Dear Maintainer,

Please find attached an updated patch for the binutils source package. This patch updates the package to version 2.44-3.2 and addresses the following CVEs:

---

**CVE-2025-1176** (Sourceware Bug #32636)
A heap buffer overflow was discovered in `readelf.c` when processing SHT_GROUP sections. A crafted ELF file with an invalid `sh_info` field can cause an out-of-bounds access due to missing bounds checks on section index references in group headers.

**CVE-2025-1178** (Sourceware Bug #32638)
Memory corruption in `bfd_putl64` in `libbfd.c`, triggered by incorrect handling of overlapping sections and alignment in crafted binaries. This may result in heap corruption during linking or analysis.

**CVE-2025-1180** (Sourceware Bug #32642)
Heap buffer overflow in `objdump` due to wide-character string printing in malformed debug sections. An attacker could craft inputs that bypass internal length checks.

**CVE-2025-1181** (Sourceware Bug #32643)
Out-of-bounds read in `objdump` caused by improper handling of multi-byte wide strings in corrupted debug sections, leading to potential crashes.

**CVE-2025-1182** (Sourceware Bug #32644)
Another heap buffer overflow in `objdump` related to malformed wide strings, caused by invalid formatting logic under specific character encodings.

---

This patch applies all five upstream commits, bringing the Debian package in line with upstream's latest security fixes.

- https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814
- https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0
- https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=18cc11a2771d9e40180485da9a4fb660c03efac3
- https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=931494c9a89558acb36a03a340c01726545eef24
- https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b425859021d17adf62f06fb904797cf8642986ad

### Previous Submission

A few days ago, I submitted a patch fixing **CVE-2025-1176 only**, as part of bug report **#1108762**, updating the version to **2.44-3.1**.

Since this new patch (2.44-3.2) **includes that fix** and addresses four additional CVEs, please consider **dropping the earlier patch from #1108762** in favor of this one.

Thank you for reviewing and maintaining binutils.

Best regards,
Yang Wang <yang.wang@windriver.com>
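
Added example, not part of the original message and not the upstream binutils fix: a C sketch of the kind of bounds checking the CVE-2025-1176 summary above refers to, validating an SHT_GROUP section's `sh_link`, `sh_info` and member indices before any of them is used. The `struct shdr` view and the names `rd32le` and `check_group` are hypothetical, little-endian group data is assumed, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHT_GROUP 17 /* section type value from the ELF specification */

/* Hypothetical, already-decoded view of a section header (not a binutils type). */
struct shdr { uint32_t type, link, info; uint64_t offset, size, entsize; };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of group members, or -1 if any reference is out of range. */
long check_group(const uint8_t *file, size_t file_len,
                 const struct shdr *sh, uint32_t shnum, uint32_t idx)
{
    if (idx >= shnum || sh[idx].type != SHT_GROUP)
        return -1;
    const struct shdr *g = &sh[idx];
    /* Contents must lie inside the file; ordered to avoid offset+size overflow. */
    if (g->offset > file_len || g->size > file_len - g->offset)
        return -1;
    /* Need the flags word plus a whole number of 32-bit entries. */
    if (g->size < 4 || g->size % 4 != 0)
        return -1;
    /* sh_link names the symbol table; sh_info indexes a symbol inside it. */
    if (g->link >= shnum || sh[g->link].entsize == 0 ||
        g->info >= sh[g->link].size / sh[g->link].entsize)
        return -1;
    size_t words = (size_t)(g->size / 4);
    for (size_t i = 1; i < words; i++) {
        uint32_t member = rd32le(file + g->offset + 4 * i);
        if (member == 0 || member >= shnum) /* 0 is the reserved null section */
            return -1;
    }
    return (long)(words - 1);
}

int main(void)
{
    /* Constructed sample: group data at offset 8 = flags 1, members 3 and 9. */
    uint8_t file[32] = {0};
    file[8] = 1; file[12] = 3; file[16] = 9;
    struct shdr sh[5] = {{0}};
    sh[1].size = 48; sh[1].entsize = 24;          /* symbol table, 2 entries */
    sh[2].type = SHT_GROUP; sh[2].offset = 8; sh[2].size = 12; sh[2].link = 1;
    puts(check_group(file, sizeof file, sh, 5, 2) < 0 ? "rejected" : "accepted");
    return 0;
}
```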