[AutoPR- Security] Patch binutils for CVE-2025-69647 [MEDIUM]

SPECS/binutils/CVE-2025-69647.patch

@@ -0,0 +1,59 @@
+From c6bc894cbb64bfbd7a751e1a94fc47eaefa170f1 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 17 Mar 2026 08:48:48 +0000
+Subject: [PATCH] PR 33639: Limit .debug_loclists output: validate header
+ length, clamp to section size, cap offset count to prevent endless table;
+ also adjust return length semantics
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=455446bbdc8675f34808187de2bbad4682016ff7
+---
+ binutils-2.41/binutils/dwarf.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/binutils-2.41/binutils/dwarf.c b/binutils-2.41/binutils/dwarf.c
+index ea83e35a..92d3bbe1 100644
+--- a/binutils-2.41/binutils/dwarf.c
++++ b/binutils-2.41/binutils/dwarf.c
+@@ -7026,8 +7026,9 @@ display_offset_entry_loclists (struct dwarf_section *section)
+       uint32_t offset_entry_count;
+       uint32_t i;
+       bool is_64bit;
++      uint64_t table_offset;
+
+-      printf (_("Table at Offset %#tx\n"), start - section->start);
++      table_offset = start - section->start;
+
+       SAFE_BYTE_GET_AND_INC (length, start, 4, end);
+       if (length == 0xffffffff)
+@@ -7038,6 +7039,11 @@ display_offset_entry_loclists (struct dwarf_section *section)
+       else
+ 	is_64bit = false;
+
++      if (length < 8)
++	return 0;
++
++      printf (_("Table at Offset %#tx\n"), table_offset);
++
+       SAFE_BYTE_GET_AND_INC (version, start, 2, end);
+       SAFE_BYTE_GET_AND_INC (address_size, start, 1, end);
+       SAFE_BYTE_GET_AND_INC (segment_selector_size, start, 1, end);
+@@ -7049,6 +7055,15 @@ display_offset_entry_loclists (struct dwarf_section *section)
+       printf (_("  Segment size:    %u\n"), segment_selector_size);
+       printf (_("  Offset entries:  %u\n"), offset_entry_count);
+
++      if (length > section->size - table_offset)
++	length = section->size - table_offset;
++
++      {
++	uint64_t max_off_count = length >> (is_64bit ? 3 : 2);
++	if (offset_entry_count > max_off_count)
++	  offset_entry_count = max_off_count;
++      }
++
+       if (version < 5)
+ 	{
+ 	  warn (_("The %s section contains a corrupt or "
+-- 
+2.45.4
+

SPECS/binutils/binutils.spec

@@ -21,7 +21,7 @@
 Summary:        Contains a linker, an assembler, and other tools
 Name:           binutils
 Version:        2.41
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -47,6 +47,7 @@ Patch13:        CVE-2025-11082.patch
 Patch14:        CVE-2025-11083.patch
 Patch15:        CVE-2025-11412.patch
 Patch16:        CVE-2025-11414.patch
+Patch17:        CVE-2025-69647.patch
 Provides:       bundled(libiberty)
 
 # Moving macro before the "SourceX" tags breaks PR checks parsing the specs.
@@ -336,6 +337,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %do_files aarch64-linux-gnu %{build_aarch64}
 
 %changelog
+* Tue Mar 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-11
+- Patch for CVE-2025-69647
+
 * Thu Oct 16 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.41-10
 - Patch for CVE-2025-11414, CVE-2025-11412
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.2-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
 file-libs-5.45-1.azl3.aarch64.rpm
-binutils-2.41-10.azl3.aarch64.rpm
-binutils-devel-2.41-10.azl3.aarch64.rpm
+binutils-2.41-11.azl3.aarch64.rpm
+binutils-devel-2.41-11.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
 mpfr-4.2.1-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -13,8 +13,8 @@ zlib-devel-1.3.2-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
 file-libs-5.45-1.azl3.x86_64.rpm
-binutils-2.41-10.azl3.x86_64.rpm
-binutils-devel-2.41-10.azl3.x86_64.rpm
+binutils-2.41-11.azl3.x86_64.rpm
+binutils-devel-2.41-11.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
 mpfr-4.2.1-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,9 +30,9 @@ bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
 bash-lang-5.2.15-3.azl3.aarch64.rpm
-binutils-2.41-10.azl3.aarch64.rpm
-binutils-debuginfo-2.41-10.azl3.aarch64.rpm
-binutils-devel-2.41-10.azl3.aarch64.rpm
+binutils-2.41-11.azl3.aarch64.rpm
+binutils-debuginfo-2.41-11.azl3.aarch64.rpm
+binutils-devel-2.41-11.azl3.aarch64.rpm
 bison-3.8.2-1.azl3.aarch64.rpm
 bison-debuginfo-3.8.2-1.azl3.aarch64.rpm
 bzip2-1.0.8-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -32,10 +32,10 @@ bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
 bash-lang-5.2.15-3.azl3.x86_64.rpm
-binutils-2.41-10.azl3.x86_64.rpm
-binutils-aarch64-linux-gnu-2.41-10.azl3.x86_64.rpm
-binutils-debuginfo-2.41-10.azl3.x86_64.rpm
-binutils-devel-2.41-10.azl3.x86_64.rpm
+binutils-2.41-11.azl3.x86_64.rpm
+binutils-aarch64-linux-gnu-2.41-11.azl3.x86_64.rpm
+binutils-debuginfo-2.41-11.azl3.x86_64.rpm
+binutils-devel-2.41-11.azl3.x86_64.rpm
 bison-3.8.2-1.azl3.x86_64.rpm
 bison-debuginfo-3.8.2-1.azl3.x86_64.rpm
 bzip2-1.0.8-1.azl3.x86_64.rpm
@@ -70,7 +70,7 @@ cracklib-lang-2.9.11-1.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
-cross-binutils-common-2.41-10.azl3.noarch.rpm
+cross-binutils-common-2.41-11.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.11.1-5.azl3.x86_64.rpm
 curl-debuginfo-8.11.1-5.azl3.x86_64.rpm