From 8c6590c3bb7ca5fb714c4d97687f4beb368cfe39 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 16 Dec 2025 11:13:07 +0000
Subject: [PATCH] Fix a potential illegal memory access when copying a corrupt input file. Resolves: RHEL-132254
---
binutils-CVE-2025-7546.patch | 49 ++++++++++++++++++++++++++++++++++++
binutils.spec | 10 +++++++-
2 files changed, 58 insertions(+), 1 deletion(-)
create mode 100644 binutils-CVE-2025-7546.patch
diff --git a/binutils-CVE-2025-7546.patch b/binutils-CVE-2025-7546.patch
new file mode 100644
index 0000000..b663177
--- /dev/null
+++ b/binutils-CVE-2025-7546.patch
@@ -0,0 +1,49 @@
+From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Sat, 21 Jun 2025 06:52:00 +0800
+Subject: [PATCH] elf: Report corrupted group section
+
+Report corrupted group section instead of trying to recover.
+
+ PR binutils/33050
+ * elf.c (bfd_elf_set_group_contents): Report corrupted group
+ section.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elf.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- binutils-2.41.orig/bfd/elf.c 2025-12-16 09:04:43.724584660 +0000
++++ binutils-2.41/bfd/elf.c 2025-12-16 09:04:52.974831776 +0000
+@@ -4127,20 +4127,17 @@ bfd_elf_set_group_contents (bfd *abfd, a
+ break;
+ }
+
+- /* We should always get here with loc == sec->contents + 4, but it is
+- possible to craft bogus SHT_GROUP sections that will cause segfaults
+- in objcopy without checking loc here and in the loop above. */
+- if (loc == sec->contents)
+- BFD_ASSERT (0);
+- else
++ /* We should always get here with loc == sec->contents + 4. Return
++ an error for bogus SHT_GROUP sections. */
++ loc -= 4;
++ if (loc != sec->contents)
+ {
+- loc -= 4;
+- if (loc != sec->contents)
+- {
+- BFD_ASSERT (0);
+- memset (sec->contents + 4, 0, loc - sec->contents);
+- loc = sec->contents;
+- }
++ /* xgettext:c-format */
++ _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
++ abfd, sec);
++ bfd_set_error (bfd_error_bad_value);
++ *failedptr = true;
++ return;
+ }
+
+ H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
diff --git a/binutils.spec b/binutils.spec
index 0cb1543..c30ba5c 100644
--- a/binutils.spec
+++ b/binutils.spec
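Review bot: In the backported `bfd_elf_set_group_contents` hunk, `loc -= 4;` now runs before any check, so for the input the removed code special-cased (`loc == sec->contents`) the new code forms a pointer four bytes before the start of the section buffer. On that path the pointer is only compared and never dereferenced, but computing it is undefined behaviour in ISO C; testing first avoids it, with `if (loc != sec->contents + 4)` guarding the error branch and `loc = sec->contents;` placed after the check has passed. The check also runs only after the loop above has already stored through `loc`; the removed comment implies that loop has its own check on `loc`, but the loop is outside this hunk, so that should be confirmed against the 2.41 tree this patch is applied to. The function starts and ends outside the hunk.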
@@ -2,7 +2,7 @@ Summary: A GNU collection of binary utilities Name: binutils%{?_with_debug:-debug} Version: 2.41 -Release: 60%{?dist} +Release: 61%{?dist} License: GPL-3.0-or-later AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND (LGPL-2.0-or-later WITH GCC-exception-2.0) AND BSD-3-Clause AND GFDL-1.3-or-later AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LGPL-2.0-or-later URL: https://sourceware.org/binutils @@ -397,6 +397,11 @@ Patch63: binutils-CVE-2025-11082.patch # Lifetime: Fixed in 2.46 Patch64: binutils-CVE-2025-11083.patch +# Purpose: Stops a potential illegal memory access when copying a corrupt +# input file. PR 33050 +# Lifetime: Fixed in 2.46 +Patch65: binutils-CVE-2025-7546.patch + #---------------------------------------------------------------------------- # Purpose: Suppress the x86 linker's p_align-1 tests due to kernel bug on CentOS-10 @@ -1436,6 +1441,9 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Tue Dec 16 2025 Nick Clifton - 2.41-61 +- Fix a potential illegal memory access when copying a corrupt input file. (RHEL-132254) + * Mon Nov 10 2025 Nick Clifton - 2.41-60 - Fix a potential illegal memory access when linking a corrupt input file. (RHEL-126877)