crash: update to 9.0.0 and rework how vendored gdb patches are applied#15426
Merged
jslobodzian merged 6 commits into3.0-devfrom Jan 6, 2026
Merged
crash: update to 9.0.0 and rework how vendored gdb patches are applied#15426jslobodzian merged 6 commits into3.0-devfrom
jslobodzian merged 6 commits into3.0-devfrom
Conversation
Update to v9.0.0 which has improved crash dump features and fixes. crash v9.0.0 requires minimum gdb version of 16.2 during its build. Signed-off-by: Chris Co <chrco@microsoft.com>
Previously, gdb tarball was directly uploaded with patches already applied. This makes for difficult auditing of sources. Instead, use the official gdb source tarball, and split our %prep source prepping phase to selectively apply patch 0-99 to the original crash sources while applying patches 100+ to the gdb sources. CVEs: - CVE-2022-37434 - still apply fix to vendored zlib inside gdb. - CVE-2021-20197 - drop patch. Already applied in updated gdb. See commit ID 95b91a043aeaeb546d2fea556d84a2de1e917770 - CVE-2022-47673 - drop patch. Already applied in updated gdb. See commit ID 77c225bdeb410cf60da804879ad41622f5f1aa44 - CVE-2022-47696 - drop patch. Already applied in updated gdb. See commit ID d12f8998d2d086f0a6606589e5aedb7147e6f2f1 - CVE-2025-11082 - still apply fix to gdb Signed-off-by: Chris Co <chrco@microsoft.com>
microsoft-github-policy-service
bot
added
Packaging
3.0-dev
Signed-off-by: Chris Co <chrco@microsoft.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the crash kernel analysis utility from version 8.0.4 to 9.0.0, which requires updating the vendored gdb from version 10.2 to 16.2. The main improvement is a reworked patch application process that uses the official gdb source tarball instead of a pre-patched version, making future maintenance easier and more auditable.
Key Changes:
- Updated crash to 9.0.0 and gdb to 16.2 with corresponding hash updates
- Implemented a patch numbering scheme (0-99 for crash, 100+ for gdb) with selective patch application during the %prep phase
- Consolidated CVE patches: dropped 3 patches already fixed in gdb 16.2 (CVE-2021-20197, CVE-2022-47673, CVE-2022-47696) and kept 2 critical patches (CVE-2022-37434, CVE-2025-11082)
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| cgmanifest.json | Updated crash version and download URL from 8.0.4 to 9.0.0 |
| SPECS/crash/crash.spec | Updated gdb to 16.2 and crash to 9.0.0; reworked %prep section to extract, patch, and repackage gdb sources with new patch numbering scheme |
| SPECS/crash/crash.signatures.json | Updated SHA256 hashes for crash 9.0.0 and official gdb 16.2 tarballs |
| SPECS/crash/CVE-2025-11082.patch | Added patch to fix buffer overflow in gdb's .eh_frame parsing |
| SPECS/crash/CVE-2022-37434.patch | Added patch to fix buffer overflow in vendored zlib's inflate extra field handling |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jslobodzian
approved these changes
Jan 6, 2026
12 tasks
sandeepkarambelkar
pushed a commit
that referenced
this pull request
Jan 8, 2026
#15426) Signed-off-by: Chris Co <chrco@microsoft.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sandeepkarambelkar
pushed a commit
that referenced
this pull request
Jan 9, 2026
#15426) Signed-off-by: Chris Co <chrco@microsoft.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
Update crash to v9.0.0 which has improved crash dump features
and fixes. crash v9.0.0 requires minimum gdb version of 16.2 during
its build.
Previously, gdb tarball was directly uploaded with patches already
applied. This makes future changes difficult to make, and is difficult
to audit.
Instead, use the official gdb source tarball, and split our %prep
source prepping phase to selectively apply patch 0-99 to the
original crash sources while applying patches 100+ to the gdb
sources.
Here is an analysis of the previous CVE fixes applied, and
whether we still need the fixes:
commit ID 95b91a043aeaeb546d2fea556d84a2de1e917770
commit ID 77c225bdeb410cf60da804879ad41622f5f1aa44
commit ID d12f8998d2d086f0a6606589e5aedb7147e6f2f1
Signed-off-by: Chris Co chrco@microsoft.com
Does this affect the toolchain?
NO
Associated issues
Test Methodology