public inbox for openembedded-core@lists.openembedded.org
From: ssambu <soumya.sambu@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [OE-core][scarthgap][PATCH 2/2] elfutils: Fix CVE-2025-1377
Date: Fri, 24 Oct 2025 18:51:03 +0530
Message-ID: <20251024132103.1246994-1-soumya.sambu@windriver.com>

From: Soumya Sambu <soumya.sambu@windriver.com>

A vulnerability, which was classified as problematic, has been found in GNU elfutils
0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the
component eu-strip. The manipulation leads to denial of service. The attack needs to
be approached locally. The exploit has been disclosed to the public and may be used.
The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is
recommended to apply a patch to fix this issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1377

Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../elfutils/elfutils_0.191.bb                |  1 +
 .../elfutils/files/CVE-2025-1377.patch        | 69 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
index c5f357eb93..0fd6d31af1 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://CVE-2025-1371.patch \
            file://0007-Fix-build-with-gcc-15.patch \
            file://CVE-2025-1376.patch \
+           file://CVE-2025-1377.patch \
            "
 SRC_URI:append:libc-musl = " \
            file://0003-musl-utils.patch \
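Review bot: The new SRC_URI entry applies the fix to elfutils_0.191.bb, but the commit message only quotes the NVD text, which names GNU elfutils 0.192 and gelf_getsymshndx, so nothing in the submission says why the 0.191 recipe needs it. Please add a sentence to the commit message confirming that strip.c in 0.191 has the same unchecked sh_link lookup in remove_debug_relocations, which is the function the backported patch actually changes.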
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
new file mode 100644
index 0000000000..31a9ec33f2
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
@@ -0,0 +1,69 @@
+From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 13 Feb 2025 14:59:34 +0100
+Subject: [PATCH] strip: Verify symbol table is a real symbol table
+
+We didn't check the symbol table referenced from the relocation table
+was a real symbol table. This could cause a crash if that section
+happened to be an SHT_NOBITS section without any data. Fix this by
+adding an explicit check.
+
+       * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
+       message string to display.
+       (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
+       (remove_debug_relocations): Check the sh_link referenced
+       section is real and isn't a SHT_NOBITS section.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32673
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+CVE: CVE-2025-1377
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/strip.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/strip.c b/src/strip.c
+index 6436443..16922e9 100644
+--- a/src/strip.c
++++ b/src/strip.c
+@@ -126,13 +126,14 @@ static char *tmp_debug_fname = NULL;
+ /* Close debug file descriptor, if opened. And remove temporary debug file.  */
+ static void cleanup_debug (void);
+ 
+-#define INTERNAL_ERROR(fname) \
++#define INTERNAL_ERROR_MSG(fname, msg) \
+   do { \
+     cleanup_debug (); \
+     error_exit (0, _("%s: INTERNAL ERROR %d (%s): %s"),			\
+-		fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1));	\
++		fname, __LINE__, PACKAGE_VERSION, msg);	\
+   } while (0)
+ 
++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1))
+ 
+ /* Name of the output file.  */
+ static const char *output_fname;
+@@ -631,7 +632,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr,
+ 	     resolve relocation symbol indexes.  */
+ 	  Elf64_Word symt = shdr->sh_link;
+ 	  Elf_Data *symdata, *xndxdata;
+-	  Elf_Scn * symscn = elf_getscn (elf, symt);
++	  Elf_Scn *symscn = elf_getscn (elf, symt);
++	  GElf_Shdr symshdr_mem;
++	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
++	  if (symshdr == NULL)
++	    INTERNAL_ERROR (fname);
++	  if (symshdr->sh_type == SHT_NOBITS)
++	    INTERNAL_ERROR_MSG (fname, "NOBITS section");
++
+ 	  symdata = elf_getdata (symscn, NULL);
+ 	  xndxdata = get_xndxdata (elf, symscn);
+ 	  if (symdata == NULL)
+-- 
+2.40.0
+
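Review bot: In the remove_debug_relocations hunk, the new check rejects only symshdr->sh_type == SHT_NOBITS, while the subject line says the symbol table is verified to be a real symbol table; a section of any other non-symbol type that sh_link points at still reaches elf_getdata (symscn, NULL) and is then used as symbol data. A backport should stay identical to upstream, so no change is requested here, but it is worth raising upstream whether the test should instead require SHT_SYMTAB or SHT_DYNSYM. Two smaller points: the "NOBITS section" string is passed without the _() wrapper that the format string in INTERNAL_ERROR_MSG uses, and the Upstream-Status URL has a= followed directly by the hash, where a gitweb commit link normally takes the form a=commit;h=<hash>.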
-- 
2.40.0


