elfutils: Fix CVE-2025-1372

A vulnerability was found in GNU elfutils 0.192. It has been declared as critical.
Affected by this vulnerability is the function dump_data_section/print_string_section
of the file readelf.c of the component eu-readelf. The manipulation of the argument
z/x leads to buffer overflow. An attack has to be approached locally. The exploit
has been disclosed to the public and may be used. The identifier of the patch is
73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix
this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-1372
https://ubuntu.com/security/CVE-2025-1372

Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
index 2f34bfeebb470bf347609b116805e18c452d0947..4dcc774bb92b001319509a33278764e715ffe15a 100644 (file)
--- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://CVE-2025-1352.patch \
            file://CVE-2025-1365.patch \
            file://CVE-2025-1371.patch \
+           file://CVE-2025-1372.patch \
            "
 SRC_URI:append:libc-musl = " \
            file://0003-musl-utils.patch \

diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch
new file mode 100644 (file)
index 0000000..c202d83
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch
@@ -0,0 +1,51 @@
+From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 9 Feb 2025 00:07:39 +0100
+Subject: [PATCH] readelf: Skip trying to uncompress sections without a name
+
+When combining eu-readelf -z with -x or -p to dump the data or strings
+in an (corrupted ELF) unnamed numbered section eu-readelf could crash
+trying to check whether the section name starts with .zdebug. Fix this
+by skipping sections without a name.
+
+   * src/readelf.c (dump_data_section): Don't try to gnu decompress a
+   section without a name.
+   (print_string_section): Likewise.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32656
+
+CVE: CVE-2025-1372
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db]
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index a526fa8..89ee80a 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -13321,7 +13321,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name)
+                       _("Couldn't uncompress section"),
+                       elf_ndxscn (scn));
+           }
+-        else if (startswith (name, ".zdebug"))
++        else if (name && startswith (name, ".zdebug"))
+           {
+             if (elf_compress_gnu (scn, 0, 0) < 0)
+               printf ("WARNING: %s [%zd]\n",
+@@ -13372,7 +13372,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name)
+                       _("Couldn't uncompress section"),
+                       elf_ndxscn (scn));
+           }
+-        else if (startswith (name, ".zdebug"))
++        else if (name && startswith (name, ".zdebug"))
+           {
+             if (elf_compress_gnu (scn, 0, 0) < 0)
+               printf ("WARNING: %s [%zd]\n",
+-- 
+2.43.2
+