12 @@ ldfile_try_open_bfd (const char *attempt,
+ if (strcmp (arg, lang_get_output_target ()) != 0)
+ skip = 1;
+ }
+- free (arg1);
+- free (arg2);
+- free (arg3);
+ break;
+ case NAME:
+ case LNAME:
+ case VERS_IDENTIFIER:
+ case VERS_TAG:
+- free
(yylval.name);
+- break;
+ case INT:
+- free (yylval.bigint.str);
+ break;
+ }
+ token = yylex ();
+diff --git a/ld/ldgram.y b/ld/ldgram.y
+index 081176ba..98c4030d 100644
+--- a/ld/ldgram.y
++++ b/ld/ldgram.y
+@@ -508,7 +508,7 @@ section_name_spec:
+ sect_flag_list: NAME
+ {
+ struct flag_info_list *n;
+- n = ((struct flag_info_list *) xmalloc (sizeof *n));
++ n = stat_alloc (sizeof *n);
+ if ($1[0] == '!')
+ {
+ n->with = without_flags;
+@@ -526,7 +526,7 @@ sect_flag_list: NAME
+ | sect_flag_list '&' NAME
+ {
+ struct flag_info_list *n;
+- n = ((struct flag_info_list *) xmalloc (sizeof *n));
++ n = stat_alloc (sizeof *n);
+ if ($3[0] == '!')
+ {
+ n->with = without_flags;
+@@ -547,7 +547,7 @@ sect_flags:
+ INPUT_SECTION_FLAGS '(' sect_flag_list ')'
+ {
+ struct flag_info *n;
+- n = ((struct flag_info *) xmalloc (sizeof *n));
++ n = stat_alloc (sizeof *n);
+ n->flag_list = $3;
+ n->flags_initialized = false;
+ n->not_with_flags = 0;
+@@ -560,7 +560,7 @@ exclude_name_list:
+ exclude_name_list wildcard_name
+ {
+ struct name_list *tmp;
+- tmp = (struct name_list *) xmalloc (sizeof *tmp);
++ tmp = stat_alloc (sizeof *tmp);
+ tmp->name = $2;
+ tmp->next = $1;
+ $$ = tmp;
+@@ -569,7 +569,7 @@ exclude_name_list:
+ wildcard_name
+ {
+ struct name_list *tmp;
+- tmp = (struct name_list *) xmalloc (sizeof *tmp);
++ tmp = stat_alloc (sizeof *tmp);
+ tmp->name = $1;
+ tmp->next = NULL;
+ $$ = tmp;
+@@ -580,7 +580,7 @@ section_name_list:
+ section_name_list opt_comma section_name_spec
+ {
+ struct wildcard_list *tmp;
+- tmp = (struct wildcard_list *) xmalloc (sizeof *tmp);
++ tmp = stat_alloc (sizeof *tmp);
+ tmp->next = $1;
+ tmp->spec = $3;
+ $$ = tmp;
+@@ -589,7 +589,7 @@ section_name_list:
+ section_name_spec
+ {
+ struct wildcard_list *tmp;
+- tmp = (struct wildcard_list *) xmalloc (sizeof *tmp);
++ tmp = stat_alloc (sizeof *tmp);
+ tmp->next = NULL;
+ tmp->spec = $1;
+ $$ = tmp;
+@@ -889,7 +889,7 @@ nocrossref_list:
+ {
+ struct lang_nocrossref *n;
+
+- n = (struct
lang_nocrossref *) xmalloc (sizeof *n);
++ n = stat_alloc (sizeof *n);
+ n->name = $1;
+ n->next = $2;
+ $$ = n;
+@@ -898,7 +898,7 @@ nocrossref_list:
+ {
+ struct lang_nocrossref *n;
+
+- n = (struct lang_nocrossref *) xmalloc (sizeof *n);
++ n = stat_alloc (sizeof *n);
+ n->name = $1;
+ n->next = $3;
+ $$ = n;
+@@ -1188,8 +1188,7 @@ phdr_opt:
+ {
+ struct lang_output_section_phdr_list *n;
+
+- n = ((struct lang_output_section_phdr_list *)
+- xmalloc (sizeof *n));
++ n = stat_alloc (sizeof *n);
+ n->name = $3;
+ n->used = false;
+ n->next = $1;
+diff --git a/ld/ldlang.c b/ld/ldlang.c
+index a357f802..1f658d16 100644
+--- a/ld/ldlang.c
++++ b/ld/ldlang.c
+@@ -177,6 +177,23 @@ stat_alloc (size_t size)
+ return obstack_alloc (&stat_obstack, size);
+ }
+
++void *
++stat_memdup (const void *src, size_t copy_size, size_t alloc_size)
++{
++ void *ret = obstack_alloc (&stat_obstack, alloc_size);
++ memcpy (ret, src, copy_size);
++ if (alloc_size > copy_size)
++ memset ((char *) ret + copy_size, 0, alloc_size - copy_size);
++ return ret;
++}
++
++char *
++stat_strdup (const char *str)
++{
++ size_t len = strlen (str) + 1;
++ return stat_memdup (str, len, len);
++}
++
+ /* Code for handling simple wildcards without going through fnmatch,
+ which can be expensive because of charset translations etc.
*/
+
+@@ -266,15 +283,13 @@ static char *
+ ldirname (const char *name)
+ {
+ const char *base = lbasename (name);
+- char *dirname;
+
+ while (base > name && IS_DIR_SEPARATOR (base[-1]))
+ --base;
+- if (base == name)
+- return strdup (".");
+- dirname = strdup (name);
+- dirname[base - name] = '\0';
+- return dirname;
++ size_t len = base - name;
++ if (len == 0)
++ return ".";
++ return stat_memdup (name, len, len + 1);
+ }
+
+ /* If PATTERN is of the form archive:file, return a pointer to the
+@@ -705,7 +720,7 @@ output_section_callback_sort (lang_wild_statement_type *ptr,
+ if (wont_add_section_p (section, os))
+ return;
+
+- node = (lang_section_bst_type *) xmalloc (sizeof (lang_section_bst_type));
++ node = stat_alloc (sizeof (*node));
+ node->left = 0;
+ node->right = 0;
+ node->section = section;
+@@ -736,8 +751,6 @@ output_section_callback_tree_to_list (lang_wild_statement_type *ptr,
+
+ if (tree->right)
+ output_section_callback_tree_to_list (ptr, tree->right, output);
+-
+- free (tree);
+ }
+
+
+@@ -1405,7 +1418,7 @@ lang_memory_region_lookup (const char *const name, bool create)
+
+ new_region = stat_alloc (sizeof (lang_memory_region_type));
+
+- new_region->name_list.name = xstrdup (name);
++ new_region->name_list.name = stat_strdup (name);
+ new_region->name_list.next = NULL;
+ new_region->next = NULL;
+ new_region->origin_exp = NULL;
+@@ -1460,7 +1473,7 @@ lang_memory_region_alias (const char *alias, const char *region_name)
+
+ /* Add alias to region name list.
*/
+ n = stat_alloc (sizeof (lang_memory_region_name));
+- n->name = xstrdup (alias);
++ n->name = stat_strdup (alias);
+ n->next = region->name_list.next;
+ region->name_list.next = n;
+ }
+@@ -2905,11 +2918,9 @@ add_excluded_libs (const char *list)
+ end = strpbrk (p, ",:");
+ if (end == NULL)
+ end = p + strlen (p);
+- entry = (struct excluded_lib *) xmalloc (sizeof (*entry));
++ entry = stat_alloc (sizeof (*entry));
+ entry->next = excluded_libs;
+- entry->name = (char *) xmalloc (end - p + 1);
+- memcpy (entry->name, p, end - p);
+- entry->name[end - p] = '\0';
++ entry = stat_alloc (sizeof (*entry));
+ excluded_libs = entry;
+ if (*end == '\0')
+ break;
+@@ -3924,7 +3935,7 @@ ldlang_add_undef (const char *const name, bool cmdline ATTRIBUTE_UNUSED)
+ new_undef->next = ldlang_undef_chain_list_head;
+ ldlang_undef_chain_list_head = new_undef;
+
+- new_undef->name = xstrdup (name);
++ new_undef->name = stat_strdup (name);
+
+ if (link_info.output_bfd != NULL)
+ insert_undefined (new_undef->name);
+@@ -4003,7 +4014,7 @@ ldlang_add_require_defined (const char *const name)
+ ldlang_add_undef (name, true);
+ ptr = stat_alloc (sizeof (*ptr));
+ ptr->next = require_defined_symbol_list;
+- ptr->name = strdup (name);
++ ptr->name = stat_strdup (name);
+ require_defined_symbol_list = ptr;
+ }
+
+@@ -9004,7 +9015,7 @@ lang_add_nocrossref (lang_nocrossref_type *l)
+ {
+ struct lang_nocrossrefs *n;
+
+- n = (struct lang_nocrossrefs *) xmalloc (sizeof *n);
++ n = stat_alloc (sizeof *n);
+ n->next = nocrossref_list;
+ n->list = l;
+ n->onlyfirst = false;
+@@ -9194,7 +9205,7 @@ lang_leave_overlay (etree_type *lma_expr,
+ {
+ lang_nocrossref_type *nc;
+
+- nc = (lang_nocrossref_type *) xmalloc (sizeof *nc);
++ nc = stat_alloc (sizeof *nc);
+ nc->name = l->os->name;
+ nc->next = nocrossref;
+ nocrossref = nc;
+@@ -9374,13 +9385,10 @@ realsymbol (const char *pattern)
+ if (changed)
+ {
+ *s = '\0';
+- return symbol;
+- }
+- else
+- {
+- free (symbol);
+- return pattern;
++ pattern
= stat_strdup (symbol);
+ }
++ free (symbol);
++ return pattern;
+ }
+
+ /* This is called for each variable name or match expression. NEW_NAME is
+@@ -9395,7 +9403,7 @@ lang_new_vers_pattern (struct bfd_elf_version_expr *orig,
+ {
+ struct bfd_elf_version_expr *ret;
+
+- ret = (struct bfd_elf_version_expr *) xmalloc (sizeof *ret);
++ ret = stat_alloc (sizeof *ret);
+ ret->next = orig;
+ ret->symver = 0;
+ ret->script = 0;
+@@ -9432,7 +9440,8 @@ lang_new_vers_node (struct bfd_elf_version_expr *globals,
+ {
+ struct bfd_elf_version_tree *ret;
+
+- ret = (struct bfd_elf_version_tree *) xcalloc (1, sizeof *ret);
++ ret = stat_alloc (sizeof (*ret));
++ memset (ret, 0, sizeof (*ret));
+ ret->globals.list = globals;
+ ret->locals.list = locals;
+ ret->match = lang_vers_match;
+@@ -9514,15 +9523,7 @@ lang_finalize_version_expr_head (struct bfd_elf_version_expr_head *head)
+ }
+ while (e1 && strcmp (e1->pattern, e->pattern) == 0);
+
+- if (last == NULL)
+- {
+- /* This is a duplicate. */
+- /* FIXME: Memory leak. Sometimes pattern is not
+- xmalloced alone, but in larger chunk of memory.
*/
+- /* free (e->pattern); */
+- free (e);
+- }
+- else
++ if (last != NULL)
+ {
+ e->next = last->next;
+ last->next = e;
+@@ -9562,7 +9563,6 @@ lang_register_vers_node (const char *name,
+ {
+ einfo (_("%X%P: anonymous version tag cannot be combined"
+ " with other version tags\n"));
+- free (version);
+ return;
+ }
+
+@@ -9655,7 +9655,7 @@ lang_add_vers_depend (struct bfd_elf_version_deps *list, const char *name)
+ struct bfd_elf_version_deps *ret;
+ struct bfd_elf_version_tree *t;
+
+- ret = (struct bfd_elf_version_deps *) xmalloc (sizeof *ret);
++ ret = stat_alloc (sizeof *ret);
+ ret->next = list;
+
+ for (t = link_info.version_info; t != NULL; t = t->next)
+@@ -9688,7 +9688,7 @@ lang_do_version_exports_section (void)
+ continue;
+
+ len = sec->size;
+- contents = (char *) xmalloc (len);
++ contents = stat_alloc (len);
+ if (!bfd_get_section_contents (is->the_bfd, sec, contents, 0, len))
+ einfo (_("%X%P: unable to read .exports section contents\n"), sec);
+
+@@ -9699,8 +9699,6 @@ lang_do_version_exports_section (void)
+ p = strchr (p, '\0') + 1;
+ }
+
+- /* Do not free the contents, as we used them creating the regex. */
+-
+ /* Do not include this section in the link.
*/
+ sec->flags |= SEC_EXCLUDE | SEC_KEEP;
+ }
+@@ -9764,8 +9762,8 @@ lang_add_unique (const char *name)
+ if (strcmp (ent->name, name) == 0)
+ return;
+
+- ent = (struct unique_sections *) xmalloc (sizeof *ent);
+- ent->name = xstrdup (name);
++ ent = stat_alloc (sizeof *ent);
++ ent->name = stat_strdup (name);
+ ent->next = unique_section_list;
+ unique_section_list = ent;
+ }
+@@ -9788,7 +9786,8 @@ lang_append_dynamic_list (struct bfd_elf_dynamic_list **list_p,
+ {
+ struct bfd_elf_dynamic_list *d;
+
+- d = (struct bfd_elf_dynamic_list *) xcalloc (1, sizeof *d);
++ d = stat_alloc (sizeof (*d));
++ memset (d, 0, sizeof (*d));
+ d->head.list = dynamic;
+ d->match = lang_vers_match;
+ *list_p = d;
+diff --git a/ld/ldlang.h b/ld/ldlang.h
+index 463cce39..701b9ba3 100644
+--- a/ld/ldlang.h
++++ b/ld/ldlang.h
+@@ -658,6 +658,10 @@ extern void lang_for_each_statement_worker
+ (void (*) (lang_statement_union_type *), lang_statement_union_type *);
+ extern void *stat_alloc
+ (size_t);
++extern void * stat_memdup
++ (const void *, size_t, size_t);
++extern char *stat_strdup
++ (const char *);
+ extern void strip_excluded_output_sections
+ (void);
+ extern void lang_clear_os_map
+diff --git a/ld/ldlex.l b/ld/ldlex.l
+index 1a6be1b6..24ebaec2 100644
+--- a/ld/ldlex.l
++++ b/ld/ldlex.l
+@@ -188,7 +188,8 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)*
+ && (yytext[1] == 'x'
+ || yytext[1] == 'X'))
+ {
+- yylval.bigint.str = xstrdup (yytext + 2);
++ yylval.bigint.str
++ = stat_strdup (yytext + 2);
+ }
+ return INT;
+ }
+@@ -388,32 +389,32 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)*
+
+ {FILENAMECHAR1}{NOCFILENAMECHAR}* {
+ /* Filename without commas, needed to parse mri stuff */
+- yylval.name = xstrdup (yytext);
++ yylval.name = stat_strdup (yytext);
+ return NAME;
+ }
+
+
+ {FILENAMECHAR1}{FILENAMECHAR}* {
+- yylval.name = xstrdup (yytext);
++ yylval.name = stat_strdup (yytext);
+ return NAME;
+ }
+
"="{FILENAMECHAR1}{FILENAMECHAR}* {
+ /* Filename to be prefixed by --sysroot or when non-sysrooted, nothing. */
+- yylval.name = xstrdup (yytext);
++ yylval.name = stat_strdup (yytext);
+ return NAME;
+ }
+ "-l"{FILENAMECHAR}+ {
+- yylval.name = xstrdup (yytext + 2);
++ yylval.name = stat_strdup (yytext + 2);
+ return LNAME;
+ }
+ {SYMBOLNAMECHAR1}{SYMBOLNAMECHAR}* {
+- yylval.name = xstrdup (yytext);
++ yylval.name = stat_strdup (yytext);
+ return NAME;
+ }
+ /* The following rule is to prevent a fill expression on the output
+ section before /DISCARD/ interpreting the '/' as a divide. */
+ "/DISCARD/" {
+- yylval.name = xstrdup (yytext);
++ yylval.name = stat_strdup (yytext);
+ return NAME;
+ }
+ {WILDCHAR}* {
+@@ -428,14 +429,14 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)*
+ }
+ else
+ {
+- yylval.name = xstrdup (yytext);
++ yylval.name = stat_strdup (yytext);
+ return NAME;
+ }
+ }
+
+ "\""[^\"]*"\"" {
+ /* No matter the state, quotes give what's inside. */
+- yylval.name = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
++ yylval.name = stat_memdup (yytext + 1, yyleng - 2, yyleng - 1);
+ return NAME;
+ }
+
+@@ -454,10 +455,10 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)*
+
+ extern { RTOKEN(EXTERN); }
+
+-{V_IDENTIFIER} { yylval.name = xstrdup (yytext);
++{V_IDENTIFIER} { yylval.name = stat_strdup (yytext);
+ return VERS_IDENTIFIER; }
+
+-{V_TAG} { yylval.name = xstrdup (yytext);
++{V_TAG} { yylval.name = stat_strdup (yytext);
+ return VERS_TAG; }
+
+ "{" { BEGIN(VERS_SCRIPT); return *yytext; }
+diff --git a/ld/lexsup.c b/ld/lexsup.c
+index fe872231..ae2e91ed 100644
+--- a/ld/lexsup.c
++++ b/ld/lexsup.c
+@@ -1947,16 +1947,6 @@ parse_args (unsigned argc, char **argv)
+ if (opt_dynamic_list != dynamic_list_data)
+ opt_dynamic_list = dynamic_list;
+ }
+- else
+- {
+- /* Free the export list.
*/
+- for (; head->next != NULL; head = next)
+- {
+- next = head->next;
+- free (head);
+- }
+- free (export_list);
+- }
+ }
+
+ switch (opt_dynamic_list)
+@@ -1980,17 +1970,7 @@ parse_args (unsigned argc, char **argv)
+ break;
+ case symbolic:
+ link_info.symbolic = true;
+- if (link_info.dynamic_list)
+- {
+- struct bfd_elf_version_expr *ent, *next;
+- for (ent = link_info.dynamic_list->head.list; ent; ent = next)
+- {
+- next = ent->next;
+- free (ent);
+- }
+- free (link_info.dynamic_list);
+- link_info.dynamic_list = NULL;
+- }
++ link_info.dynamic_list = NULL;
+ break;
+ case symbolic_functions:
+ link_info.dynamic = true;
+--
+2.45.4
+
diff --git a/SPECS/binutils/CVE-2025-11839.patch b/SPECS/binutils/CVE-2025-11839.patch
new file mode 100644
index 00000000000..33cd88e026a
--- /dev/null
+++ b/SPECS/binutils/CVE-2025-11839.patch
@@ -0,0 +1,28 @@
+From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Mon, 3 Nov 2025 11:49:02 +0000
+Subject: [PATCH] Remove call to abort in the DGB debug format printing code,
+ thus allowing the display of a fuzzed input file to complete without
+ triggering an abort.
+
+PR 33448
+Upstream Patch Reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe
+---
+ binutils/prdbg.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index fb351476..15f40d44 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id,
+ t = "union class ";
+ break;
+ default:
+- abort ();
+ return false;
+ }
+
+--
+2.45.4
+
diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec
index 9b3af78c48d..85c30d4de1a 100644
--- a/SPECS/binutils/binutils.spec
+++ b/SPECS/binutils/binutils.spec
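Review bot: In the `add_excluded_libs` hunk of ld/ldlang.c inside CVE-2025-1148.patch, the three removed lines that built `entry->name` are replaced by a second `entry = stat_alloc (sizeof (*entry));`, so the node stored in `excluded_libs` has neither `next` nor `name` set and the first allocation (the one whose `next` was assigned) is discarded. The patch's own ChangeLog entry reads "(add_excluded_libs): Use stat_alloc and stat_memdup", and with the `stat_memdup (src, copy_size, alloc_size)` helper added earlier in the same file the line should be `entry->name = stat_memdup (p, end - p, end - p + 1);`. As written, any later walk of that list would read indeterminate pointers out of obstack memory (stat_alloc is a plain obstack_alloc, and other hunks memset after it), which turns a leak fix into a likely crash whenever the exclude-libs list is populated; compare this hunk with the upstream commit named in the patch header before merging. The function body continues outside the hunk.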
@@ -21,7 +21,7 @@ Summary: Contains a linker, an assembler, and other tools Name: binutils Version: 2.41 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -47,6 +47,10 @@ Patch13: CVE-2025-11082.patch Patch14: CVE-2025-11083.patch Patch15: CVE-2025-11412.patch Patch16: CVE-2025-11414.patch +Patch17: CVE-2025-1147.patch +Patch18: CVE-2025-1148.patch +Patch19: CVE-2025-11839.patch + Provides: bundled(libiberty) # Moving macro before the "SourceX" tags breaks PR checks parsing the specs. @@ -336,6 +340,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %do_files aarch64-linux-gnu %{build_aarch64} %changelog +* Wed Jan 07 2026 Jyoti Kanase - 2.41-11 +- Patch for CVE-2025-1147, CVE-2025-1148, CVE-2025-11839 + * Thu Oct 16 2025 Azure Linux Security Servicing Account - 2.41-10 - Patch for CVE-2025-11414, CVE-2025-11412 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index c5ae38d3346..ba28a04e373 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.aarch64.rpm file-5.45-1.azl3.aarch64.rpm file-devel-5.45-1.azl3.aarch64.rpm file-libs-5.45-1.azl3.aarch64.rpm -binutils-2.41-10.azl3.aarch64.rpm -binutils-devel-2.41-10.azl3.aarch64.rpm +binutils-2.41-11.azl3.aarch64.rpm +binutils-devel-2.41-11.azl3.aarch64.rpm gmp-6.3.0-1.azl3.aarch64.rpm gmp-devel-6.3.0-1.azl3.aarch64.rpm mpfr-4.2.1-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index be1bfd47a0e..06e292c9c75 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
 file-libs-5.45-1.azl3.x86_64.rpm
-binutils-2.41-10.azl3.x86_64.rpm
-binutils-devel-2.41-10.azl3.x86_64.rpm
+binutils-2.41-11.azl3.x86_64.rpm
+binutils-devel-2.41-11.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
 mpfr-4.2.1-1.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 7fe83a5826f..a2be85cf00c 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
 bash-lang-5.2.15-3.azl3.aarch64.rpm
-binutils-2.41-10.azl3.aarch64.rpm
-binutils-debuginfo-2.41-10.azl3.aarch64.rpm
-binutils-devel-2.41-10.azl3.aarch64.rpm
+binutils-2.41-11.azl3.aarch64.rpm
+binutils-debuginfo-2.41-11.azl3.aarch64.rpm
+binutils-devel-2.41-11.azl3.aarch64.rpm
 bison-3.8.2-1.azl3.aarch64.rpm
 bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
 bzip2-1.0.8-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 292ecbc00cc..00fcdb43d02 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
 bash-lang-5.2.15-3.azl3.x86_64.rpm
-binutils-2.41-10.azl3.x86_64.rpm
-binutils-aarch64-linux-gnu-2.41-10.azl3.x86_64.rpm
-binutils-debuginfo-2.41-10.azl3.x86_64.rpm
-binutils-devel-2.41-10.azl3.x86_64.rpm
+binutils-2.41-11.azl3.x86_64.rpm
+binutils-aarch64-linux-gnu-2.41-11.azl3.x86_64.rpm
+binutils-debuginfo-2.41-11.azl3.x86_64.rpm
+binutils-devel-2.41-11.azl3.x86_64.rpm
 bison-3.8.2-1.azl3.x86_64.rpm
 bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
 bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
-cross-binutils-common-2.41-10.azl3.noarch.rpm
+cross-binutils-common-2.41-11.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.11.1-4.azl3.x86_64.rpm
 curl-debuginfo-8.11.1-4.azl3.x86_64.rpm