#1108986 binutils: Fix CVE-2025-1176, CVE-2025-1178, CVE-2025-1180, CVE-2025-1181, and CVE-2025-1182 for Trixie

Package:
binutils
Source:
binutils
Description:
GNU assembler, linker and binary utilities
Submitter:
Yang Wang
Date:
2025-08-17 09:33:01 UTC
Severity:
normal
Tags:
#1108986#5
Date:
2025-07-08 21:58:46 UTC
From:
To:
Dear Maintainer,

Please find attached an updated patch for the binutils source package. This patch updates the package to version 2.44-3.2 and addresses the following CVEs:
---

**CVE-2025-1176** (Sourceware Bug #32636)
A heap buffer overflow was discovered in `readelf.c` when processing SHT_GROUP sections. A crafted ELF file with an invalid `sh_info` field can cause an out-of-bounds access due to missing bounds checks on section index references in group headers.

**CVE-2025-1178** (Sourceware Bug #32638)
Memory corruption in `bfd_putl64` in `libbfd.c`, triggered by incorrect handling of overlapping sections and alignment in crafted binaries. This may result in heap corruption during linking or analysis.

**CVE-2025-1180** (Sourceware Bug #32642)
Heap buffer overflow in `objdump` due to wide-character string printing in malformed debug sections. An attacker could craft inputs that bypass internal length checks.

**CVE-2025-1181** (Sourceware Bug #32643)
Out-of-bounds read in `objdump` caused by improper handling of multi-byte wide strings in corrupted debug sections, leading to potential crashes.

**CVE-2025-1182** (Sourceware Bug #32644)
Another heap buffer overflow in `objdump` related to malformed wide strings, caused by invalid formatting logic under specific character encodings.
--- This patch applies all five upstream commits, bringing the Debian package in line with upstream's latest security fixes. - https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814 - https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0 - https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=18cc11a2771d9e40180485da9a4fb660c03efac3 - https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=931494c9a89558acb36a03a340c01726545eef24 - https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b425859021d17adf62f06fb904797cf8642986ad ### Previous Submission A few days ago, I submitted a patch fixing **CVE-2025-1176 only**, as part of bug report **#1108762**, updating the version to **2.44-3.1**. Since this new patch (2.44-3.2) **includes that fix** and addresses four additional CVEs, please consider **dropping the earlier patch from #1108762** in favor of this one. Thank you for reviewing and maintaining binutils. Best regards, Yang Wang <yang.wang@windriver.com>