Skip to content

Commit 5ffa8c4

Browse files
deepin-ci-robothudeng-go
authored andcommitted
fix(cve): security fixes for binutils
CVE: CVE-2025-11412 Description: PR 33452 SEGV in bfd_elf_gc_record_vtentry Upstream: https://api.atomgit.com/api/v5/repos/src-openeuler/binutils/contents/backport-CVE-2025-11412-PR-33452-SEGV-in-bfd_elf_gc_record_vtentry.patch CVE: CVE-2026-3441 Description: xcofflink buffer overflows Upstream: https://api.atomgit.com/api/v5/repos/src-openeuler/binutils/contents/backport-CVE-2026-3441-CVE-2026-3442.patch Generated-By: deepseek-v4-flash Co-Authored-By: hudeng hudeng@deepin.org
1 parent 1343c02 commit 5ffa8c4

4 files changed

Lines changed: 89 additions & 8 deletions

File tree

debian/changelog

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,11 @@
1+
binutils (2.41-6deepin13) unstable; urgency=medium
2+
3+
* * Security fixes: * CVE-2025-11412: Patch from src-
4+
openeuler/binutils * CVE-2026-3441: Patch from src-
5+
openeuler/binutils
6+
7+
-- deepin-ci-robot <packages@deepin.org> Thu, 28 May 2026 21:13:29 +0800
8+
19
binutils (2.41-6deepin12) unstable; urgency=medium
210

311
* Remove cross-compiler g++ packages from build dependencies
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
2+
From: Alan Modra <amodra@gmail.com>
3+
Date: Thu, 25 Sep 2025 08:22:24 +0930
4+
Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
5+
6+
Limit addends on vtentry relocs, otherwise ld might attempt to
7+
allocate a stupidly large array. This also fixes the expression
8+
overflow leading to pr33452. A vtable of 33M entries on a 64-bit
9+
host is surely large enough, especially considering that VTINHERIT
10+
and VTENTRY relocations are to support -fvtable-gc that disappeared
11+
from gcc over 20 years ago.
12+
13+
PR ld/33452
14+
* elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
15+
---
16+
bfd/elflink.c | 2 +-
17+
1 file changed, 1 insertion(+), 1 deletion(-)
18+
19+
--- binutils.orig/bfd/elflink.c
20+
+++ binutils/bfd/elflink.c
21+
@@ -14501,7 +14501,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, as
22+
const struct elf_backend_data *bed = get_elf_backend_data (abfd);
23+
unsigned int log_file_align = bed->s->log_file_align;
24+
25+
- if (!h)
26+
+ if (!h || addend > 1u << 28)
27+
{
28+
/* xgettext:c-format */
29+
_bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),

debian/patches/CVE-2026-3441.patch

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
From c2bf7de1eb77a91d7a3c86d56408bf57de540faf Mon Sep 17 00:00:00 2001
2+
From: Alan Modra <amodra@gmail.com>
3+
Date: Sat, 28 Feb 2026 13:16:40 +1030
4+
Subject: [PATCH] xcofflink buffer overflows
5+
6+
This fixes two fuzzed object file out-of-bounds accesses.
7+
8+
* xcofflink.c (xcoff_link_add_symbols): Properly bounds check
9+
XTY_LD x_scnlen index. Sanity check r_symndx before using it
10+
to index sym hashes.
11+
Conflict:NA
12+
Reference:https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf
13+
---
14+
bfd/xcofflink.c | 10 ++++------
15+
1 file changed, 4 insertions(+), 6 deletions(-)
16+
17+
--- binutils.orig/bfd/xcofflink.c
18+
+++ binutils/bfd/xcofflink.c
19+
@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struc
20+
follow its appropriate XTY_SD symbol. The .set pseudo op can
21+
cause the XTY_LD to not follow the XTY_SD symbol. */
22+
{
23+
- bool bad;
24+
-
25+
- bad = false;
26+
- if (aux.x_csect.x_scnlen.u64
27+
- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd)))
28+
- bad = true;
29+
+ bool bad = (aux.x_csect.x_scnlen.u64
30+
+ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd))
31+
+ / symesz));
32+
if (! bad)
33+
{
34+
section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64];
35+
@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struc
36+
functions imported from dynamic objects. */
37+
if (info->output_bfd->xvec == abfd->xvec
38+
&& *rel_csect != bfd_und_section_ptr
39+
+ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd)
40+
&& obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL)
41+
{
42+
struct xcoff_link_hash_entry *h;

debian/patches/series

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -175,17 +175,9 @@ LoongArch-binutils-compatible-with-older-gcc.diff
175175
LoongArch-remove-test-cases-for-compatibility.patch
176176
PR32238-ld-r-slowdown-since-21401fc7bf.patch
177177
0001-CVE-2024-57360.patch
178-
CVE-2024-53589.patch
179-
CVE-2025-0840.patch
180178
0001-CVE-2025-1176.patch
181-
CVE-2025-1178.patch
182179
0001-CVE-2025-1182.patch
183-
CVE-2025-3198.patch
184180
0001-CVE-2025-5244.patch
185-
CVE-2025-5245.patch
186-
CVE-2025-7545.patch
187-
CVE-2025-7546.patch
188-
CVE-2025-8225.patch
189181
0001-LoongArch-Default-to-a-maximum-page-size-of-64KiB.patch
190182
0002-LoongArch-Check-PC-relative-relocations-for-shared-l.patch
191183
0003-LoongArch-Fix-resolution-of-undefined-weak-hidden-pr.patch
@@ -204,3 +196,13 @@ CVE-2025-8225.patch
204196
0016-LoongArch-Fix-incorrect-display-of-FDEs-address-rang.patch
205197
0017-LoongArch-Use-more-appropriate-assertions-for-the-re.patch
206198
0018-LoongArch-set-PRSTATUS_SIZE-0x1e0-to-match-kernel-s-.patch
199+
CVE-2025-11412.patch
200+
CVE-2026-3441.patch
201+
CVE-2024-53589.patch
202+
CVE-2025-0840.patch
203+
CVE-2025-1178.patch
204+
CVE-2025-3198.patch
205+
CVE-2025-5245.patch
206+
CVE-2025-7545.patch
207+
CVE-2025-7546.patch
208+
CVE-2025-8225.patch

0 commit comments

Comments
 (0)