[AutoPR- Security] Patch binutils for CVE-2025-8225 [MEDIUM]

[azurelinux-security]

Auto Patch binutils for CVE-2025-8225

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner-chatbot/_build/results?buildId=883259&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Auto Patch binutils for CVE-2025-8225 (MEDIUM)

Change Log

• CVE-2025-8225

Does this affect the toolchain?

YES

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-8225

Test Methodology

• Pipeline build id: Buddy Build URL

[Malateshk007]

@Sumynwa, gentle reminder for your review and approval!

[Sumynwa]

As per the upstream patch, update patch to also remove the stale comments:
Reference
* elf.c (bfd_elf_get_str_section): Remove outdated comment, and tweak shstrtabsize test to suit.

[Sumynwa]

Full Build

[Kanishk-Bansal]

Full Build

[Kanishk-Bansal]

Re Full Build

[Kanishk-Bansal]

Full Build passed

[Malateshk007]

@Sumynwa. could you please share your review and signoff on this PR?

[Sumynwa]

Signing off Patch changes.

Upstream Patch:
CVE-2025-8224
CVE-2025-8225

Backported: YES
CVE-2025-8224 Patch is backported.

Toolchain Packages: YES

FULL Build RUN: YES, Pass

Patch Applies Cleanly
X86_64

Arm64

[kgodara912]

This doesn't seem to fix the CVE because this condition was same previously as well, for the unsigned integer shstrtabsize, the only value which makes above condition true is 0. (0 + 1 <= 1). All the other values will be positive and +1 will always be > 1 so it will go to same path. From the upstream reference,

Since bfd_section for .strtab isn't set, print the section index
instead.  Also, don't return NULL on this error as that results in
multiple mmap/read of the string table.

(We could return NULL if we
arranged to set sh_size zero first, but just what we do with fuzzed
object files is of no concern, and terminating the table might make a
faulty object file usable.)

The upstream reference has return NULL,

-           (_("%pB(%pA): string table is corrupt"),
-            abfd, i_shdrp[shindex]->bfd_section);
-         return NULL;
+           (_("%pB: string table [%u] is corrupt"), abfd, shindex);
+         shstrtab[shstrtabsize - 1] = 0;

And one extra condition is there. As per the description, that removal of return NULL should be preventing the extra reads. @Sumynwa, could you please check once, may be my observation is not correct.

[sandeepkarambelkar]

I agree to what @kgodara912 is saying The actual fix is not returning NULL. However if we don't have the code causing the crash, we can actually dispute the CVE. Based on the CVE description, it is found in 2.44 version and we are at 2.41. We need to verify all the impacted code and if its not present, dispute this.

[Kanishk-Bansal]

Buddy Build

[kgodara912]

There were few other follow-ups, one with segv, please check once: https://sourceware.org/bugzilla/show_bug.cgi?id=32109

[Kanishk-Bansal]

Buddy Build

[Kanishk-Bansal]

Full Build

[sandeepkarambelkar]

Patch applied cleanly in the BB
Full Build Successful, no issues found in the toolchain
Changes LGTM

[kgodara912]

Patch matches with upstream reference; buddy build is successful. Full build has one failure in container golden build which looks unrelated to this PR. LGTM.