[AutoPR- Security] Patch binutils for CVE-2025-8225 [MEDIUM] (microsoft#14406)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: 3 people

SPECS/binutils/CVE-2025-8225.patch

@@ -0,0 +1,35 @@
+From 6c3dde2579de7010c77abc23d2b2234f5a9a4aeb Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Mon, 28 Jul 2025 18:45:41 +0000
+Subject: [PATCH] Fix CVE CVE-2025-8225 in binutils
+
+Upstream Patch Reference: https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4.patch
+---
+ binutils/dwarf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 4f695bf2..ea83e35a 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -3625,13 +3625,11 @@ process_debug_info (struct dwarf_section * section,
+     }
+ 
+   if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+-      && num_debug_info_entries == 0
+-      && ! do_types)
++      && alloc_num_debug_info_entries == 0
++      && !do_types)
+     {
+-
+       /* Then allocate an array to hold the information.  */
+-      debug_information = (debug_info *) cmalloc (num_units,
+-						  sizeof (* debug_information));
++      debug_information = cmalloc (num_units, sizeof (*debug_information));
+       if (debug_information == NULL)
+ 	{
+ 	  error (_("Not enough memory for a debug info array of %u entries\n"),
+-- 
+2.45.4
+

SPECS/binutils/binutils.spec

@@ -21,13 +21,13 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.41
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Base
 URL:            https://www.gnu.org/software/binutils
-Source0:        https://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz
+Source0:        https://sourceware.org/pub/binutils/releases/%{name}-%{version}.tar.xz
 # Patch was derived from source: https://src.fedoraproject.org/rpms/binutils/blob/f34/f/binutils-export-demangle.h.patch
 Patch0:         export-demangle-header.patch
 # The gold linker doesn't understand the 'module_info.ld' script passed to all linkers and the tests fail to correctly link.
@@ -42,6 +42,7 @@ Patch8:         CVE-2025-5245.patch
 Patch9:         CVE-2025-5244.patch
 Patch10:        CVE-2025-7546.patch
 Patch11:        CVE-2025-7545.patch
+Patch12:        CVE-2025-8225.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -331,6 +332,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Mon Jul 28 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-8
+- Patch for CVE-2025-8225
+
 * Thu Jul 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-7
 - Patch for CVE-2025-7546, CVE-2025-7545
 

cgmanifest.json

@@ -1128,7 +1128,7 @@
         "other": {
           "name": "binutils",
           "version": "2.41",
-          "downloadUrl": "https://ftp.gnu.org/gnu/binutils/binutils-2.41.tar.xz"
+          "downloadUrl": "https://sourceware.org/pub/binutils/releases/binutils-2.41.tar.xz"
         }
       }
     },

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
 file-libs-5.45-1.azl3.aarch64.rpm
-binutils-2.41-7.azl3.aarch64.rpm
-binutils-devel-2.41-7.azl3.aarch64.rpm
+binutils-2.41-8.azl3.aarch64.rpm
+binutils-devel-2.41-8.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
 mpfr-4.2.1-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
 file-libs-5.45-1.azl3.x86_64.rpm
-binutils-2.41-7.azl3.x86_64.rpm
-binutils-devel-2.41-7.azl3.x86_64.rpm
+binutils-2.41-8.azl3.x86_64.rpm
+binutils-devel-2.41-8.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
 mpfr-4.2.1-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
 bash-lang-5.2.15-3.azl3.aarch64.rpm
-binutils-2.41-7.azl3.aarch64.rpm
-binutils-debuginfo-2.41-7.azl3.aarch64.rpm
-binutils-devel-2.41-7.azl3.aarch64.rpm
+binutils-2.41-8.azl3.aarch64.rpm
+binutils-debuginfo-2.41-8.azl3.aarch64.rpm
+binutils-devel-2.41-8.azl3.aarch64.rpm
 bison-3.8.2-1.azl3.aarch64.rpm
 bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
 bzip2-1.0.8-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
 bash-lang-5.2.15-3.azl3.x86_64.rpm
-binutils-2.41-7.azl3.x86_64.rpm
-binutils-aarch64-linux-gnu-2.41-7.azl3.x86_64.rpm
-binutils-debuginfo-2.41-7.azl3.x86_64.rpm
-binutils-devel-2.41-7.azl3.x86_64.rpm
+binutils-2.41-8.azl3.x86_64.rpm
+binutils-aarch64-linux-gnu-2.41-8.azl3.x86_64.rpm
+binutils-debuginfo-2.41-8.azl3.x86_64.rpm
+binutils-devel-2.41-8.azl3.x86_64.rpm
 bison-3.8.2-1.azl3.x86_64.rpm
 bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
 bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
-cross-binutils-common-2.41-7.azl3.noarch.rpm
+cross-binutils-common-2.41-8.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.11.1-3.azl3.x86_64.rpm
 curl-debuginfo-8.11.1-3.azl3.x86_64.rpm