diff --git a/debian/changelog b/debian/changelog
index 1e7df44e..40203539 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+binutils (2.41-6deepin12) unstable; urgency=medium
+
+ * Fix multiple CVEs
+ - CVE-2025-11082: elf: Don't read beyond .eh_frame section size
+ - CVE-2025-11412: PR 33452 SEGV in bfd_elf_gc_record_vtentry
+ - CVE-2025-11494: x86: Keep _GLOBAL_OFFSET_TABLE_ for .eh_frame
+ - CVE-2025-11495: x86: Disallow TLS relocation in non executable section
+ - CVE-2025-11839: Remove call to abort in DGB debug format printing
+ - CVE-2025-11840: PR 33455 SEGV in vfinfo at ldmisc.c
+
+ -- lichenggang Wed, 22 Apr 2026 18:05:10 +0800 + + binutils (2.41-6deepin11) unstable; urgency=medium + + * LoongArch: common sync from upstream
diff --git a/debian/patches/CVE-2025-11082.patch b/debian/patches/CVE-2025-11082.patch
new file mode 100644
index 00000000..804e37d7
--- /dev/null
+++ b/debian/patches/CVE-2025-11082.patch
@@ -0,0 +1,45 @@
+From ea1a0737c7692737a644af0486b71e4a392cbca8 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Mon, 22 Sep 2025 15:20:34 +0800
+Subject: [PATCH] elf: Don't read beyond .eh_frame section size
+
+ PR ld/33464
+ * elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond
+ .eh_frame section size.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elf-eh-frame.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/elf-eh-frame.c b/bfd/elf-eh-frame.c
+index dc0d2e097f5..30bb313489c 100644
+--- a/bfd/elf-eh-frame.c
++++ b/bfd/elf-eh-frame.c
+@@ -737,6 +737,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+ if (hdr_id == 0)
+ {
+ unsigned int initial_insn_length;
++ char *null_byte;
+
+ /* CIE */
+ this_inf->cie = 1;
+@@ -753,10 +754,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+ REQUIRE (cie->version == 1
+ || cie->version == 3
+ || cie->version == 4);
+- REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation));
++ null_byte = memchr ((char *) buf, 0, end - buf);
++ REQUIRE (null_byte != NULL);
++ REQUIRE ((size_t) (null_byte - (char *) buf)
++ < sizeof (cie->augmentation));
+
+ strcpy (cie->augmentation, (char *) buf);
+- buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1;
++ buf = (bfd_byte *) null_byte + 1;
+ this_inf->u.cie.aug_str_len = buf - start - 1;
+ ENSURE_NO_RELOCS (buf);
+ if (buf[0] == 'e' && buf[1] == 'h')
+--
+2.43.7
+
diff --git a/debian/patches/CVE-2025-11412.patch b/debian/patches/CVE-2025-11412.patch
new file mode 100644
index 00000000..e3b8d93d
--- /dev/null
+++ b/debian/patches/CVE-2025-11412.patch
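Review bot: The `strcpy (cie->augmentation, (char *) buf);` kept after the new checks rescans for the terminator that `memchr` has already located; `memcpy (cie->augmentation, buf, null_byte - (char *) buf + 1);` would copy exactly the validated length and make the bound visible at the copy site. The `end - buf` length handed to memchr is only meaningful if `buf <= end` holds here, which the hunk does not show; if that invariant is established earlier in the function a one-line comment naming where would help the next reader, and if it is not the subtraction can wrap to a huge size. _bfd_elf_parse_eh_frame starts and ends outside both hunks.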
@@ -0,0 +1,34 @@
+From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array. This also fixes the expression
+overflow leading to pr33452. A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+ PR ld/33452
+ * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 54f0d6e957e..0a0456177c2 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14865,7 +14865,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+ const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+ unsigned int log_file_align = bed->s->log_file_align;
+
+- if (!h)
++ if (!h || addend > 1u << 28)
+ {
+ /* xgettext:c-format */
+ _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
+--
+2.43.7
+
diff --git a/debian/patches/CVE-2025-11494.patch b/debian/patches/CVE-2025-11494.patch
new file mode 100644
index 00000000..5bc53c23
--- /dev/null
+++ b/debian/patches/CVE-2025-11494.patch
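Review bot: The new `addend > 1u << 28` bound in bfd_elf_gc_record_vtentry is a bare magic number whose rationale lives only in the commit message; a comment at the site such as `/* Reject absurd VTENTRY addends (more than 2^28 bytes of vtable) instead of allocating a huge array; PR 33452.  */` would keep it with the code. The constant is an unsigned int, so the comparison only rejects negative values if `addend` itself is unsigned; its declaration is outside the hunk, so confirm it is not a signed type, in which case a negative addend would pass the check. The function starts and ends outside the hunk.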
@@ -0,0 +1,48 @@
+From b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Tue, 30 Sep 2025 08:13:56 +0800
+Subject: [PATCH] x86: Keep _GLOBAL_OFFSET_TABLE_ for .eh_frame
+
+Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
+_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
+.eh_frame section is non-empty.
+
+ PR ld/33499
+ * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep
+ _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the
+ output .eh_frame section is non-empty.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elfxx-x86.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index d8c653a9ad2..140e86888a6 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -2456,6 +2456,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+
+ if (htab->elf.sgotplt)
+ {
++ asection *eh_frame;
++
+ /* Don't allocate .got.plt section if there are no GOT nor PLT
+ entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */
+ if ((htab->elf.hgot == NULL
+@@ -2468,7 +2470,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+ && (htab->elf.iplt == NULL
+ || htab->elf.iplt->size == 0)
+ && (htab->elf.igotplt == NULL
+- || htab->elf.igotplt->size == 0))
++ || htab->elf.igotplt->size == 0)
++ && (!htab->elf.dynamic_sections_created
++ || (eh_frame = bfd_get_section_by_name (output_bfd,
++ ".eh_frame")) == NULL
++ || eh_frame->rawsize == 0))
+ {
+ htab->elf.sgotplt->size = 0;
+ /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
+--
+2.43.7
+
diff --git a/debian/patches/CVE-2025-11495.patch b/debian/patches/CVE-2025-11495.patch
new file mode 100644
index 00000000..b6c64a7e
--- /dev/null
+++ b/debian/patches/CVE-2025-11495.patch
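Review bot: The assignment buried inside the condition, `(eh_frame = bfd_get_section_by_name (output_bfd, ".eh_frame")) == NULL`, makes an already long `if` harder to read; doing the lookup as a statement right after the new `asection *eh_frame;` declaration, `eh_frame = bfd_get_section_by_name (output_bfd, ".eh_frame");`, and testing `eh_frame == NULL || eh_frame->rawsize == 0` in the condition gives the same result, as the lookup appears to have no side effects. The test reads `rawsize` rather than `size`; if that is deliberate, a short comment saying why would stop a later reader from "correcting" it. The enclosing `if` begins outside the second hunk, and _bfd_x86_elf_late_size_sections starts and ends outside both hunks.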
@@ -0,0 +1,152 @@
+From 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Tue, 30 Sep 2025 08:18:29 +0800
+Subject: [PATCH] x86: Disallow TLS relocation in non executable section
+
+Since TLS relocations are applied to executable machine instructions,
+disallow TLS relocation in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
+
+ PR ld/33451
+ PR ld/33502
+ * elf32-i386.c (elf_i386_tls_transition): Disallow TLS relocation
+ in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
+ (elf_i386_scan_relocs): Likewise.
+ * elf64-x86-64.c (elf_x86_64_tls_transition): Likewise.
+ (elf_x86_64_scan_relocs): Likewise.
+ * elfxx-x86.c (_bfd_x86_elf_link_report_tls_invalid_section_error):
+ New.
+ * elfxx-x86.h (_bfd_x86_elf_link_report_tls_invalid_section_error):
+ Likewise.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elf32-i386.c | 19 +++++++++++++++++++
+ bfd/elf64-x86-64.c | 20 ++++++++++++++++++++
+ bfd/elfxx-x86.c | 20 ++++++++++++++++++++
+ bfd/elfxx-x86.h | 4 ++++
+ 4 files changed, 63 insertions(+)
+
+diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
+index 507a0762aff..0d60eded701 100644
+--- a/bfd/elf32-i386.c
++++ b/bfd/elf32-i386.c
+@@ -1166,6 +1166,15 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ return true;
+ }
+
++ if ((elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ reloc_howto_type *howto = elf_i386_rtype_to_howto (from_type);
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, sym, howto);
++ return false;
++ }
++
+ /* Return TRUE if there is no transition. */
+ if (from_type == to_type)
+ return true;
+@@ -1733,6 +1742,16 @@ elf_i386_scan_relocs (bfd *abfd,
+ tls_type = GOT_TLS_IE_POS; break;
+ }
+
++ if (tls_type >= GOT_TLS_GD
++ && tls_type <= GOT_TLS_GDESC
++ && (elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, isym, howto);
++ goto error_return;
++ }
++
+ if (h != NULL)
+ {
+ h->got.refcount = 1;
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 620b6a380cd..59b43149897 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -1626,6 +1626,16 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ return true;
+ }
+
++ if ((elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ reloc_howto_type *howto = elf_x86_64_rtype_to_howto (abfd,
++ from_type);
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, sym, howto);
++ return false;
++ }
++
+ /* Return TRUE if there is no transition. */
+ if (from_type == to_type
+ || (from_type == R_X86_64_CODE_4_GOTTPOFF
+@@ -2757,6 +2767,16 @@ need_got:
+ break;
+ }
+
++ if (tls_type >= GOT_TLS_GD
++ && tls_type <= GOT_TLS_GDESC
++ && (elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, isym, howto);
++ goto error_return;
++ }
++
+ if (h != NULL)
+ {
+ h->got.refcount = 1;
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index 0d389968c91..d8c653a9ad2 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -3365,6 +3365,26 @@ _bfd_x86_elf_link_report_tls_transition_error
+ bfd_set_error (bfd_error_bad_value);
+ }
+
++/* Report TLS invalid section error. */
++
++void
++_bfd_x86_elf_link_report_tls_invalid_section_error
++ (bfd *abfd, asection *sec, Elf_Internal_Shdr *symtab_hdr,
++ struct elf_link_hash_entry *h, Elf_Internal_Sym *sym,
++ reloc_howto_type *howto)
++{
++ const char *name;
++ if (h)
++ name = h->root.root.string;
++ else
++ name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL);
++ _bfd_error_handler
++ /* xgettext:c-format */
++ (_("%pB: relocation %s against thread local symbol `%s' in "
++ "invalid section `%pA'"), abfd, howto->name, name, sec);
++ bfd_set_error (bfd_error_bad_value);
++}
++
+ /* Return TRUE if symbol should be hashed in the `.gnu.hash' section. */
+
+ bool
+diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h
+index 1ebc9d2f2e5..f8a24a77577 100644
+--- a/bfd/elfxx-x86.h
++++ b/bfd/elfxx-x86.h
+@@ -951,6 +951,10 @@ extern void _bfd_x86_elf_link_report_tls_transition_error
+ const Elf_Internal_Rela *, const char *, const char *,
+ enum elf_x86_tls_error_type);
+
++extern void _bfd_x86_elf_link_report_tls_invalid_section_error
++ (bfd *, asection *, Elf_Internal_Shdr *, struct elf_link_hash_entry *,
++ Elf_Internal_Sym *, reloc_howto_type *);
++
+ #define bfd_elf64_mkobject \
+ _bfd_x86_elf_mkobject
+ #define bfd_elf32_mkobject \
+--
+2.43.7
+
diff --git a/debian/patches/CVE-2025-11839.patch b/debian/patches/CVE-2025-11839.patch
new file mode 100644
index 00000000..64fb012a
--- /dev/null
+++ b/debian/patches/CVE-2025-11839.patch
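Review bot: The two tls_transition hunks wrap the new condition in a redundant outer pair of parentheses, `if ((elf_section_type (sec) != SHT_PROGBITS || (sec->flags & SEC_CODE) == 0))`; dropping the extra pair matches the form used in the two scan_relocs hunks, where the same section test appears again, and a small shared predicate in elfxx-x86.h would keep the four copies from drifting apart. The `tls_type >= GOT_TLS_GD && tls_type <= GOT_TLS_GDESC` range check in both scan_relocs hunks silently depends on the numeric GOT_TLS_* values defined outside this patch; a comment such as `/* Every TLS GOT type lies between GOT_TLS_GD and GOT_TLS_GDESC; see elfxx-x86.h.  */` would record that. The new _bfd_x86_elf_link_report_tls_invalid_section_error dereferences `howto->name` and `h->root.root.string` unconditionally while its one-line comment says nothing about its arguments; expanding it to state that HOWTO must be non-NULL and that SYM is consulted only when H is NULL would document the contract the four callers rely on. All four calling functions start and end outside their hunks.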
@@ -0,0 +1,27 @@
+From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Mon, 3 Nov 2025 11:49:02 +0000
+Subject: [PATCH] Remove call to abort in the DGB debug format printing code,
+ thus allowing the display of a fuzzed input file to complete without
+ triggering an abort.
+
+PR 33448
+---
+ binutils/prdbg.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c239aeb1a79..5d405c48e3d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id,
+ t = "union class ";
+ break;
+ default:
+- abort ();
+ return false;
+ }
+
+--
+2.43.7
+
diff --git a/debian/patches/CVE-2025-11840.patch b/debian/patches/CVE-2025-11840.patch
new file mode 100644
index 00000000..c94b6840
--- /dev/null
+++ b/debian/patches/CVE-2025-11840.patch
@@ -0,0 +1,32 @@
+From f6b0f53a36820da91eadfa9f466c22f92e4256e0 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Mon, 3 Nov 2025 09:03:37 +1030
+Subject: [PATCH] PR 33455 SEGV in vfinfo at ldmisc.c:527
+
+A reloc howto set up with EMPTY_HOWTO has a NULL name. More than one
+place emitting diagnostics assumes a reloc howto won't have a NULL
+name.
+
+ PR 33455
+ * coffcode.h (coff_slurp_reloc_table): Don't allow a howto with
+ a NULL name.
+---
+ bfd/coffcode.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index 1e5acc0032c..ce1e39131b4 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -5345,7 +5345,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols)
+ RTYPE2HOWTO (cache_ptr, &dst);
+ #endif /* RELOC_PROCESSING */
+
+- if (cache_ptr->howto == NULL)
++ if (cache_ptr->howto == NULL || cache_ptr->howto->name == NULL)
+ {
+ _bfd_error_handler
+ /* xgettext:c-format */
+--
+2.43.7
+
diff --git a/debian/patches/series b/debian/patches/series
index e6ddd212..78da2bb2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -204,3 +204,9 @@ CVE-2025-8225.patch
 0016-LoongArch-Fix-incorrect-display-of-FDEs-address-rang.patch
 0017-LoongArch-Use-more-appropriate-assertions-for-the-re.patch
 0018-LoongArch-set-PRSTATUS_SIZE-0x1e0-to-match-kernel-s-.patch
+CVE-2025-11082.patch
+CVE-2025-11412.patch
+CVE-2025-11494.patch
+CVE-2025-11495.patch
+CVE-2025-11839.patch
+CVE-2025-11840.patch
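Review bot: With `abort ()` gone, the `default:` branch of tg_tag_type now returns false for an unexpected kind without saying why, so a malformed input is reported only as a generic failure by whatever caller checks the return; emitting a diagnostic before the `return false;`, in the form prdbg.c uses elsewhere for bad input, would keep the fuzzed-input case visible to the user instead of silently cutting the output short. At minimum a comment such as `/* Unknown kind: treat as malformed input rather than aborting.  */` above the return would record the intent. tg_tag_type starts and ends outside the hunk.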
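Review bot: The added `cache_ptr->howto->name == NULL` test in coff_slurp_reloc_table carries no comment, so the reason a non-NULL howto is still rejected — EMPTY_HOWTO entries have a NULL name that later diagnostics print — lives only in the commit message; a comment such as `/* EMPTY_HOWTO entries have a NULL name; reject them here so later diagnostics can safely print howto->name.  */` above the `if` would keep it with the code. The message also says more than one diagnostic site makes the non-NULL assumption, so other places that set up a howto may need the same guard; that is outside this hunk. coff_slurp_reloc_table starts and ends outside the hunk.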