[walnascar,5/6] elfutils: Fix CVE-2025-1376

Message ID	20250813121102.779009-5-soumya.sambu@windriver.com
State	New
Headers	show Return-Path: <soumya.sambu@windriver.com> ip: 205.220.178.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) From: ssambu <soumya.sambu@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [OE-core][walnascar][PATCH 5/6] elfutils: Fix CVE-2025-1376 Date: Wed, 13 Aug 2025 17:41:01 +0530 Message-ID: <20250813121102.779009-5-soumya.sambu@windriver.com> In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com> References: <20250813121102.779009-1-soumya.sambu@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[walnascar,1/6] elfutils: Fix CVE-2025-1352 \| expand [walnascar,1/6] elfutils: Fix CVE-2025-1352 [walnascar,2/6] elfutils: Fix CVE-2025-1365 [walnascar,3/6] elfutils: Fix CVE-2025-1371 [walnascar,4/6] elfutils: Fix CVE-2025-1372 [walnascar,5/6] elfutils: Fix CVE-2025-1376 [walnascar,6/6] elfutils: Fix CVE-2025-1377

Message ID

20250813121102.779009-5-soumya.sambu@windriver.com

State

New

Headers

From: ssambu <soumya.sambu@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [OE-core][walnascar][PATCH 5/6] elfutils: Fix CVE-2025-1376
Date: Wed, 13 Aug 2025 17:41:01 +0530
Message-ID: <20250813121102.779009-5-soumya.sambu@windriver.com>
In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com>
References: <20250813121102.779009-1-soumya.sambu@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[walnascar,1/6] elfutils: Fix CVE-2025-1352 | expand

Commit Message

ssambu Aug. 13, 2025, 12:11 p.m. UTC

From: Soumya Sambu <soumya.sambu@windriver.com>

A vulnerability classified as problematic was found in GNU elfutils 0.192.
This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c
of the component eu-strip. The manipulation leads to denial of service. It is possible
to launch the attack on the local host. The complexity of an attack is rather high. The
exploitation appears to be difficult. The exploit has been disclosed to the public and
may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is
recommended to apply a patch to fix this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-1376
https://ubuntu.com/security/CVE-2025-1376

Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../elfutils/elfutils_0.192.bb                |  1 +
 .../elfutils/files/CVE-2025-1376.patch        | 57 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
index 4dcc774bb9..f8cf083ec6 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
@@ -26,6 +26,7 @@  SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://CVE-2025-1365.patch \
            file://CVE-2025-1371.patch \
            file://CVE-2025-1372.patch \
+           file://CVE-2025-1376.patch \
            "
 SRC_URI:append:libc-musl = " \
            file://0003-musl-utils.patch \
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
new file mode 100644
index 0000000000..ebffb2bd72
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
@@ -0,0 +1,57 @@ 
+From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 13 Feb 2025 00:02:32 +0100
+Subject: [PATCH] libelf: Handle elf_strptr on section without any data
+
+In the unlikely situation that elf_strptr was called on a section with
+sh_size already set, but that doesn't have any data yet we could crash
+trying to verify the string to return.
+
+This could happen for example when a new section was created with
+elf_newscn, but no data having been added yet.
+
+	* libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
+	is not NULL.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32672
+
+CVE: CVE-2025-1376
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918]
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ libelf/elf_strptr.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
+index c5a94f8..7be7f5e 100644
+--- a/libelf/elf_strptr.c
++++ b/libelf/elf_strptr.c
+@@ -1,5 +1,6 @@
+ /* Return string pointer from string section.
+    Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc.
++   Copyright (C) 2025 Mark J. Wielaard <mark@klomp.org>
+    This file is part of elfutils.
+    Contributed by Ulrich Drepper <drepper@redhat.com>, 1998.
+ 
+@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset)
+       // initialized yet (when data_read is zero). So we cannot just
+       // look at the rawdata.d.d_size.
+ 
+-      /* Make sure the string is NUL terminated.  Start from the end,
+-	 which very likely is a NUL char.  */
+-      if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
++      /* First check there actually is any data.  This could be a new
++         section which hasn't had any data set yet.  Then make sure
++         the string is at a valid offset and NUL terminated.  */
++      if (unlikely (strscn->rawdata_base == NULL))
++	__libelf_seterrno (ELF_E_INVALID_SECTION);
++      else if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
+ 	result = &strscn->rawdata_base[offset];
+       else
+ 	__libelf_seterrno (ELF_E_INVALID_INDEX);
+-- 
+2.43.2
+

[walnascar,5/6] elfutils: Fix CVE-2025-1376

Commit Message

Patch