From 76c57e74071f8f2f312d5c62e1f7a1ac74db54be Mon Sep 17 00:00:00 2001 From: Soumya Sambu Date: Wed, 13 Aug 2025 17:41:00 +0530 Subject: [PATCH] elfutils: Fix CVE-2025-1372 A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1372 https://ubuntu.com/security/CVE-2025-1372 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1372.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index 2f34bfeebb..4dcc774bb9 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -25,6 +25,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://CVE-2025-1352.patch \ file://CVE-2025-1365.patch \ file://CVE-2025-1371.patch \ + file://CVE-2025-1372.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch new file mode 100644 index 0000000000..c202d8359c --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch @@ -0,0 +1,51 @@ +From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sun, 9 Feb 2025 00:07:39 +0100 +Subject: [PATCH] readelf: Skip trying to uncompress sections without a name + +When combining eu-readelf -z with -x or -p to dump the data or strings +in an (corrupted ELF) unnamed numbered section eu-readelf could crash +trying to check whether the section name starts with .zdebug. Fix this +by skipping sections without a name. + + * src/readelf.c (dump_data_section): Don't try to gnu decompress a + section without a name. + (print_string_section): Likewise. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32656 + +CVE: CVE-2025-1372 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + src/readelf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index a526fa8..89ee80a 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -13321,7 +13321,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +@@ -13372,7 +13372,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +-- +2.43.2 + -- 2.47.3