Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/binutils: apply security patch for CVE-2025-3198

Browse Source 
This fixes a memory leaks that affects both binutils 2.43 and 2.44,
see https://www.cve.org/CVERecord?id=CVE-2025-3198

Fixes the following CVE:
- CVE-2025-3198: A vulnerability has been found in GNU Binutils 2.43/2.44
                 and classified as problematic. Affected by this
                 vulnerability is the function display_info of the file
                 binutils/bucomm.c of the component objdump.
                 The manipulation leads to memory leak.

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit is contained in:
Titouan Christophe
2025-05-19 16:00:42 +02:00
committed by Julien Olivain
parent fb992eb5a3
commit 4dc951f3ee
3 changed files with 65 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
package/binutils/2.43.1/0003-objdump-memleak.patch Normal file
View File

@@ -0,0 +1,31 @@
From ba6ad3a18cb26b79e0e3b84c39f707535bbc344d Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 19 Feb 2025 07:58:54 +1030
Subject: [PATCH] PR32716, objdump -i memory leak
PR binutils/32716
* bucomm.c (display_info): Free arg.info.
Upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
CVE: CVE-2025-3198
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
binutils/bucomm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/binutils/bucomm.c b/binutils/bucomm.c
index ccf54099154..d4554737db1 100644
--- a/binutils/bucomm.c
+++ b/binutils/bucomm.c
@@ -435,6 +435,7 @@ display_info (void)
if (!arg.error)
display_target_tables (&arg);
+ free (arg.info);
return arg.error;
}
--
2.43.5

31
package/binutils/2.44/0003-objdump-memleak.patch Normal file
View File

@@ -0,0 +1,31 @@
From ba6ad3a18cb26b79e0e3b84c39f707535bbc344d Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 19 Feb 2025 07:58:54 +1030
Subject: [PATCH] PR32716, objdump -i memory leak
PR binutils/32716
* bucomm.c (display_info): Free arg.info.
Upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
CVE: CVE-2025-3198
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
binutils/bucomm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/binutils/bucomm.c b/binutils/bucomm.c
index ccf54099154..d4554737db1 100644
--- a/binutils/bucomm.c
+++ b/binutils/bucomm.c
@@ -435,6 +435,7 @@ display_info (void)
if (!arg.error)
display_target_tables (&arg);
+ free (arg.info);
return arg.error;
}
--
2.43.5

3
package/binutils/binutils.mk
View File

@@ -31,6 +31,9 @@ BINUTILS_LICENSE = GPL-3.0+, libiberty LGPL-2.1+
BINUTILS_LICENSE_FILES = COPYING3 COPYING.LIB
BINUTILS_CPE_ID_VENDOR = gnu
# 0003-objdump-memleak.patch
BINUTILS_IGNORE_CVES += CVE-2025-3198
ifeq ($(BINUTILS_FROM_GIT),y)
BINUTILS_DEPENDENCIES += host-flex host-bison
HOST_BINUTILS_DEPENDENCIES += host-flex host-bison