fix CVE-2024-57360 CVE-2024-53589 CVE-2025-0840 CVE-2025-1176 CVE-2025-1178

         CVE-2025-1182 CVE-2025-3198 CVE-2025-5244 CVE-2025-5245
         CVE-2025-7545 CVE-2025-7546 CVE-2025-8225

Author: zengwei

debian/changelog

@@ -1,3 +1,11 @@
+binutils (2.41-6deepin10) unstable; urgency=medium
+
+  *  fix CVE-2024-57360 CVE-2024-53589 CVE-2025-0840 CVE-2025-1176 CVE-2025-1178
+         CVE-2025-1182 CVE-2025-3198 CVE-2025-5244 CVE-2025-5245 
+         CVE-2025-7545 CVE-2025-7546 CVE-2025-8225
+
+ -- zengwei <zengwei1@uniontech.com>  Fri, 31 Oct 2025 16:12:25 +0800
+
 binutils (2.41-6deepin9) unstable; urgency=medium
 
   * feat: add sw64 support.

debian/patches/0001-CVE-2025-1176.patch

@@ -0,0 +1,152 @@
+From 94b928448447a2b00d008315fc362e93c2842689 Mon Sep 17 00:00:00 2001
+From: zengwei <zengwei1@uniontech.com>
+Date: Fri, 31 Oct 2025 15:35:05 +0800
+Subject: [PATCH] CVE-2025-1176
+
+---
+ bfd/elflink.c | 87 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 44 insertions(+), 43 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 7217c2f0..161cdf8d 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -62,22 +62,38 @@ struct elf_find_verdep_info
+ static bool _bfd_elf_fix_symbol_flags
+   (struct elf_link_hash_entry *, struct elf_info_failed *);
+ 
+-asection *
+-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+-			     unsigned long r_symndx,
+-			     bool discard)
++static struct elf_link_hash_entry *
++get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+-  if (r_symndx >= cookie->locsymcount
+-      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++  struct elf_link_hash_entry *h = NULL;
++
++  if ((r_symndx >= cookie->locsymcount
++       || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++      /* Guard against corrupt input.  See PR 32636 for an example.  */
++      && r_symndx >= cookie->extsymoff)
+     {
+-      struct elf_link_hash_entry *h;
+ 
+       h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+ 
+       while (h->root.type == bfd_link_hash_indirect
+ 	     || h->root.type == bfd_link_hash_warning)
+ 	h = (struct elf_link_hash_entry *) h->root.u.i.link;
++    }
++
++  return h;
++}
++
++asection *
++_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
++                            unsigned long r_symndx,
++                            bool discard)
++{
++  struct elf_link_hash_entry *h;
+ 
++  h = get_ext_sym_hash (cookie, r_symndx);
++  
++  if (h != NULL)
++    {
+       if ((h->root.type == bfd_link_hash_defined
+ 	   || h->root.type == bfd_link_hash_defweak)
+ 	   && discarded_section (h->root.u.def.section))
+@@ -85,21 +101,19 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+       else
+ 	return NULL;
+     }
+-  else
+-    {
+-      /* It's not a relocation against a global symbol,
+-	 but it could be a relocation against a local
+-	 symbol for a discarded section.  */
+-      asection *isec;
+-      Elf_Internal_Sym *isym;
++  /* It's not a relocation against a global symbol,
++     but it could be a relocation against a local
++     symbol for a discarded section.  */
++  asection *isec;
++  Elf_Internal_Sym *isym;
++
++  /* Need to: get the symbol; get the section.  */
++  isym = &cookie->locsyms[r_symndx];
++  isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
++  if (isec != NULL
++      && discard ? discarded_section (isec) : 1)
++    return isec;
+ 
+-      /* Need to: get the symbol; get the section.  */
+-      isym = &cookie->locsyms[r_symndx];
+-      isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+-      if (isec != NULL
+-	  && discard ? discarded_section (isec) : 1)
+-	return isec;
+-     }
+   return NULL;
+ }
+ 
+@@ -13731,22 +13745,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec,
+   if (r_symndx == STN_UNDEF)
+     return NULL;
+ 
+-  if (r_symndx >= cookie->locsymcount
+-      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++  h = get_ext_sym_hash (cookie, r_symndx);
++  
++  if (h != NULL)
+     {
+       bool was_marked;
+ 
+-      h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+-      if (h == NULL)
+-	{
+-	  info->callbacks->einfo (_("%F%P: corrupt input: %pB\n"),
+-				  sec->owner);
+-	  return NULL;
+-	}
+-      while (h->root.type == bfd_link_hash_indirect
+-	     || h->root.type == bfd_link_hash_warning)
+-	h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+       was_marked = h->mark;
+       h->mark = 1;
+       /* Keep all aliases of the symbol too.  If an object symbol
+@@ -14792,16 +14796,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+       if (r_symndx == STN_UNDEF)
+ 	return true;
+ 
+-      if (r_symndx >= rcookie->locsymcount
+-	  || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+-	{
+-	  struct elf_link_hash_entry *h;
+-
+-	  h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
++      struct elf_link_hash_entry *h;
+ 
+-	  while (h->root.type == bfd_link_hash_indirect
+-		 || h->root.type == bfd_link_hash_warning)
+-	    h = (struct elf_link_hash_entry *) h->root.u.i.link;
++      h = get_ext_sym_hash (rcookie, r_symndx);
++      
++      if (h != NULL)
++       {
+ 
+ 	  if ((h->root.type == bfd_link_hash_defined
+ 	       || h->root.type == bfd_link_hash_defweak)
+@@ -14826,6 +14826,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ 		  || discarded_section (isec)))
+ 	    return true;
+ 	}
++	
+       return false;
+     }
+   return false;
+-- 
+2.20.1
+

debian/patches/0001-CVE-2025-1182.patch

@@ -0,0 +1,36 @@
+From 9cd7e6d60bf90fa374b0dab8b779e2bb0edf44e7 Mon Sep 17 00:00:00 2001
+From: zengwei <zengwei1@uniontech.com>
+Date: Fri, 31 Oct 2025 15:51:53 +0800
+Subject: [PATCH] CVE-2025-1182
+
+---
+ bfd/elflink.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 161cdf8d..7c560027 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14812,6 +14812,10 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ 	}
+       else
+ 	{
++      if (r_symndx >= rcookie->locsymcount)
++        /* This can happen with corrupt input.  */
++        return false;
++
+ 	  /* It's not a relocation against a global symbol,
+ 	     but it could be a relocation against a local
+ 	     symbol for a discarded section.  */
+@@ -14826,7 +14830,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ 		  || discarded_section (isec)))
+ 	    return true;
+ 	}
+-	
++
+       return false;
+     }
+   return false;
+-- 
+2.20.1
+

debian/patches/0001-CVE-2025-5244.patch

@@ -0,0 +1,27 @@
+From ed1ce52a7177dc1d103b751c875a2c188aea8a8a Mon Sep 17 00:00:00 2001
+From: zengwei <zengwei1@uniontech.com>
+Date: Fri, 31 Oct 2025 15:54:53 +0800
+Subject: [PATCH] CVE-2025-5244
+
+---
+ bfd/elflink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 7c560027..55fbaabe 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14090,8 +14090,8 @@ elf_gc_sweep (bfd *abfd, struct bfd_link_info *info)
+ 	  if (o->flags & SEC_GROUP)
+ 	    {
+ 	      asection *first = elf_next_in_group (o);
+-	      o->gc_mark = first->gc_mark;
+-	    }
++          if (first != NULL)
++            o->gc_mark = first->gc_mark;	    }
+ 
+ 	  if (o->gc_mark)
+ 	    continue;
+-- 
+2.20.1
+

debian/patches/CVE-2024-53589.patch

@@ -0,0 +1,92 @@
+From e0323071916878e0634a6e24d8250e4faff67e88 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 11 Nov 2024 10:24:09 +1030
+Subject: [PATCH] Re: tekhex object file output fixes
+
+Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
+bfd_abs_section, but bfd_abs_section needs to be treated specially.
+In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
+is invalid.
+
+	PR 32347
+	* tekhex.c (first_phase): Guard against modification of
+	_bfd_std_section[] entries.
+---
+ bfd/tekhex.c | 38 ++++++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/bfd/tekhex.c b/bfd/tekhex.c
+index aea2ebb23df..b305c1f96f1 100644
+--- a/bfd/tekhex.c
++++ b/bfd/tekhex.c
+@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ {
+   asection *section, *alt_section;
+   unsigned int len;
++  bfd_vma addr;
+   bfd_vma val;
+   char sym[17];			/* A symbol can only be 16chars long.  */
+ 
+@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+     {
+     case '6':
+       /* Data record - read it and store it.  */
+-      {
+-	bfd_vma addr;
+-
+-	if (!getvalue (&src, &addr, src_end))
+-	  return false;
+-
+-	while (*src && src < src_end - 1)
+-	  {
+-	    insert_byte (abfd, HEX (src), addr);
+-	    src += 2;
+-	    addr++;
+-	  }
+-	return true;
+-      }
++      if (!getvalue (&src, &addr, src_end))
++	return false;
++
++      while (*src && src < src_end - 1)
++	{
++	  insert_byte (abfd, HEX (src), addr);
++	  src += 2;
++	  addr++;
++	}
++      return true;
+ 
+     case '3':
+       /* Symbol record, read the segment.  */
+@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ 	    {
+ 	    case '1':		/* Section range.  */
+ 	      src++;
+-	      if (!getvalue (&src, &section->vma, src_end))
++	      if (!getvalue (&src, &addr, src_end))
+ 		return false;
+ 	      if (!getvalue (&src, &val, src_end))
+ 		return false;
+-	      if (val < section->vma)
+-		val = section->vma;
+-	      section->size = val - section->vma;
++	      if (bfd_is_const_section (section))
++		break;
++	      section->vma = addr;
++	      if (val < addr)
++		val = addr;
++	      section->size = val - addr;
+ 	      /* PR 17512: file: objdump-s-endless-loop.tekhex.
+ 		 Check for overlarge section sizes.  */
+ 	      if (section->size & 0x80000000)
+@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ 		  new_symbol->symbol.flags = BSF_LOCAL;
+ 		if (stype == '2' || stype == '6')
+ 		  new_symbol->symbol.section = bfd_abs_section_ptr;
++		else if (bfd_is_const_section (section))
++		  ;
+ 		else if (stype == '3' || stype == '7')
+ 		  {
+ 		    if ((section->flags & SEC_DATA) == 0)
+-- 
+2.43.7

debian/patches/CVE-2025-0840.patch

@@ -0,0 +1,53 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+	PR 32560
+	* objdump.c (MAX_INSN_WIDTH): Define.
+	(insn_width): Make it an unsigned long.
+	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -117,7 +117,8 @@ static bool disassemble_all;		/* -D */
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bool formats_info;		/* -i */
+ int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width;	/* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ 	}
+       else
+ 	{
+-	  char buf[50];
++	  char buf[MAX_INSN_WIDTH + 1];
+ 	  unsigned int bpc = 0;
+ 	  unsigned int pb = 0;
+ 
+@@ -6070,8 +6071,9 @@ main (int argc, char **argv)
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
++	  if (insn_width - 1 >= MAX_INSN_WIDTH)
++	    fatal (_("error: instruction width must be in the range 1 to "
++		     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = true;
+-- 
+2.43.7