!153 fix CVE-2025-1352 CVE-2025-1372 CVE-2025-1376 CVE-2025-1377

From: @tong_1001 
Reviewed-by: @hubin95 
Signed-off-by: @hubin95

Fix-error-of-parsing-object-file-perms.patch

@@ -1,46 +0,0 @@
-From 9e18fcfeb2c8ff471c11da58b05215e219be20fd Mon Sep 17 00:00:00 2001
-From: yixiangzhike <yixiangzhike007@163.com>
-Date: Tue, 16 Aug 2022 09:49:35 +0800
-Subject: [PATCH] fix error of parsing object file perms
-
----
- libelf/elf_begin.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
-index 17d9b1f..581d8ef 100644
---- a/libelf/elf_begin.c
-+++ b/libelf/elf_begin.c
-@@ -997,10 +997,28 @@ __libelf_next_arhdr_wrlock (Elf *elf)
-     }									      \
-   while (0)
- 
-+#define INT_FIELD_HN(FIELD, HN)						      \
-+  do									      \
-+    {									      \
-+      char buf[sizeof (ar_hdr->FIELD) + 1];				      \
-+      const char *string = ar_hdr->FIELD;				      \
-+      if (ar_hdr->FIELD[sizeof (ar_hdr->FIELD) - 1] != ' ')		      \
-+	{								      \
-+	  *((char *) mempcpy (buf, ar_hdr->FIELD, sizeof (ar_hdr->FIELD)))  \
-+	    = '\0';							      \
-+	  string = buf;							      \
-+	}								      \
-+      if (sizeof (elf_ar_hdr->FIELD) <= sizeof (long int))		      \
-+	elf_ar_hdr->FIELD = (__typeof (elf_ar_hdr->FIELD)) strtol (string, NULL, HN);     \
-+      else								      \
-+	elf_ar_hdr->FIELD = (__typeof (elf_ar_hdr->FIELD)) strtoll (string, NULL, HN);    \
-+    }									      \
-+  while (0)
-+
-   INT_FIELD (ar_date);
-   INT_FIELD (ar_uid);
-   INT_FIELD (ar_gid);
--  INT_FIELD (ar_mode);
-+  INT_FIELD_HN (ar_mode, 8);
-   INT_FIELD (ar_size);
- 
-   if (elf_ar_hdr->ar_size < 0)
--- 
-2.27.0
-

Fix-segfault-in-eu-ar-m.patch

@@ -0,0 +1,34 @@
+From 7170b990d3dc3974b8e670b3c0e4ca6dcc20c853 Mon Sep 17 00:00:00 2001
+From: xiezhipeng <xiezhipeng1@huawei.com>
+Date: Wed, 8 Dec 2021 09:47:36 +0800
+Subject: [PATCH] fix segfault in eu-ar -m
+
+Fix segfaultineu-ar-m.
+
+---
+ src/ar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ar.c b/src/ar.c
+index ab6098f..ed5fe2f 100644
+--- a/src/ar.c
++++ b/src/ar.c
+@@ -1159,6 +1159,7 @@ do_oper_insert (int oper, const char *arfname, char **argv, int argc,
+ 	goto next;
+ 
+       struct armem *newp = alloca (sizeof (struct armem));
++      memset (newp, '\0', sizeof(struct armem));
+       newp->old_off = elf_getaroff (subelf);
+       newp->size = arhdr->ar_size;
+       newp->sec = arhdr->ar_date;
+@@ -1251,6 +1252,7 @@ do_oper_insert (int oper, const char *arfname, char **argv, int argc,
+ 	  if (found[cnt] == NULL)
+ 	    {
+ 	      found[cnt] = alloca (sizeof (struct armem));
++              memset (found[cnt], '\0', sizeof(struct armem));
+ 	      found[cnt]->old_off = -1;
+ 
+ 	      remember_long_name (found[cnt], bname, bnamelen);
+-- 
+2.27.0
+

backport-CVE-2021-33294-readelf-Sanity-check-verneed-and-verdef-offsets-in-h.patch

@@ -0,0 +1,55 @@
+From 480b6fa3662ba8ffeee274bf0d37423413c01e55 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 3 Mar 2021 21:40:53 +0100
+Subject: [PATCH] readelf: Sanity check verneed and verdef offsets in
+ handle_symtab.
+
+We are going through vna_next, vn_next and vd_next in a while loop.
+Make sure that all offsets are sane. We don't want things to wrap
+around so we go in cycles.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=27501
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/readelf.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 715af3b3..b9740455 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -2554,7 +2554,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ 						 &vernaux_mem);
+ 		      while (vernaux != NULL
+ 			     && vernaux->vna_other != *versym
+-			     && vernaux->vna_next != 0)
++			     && vernaux->vna_next != 0
++			     && (verneed_data->d_size - vna_offset
++				 >= vernaux->vna_next))
+ 			{
+ 			  /* Update the offset.  */
+ 			  vna_offset += vernaux->vna_next;
+@@ -2571,6 +2573,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ 			/* Found it.  */
+ 			break;
+ 
++		      if (verneed_data->d_size - vn_offset < verneed->vn_next)
++			break;
++
+ 		      vn_offset += verneed->vn_next;
+ 		      verneed = (verneed->vn_next == 0
+ 				 ? NULL
+@@ -2606,6 +2611,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ 			/* Found the definition.  */
+ 			break;
+ 
++		      if (verdef_data->d_size - vd_offset < verdef->vd_next)
++			break;
++
+ 		      vd_offset += verdef->vd_next;
+ 		      verdef = (verdef->vd_next == 0
+ 				? NULL
+-- 
+2.27.0
+

backport-CVE-2025-1352.patch

@@ -0,0 +1,149 @@
+From 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sat, 8 Feb 2025 20:00:12 +0100
+Subject: [PATCH] libdw: Simplify __libdw_getabbrev and fix dwarf_offabbrev
+ issue
+
+__libdw_getabbrev could crash on reading a bad abbrev by trying to
+deallocate memory it didn't allocate itself. This could happen because
+dwarf_offabbrev would supply its own memory when calling
+__libdw_getabbrev. No other caller did this.
+
+Simplify the __libdw_getabbrev common code by not taking external
+memory to put the abbrev result in (this would also not work correctly
+if the abbrev was already cached). And make dwarf_offabbrev explicitly
+copy the result (if there was no error or end of abbrev).
+
+     * libdw/dwarf_getabbrev.c (__libdw_getabbrev): Don't take
+     Dwarf_Abbrev result argument. Always just allocate abb when
+     abbrev not found in cache.
+     (dwarf_getabbrev): Don't pass NULL as last argument to
+     __libdw_getabbrev.
+    * libdw/dwarf_tag.c (__libdw_findabbrev): Likewise.
+    * libdw/dwarf_offabbrev.c (dwarf_offabbrev): Likewise. And copy
+    abbrev into abbrevp on success.
+    * libdw/libdw.h (dwarf_offabbrev): Document return values.
+    * libdw/libdwP.h (__libdw_getabbrev): Don't take Dwarf_Abbrev
+    result argument.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32650
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libdw/dwarf_getabbrev.c | 12 ++++--------
+ libdw/dwarf_offabbrev.c | 10 +++++++---
+ libdw/dwarf_tag.c       |  3 +--
+ libdw/libdw.h           |  4 +++-
+ libdw/libdwP.h          |  3 +--
+ 5 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c
+index 5b02333f..d9a6c022 100644
+--- a/libdw/dwarf_getabbrev.c
++++ b/libdw/dwarf_getabbrev.c
+@@ -1,5 +1,6 @@
+ /* Get abbreviation at given offset.
+    Copyright (C) 2003, 2004, 2005, 2006, 2014, 2017 Red Hat, Inc.
++   Copyright (C) 2025 Mark J. Wielaard <mark@klomp.org>
+    This file is part of elfutils.
+    Written by Ulrich Drepper <drepper@redhat.com>, 2003.
+ 
+@@ -38,7 +39,7 @@
+ Dwarf_Abbrev *
+ internal_function
+ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset,
+-		   size_t *lengthp, Dwarf_Abbrev *result)
++		   size_t *lengthp)
+ {
+   /* Don't fail if there is not .debug_abbrev section.  */
+   if (dbg->sectiondata[IDX_debug_abbrev] == NULL)
+@@ -85,12 +86,7 @@ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset,
+   Dwarf_Abbrev *abb = NULL;
+   if (cu == NULL
+       || (abb = Dwarf_Abbrev_Hash_find (&cu->abbrev_hash, code)) == NULL)
+-    {
+-      if (result == NULL)
+-	abb = libdw_typed_alloc (dbg, Dwarf_Abbrev);
+-      else
+-	abb = result;
+-    }
++    abb = libdw_typed_alloc (dbg, Dwarf_Abbrev);
+   else
+     {
+       foundit = true;
+@@ -183,5 +179,5 @@ dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, size_t *lengthp)
+       return NULL;
+     }
+ 
+-  return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp, NULL);
++  return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp);
+ }
+diff --git a/libdw/dwarf_offabbrev.c b/libdw/dwarf_offabbrev.c
+index 27cdad64..41df69bf 100644
+--- a/libdw/dwarf_offabbrev.c
++++ b/libdw/dwarf_offabbrev.c
+@@ -41,11 +41,15 @@ dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp,
+   if (dbg == NULL)
+     return -1;
+ 
+-  Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp,
+-					    abbrevp);
++  Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp);
+ 
+   if (abbrev == NULL)
+     return -1;
+ 
+-  return abbrev == DWARF_END_ABBREV ? 1 : 0;
++  if (abbrev == DWARF_END_ABBREV)
++    return 1;
++
++  *abbrevp = *abbrev;
++
++  return 0;
+ }
+diff --git a/libdw/dwarf_tag.c b/libdw/dwarf_tag.c
+index d784970c..218382a1 100644
+--- a/libdw/dwarf_tag.c
++++ b/libdw/dwarf_tag.c
+@@ -53,8 +53,7 @@ __libdw_findabbrev (struct Dwarf_CU *cu, unsigned int code)
+ 
+ 	/* Find the next entry.  It gets automatically added to the
+ 	   hash table.  */
+-	abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length,
+-				 NULL);
++	abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length);
+ 	if (abb == NULL || abb == DWARF_END_ABBREV)
+ 	  {
+ 	    /* Make sure we do not try to search for it again.  */
+diff --git a/libdw/libdw.h b/libdw/libdw.h
+index d53dc787..ec4713a6 100644
+--- a/libdw/libdw.h
++++ b/libdw/libdw.h
+@@ -587,7 +587,9 @@ extern int dwarf_srclang (Dwarf_Die *die);
+ extern Dwarf_Abbrev *dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset,
+ 				      size_t *lengthp);
+ 
+-/* Get abbreviation at given offset in .debug_abbrev section.  */
++/* Get abbreviation at given offset in .debug_abbrev section.  On
++   success return zero and fills in ABBREVP.  When there is no (more)
++   abbrev at offset returns one.  On error returns a negative value.  */
+ extern int dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp,
+ 			    Dwarf_Abbrev *abbrevp)
+      __nonnull_attribute__ (4);
+diff --git a/libdw/libdwP.h b/libdw/libdwP.h
+index d6bab606..0cff5c26 100644
+--- a/libdw/libdwP.h
++++ b/libdw/libdwP.h
+@@ -795,8 +795,7 @@ extern Dwarf_Abbrev *__libdw_findabbrev (struct Dwarf_CU *cu,
+ 
+ /* Get abbreviation at given offset.  */
+ extern Dwarf_Abbrev *__libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu,
+-					Dwarf_Off offset, size_t *lengthp,
+-					Dwarf_Abbrev *result)
++					Dwarf_Off offset, size_t *lengthp)
+      __nonnull_attribute__ (1) internal_function;
+ 
+ /* Get abbreviation of given DIE, and optionally set *READP to the DIE memory
+-- 
+2.27.0
+

backport-CVE-2025-1372.patch

@@ -0,0 +1,46 @@
+From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 9 Feb 2025 00:07:39 +0100
+Subject: [PATCH] readelf: Skip trying to uncompress sections without a name
+
+When combining eu-readelf -z with -x or -p to dump the data or strings
+in an (corrupted ELF) unnamed numbered section eu-readelf could crash
+trying to check whether the section name starts with .zdebug. Fix this
+by skipping sections without a name.
+
+   * src/readelf.c (dump_data_section): Don't try to gnu decompress a
+   section without a name.
+   (print_string_section): Likewise.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32656
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 10cba6d..9ce85c0 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -12530,7 +12530,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name)
+ 			gettext ("Couldn't uncompress section"),
+ 			elf_ndxscn (scn));
+ 	    }
+-	  else if (strncmp (name, ".zdebug", strlen (".zdebug")) == 0)
++	  else if (name && strncmp (name, ".zdebug", strlen (".zdebug")) == 0)
+ 	    {
+ 	      if (elf_compress_gnu (scn, 0, 0) < 0)
+ 		printf ("WARNING: %s [%zd]\n",
+@@ -12581,7 +12581,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name)
+ 			gettext ("Couldn't uncompress section"),
+ 			elf_ndxscn (scn));
+ 	    }
+-	  else if (strncmp (name, ".zdebug", strlen (".zdebug")) == 0)
++	  else if (name && strncmp (name, ".zdebug", strlen (".zdebug")) == 0)
+ 	    {
+ 	      if (elf_compress_gnu (scn, 0, 0) < 0)
+ 		printf ("WARNING: %s [%zd]\n",
+-- 
+2.27.0
+

backport-CVE-2025-1376.patch

@@ -0,0 +1,53 @@
+From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 13 Feb 2025 00:02:32 +0100
+Subject: [PATCH] libelf: Handle elf_strptr on section without any data
+
+In the unlikely situation that elf_strptr was called on a section with
+sh_size already set, but that doesn't have any data yet we could crash
+trying to verify the string to return.
+
+This could happen for example when a new section was created with
+elf_newscn, but no data having been added yet.
+
+	* libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
+	is not NULL.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32672
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libelf/elf_strptr.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
+index c5a94f82..7be7f5e8 100644
+--- a/libelf/elf_strptr.c
++++ b/libelf/elf_strptr.c
+@@ -1,5 +1,6 @@
+ /* Return string pointer from string section.
+    Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc.
++   Copyright (C) 2025 Mark J. Wielaard <mark@klomp.org>
+    This file is part of elfutils.
+    Contributed by Ulrich Drepper <drepper@redhat.com>, 1998.
+ 
+@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset)
+       // initialized yet (when data_read is zero). So we cannot just
+       // look at the rawdata.d.d_size.
+ 
+-      /* Make sure the string is NUL terminated.  Start from the end,
+-	 which very likely is a NUL char.  */
+-      if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
++      /* First check there actually is any data.  This could be a new
++         section which hasn't had any data set yet.  Then make sure
++         the string is at a valid offset and NUL terminated.  */
++      if (unlikely (strscn->rawdata_base == NULL))
++	__libelf_seterrno (ELF_E_INVALID_SECTION);
++      else if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
+ 	result = &strscn->rawdata_base[offset];
+       else
+ 	__libelf_seterrno (ELF_E_INVALID_INDEX);
+-- 
+2.33.0
+
+

backport-CVE-2025-1377.patch

@@ -0,0 +1,63 @@
+From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 13 Feb 2025 14:59:34 +0100
+Subject: [PATCH] strip: Verify symbol table is a real symbol table
+
+We didn't check the symbol table referenced from the relocation table
+was a real symbol table. This could cause a crash if that section
+happened to be an SHT_NOBITS section without any data. Fix this by
+adding an explicit check.
+
+* src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
+message string to display.
+(INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
+(remove_debug_relocations): Check the sh_link referenced
+section is real and isn't a SHT_NOBITS section.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32673
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/strip.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/strip.c b/src/strip.c
+index 48792a7..7744a23 100644
+--- a/src/strip.c
++++ b/src/strip.c
+@@ -127,13 +127,14 @@ static char *tmp_debug_fname = NULL;
+ /* Close debug file descriptor, if opened. And remove temporary debug file.  */
+ static void cleanup_debug (void);
+ 
+-#define INTERNAL_ERROR(fname) \
++#define INTERNAL_ERROR_MSG(fname, msg) \
+   do { \
+     cleanup_debug (); \
+     error (EXIT_FAILURE, 0, gettext ("%s: INTERNAL ERROR %d (%s): %s"),      \
+-	   fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1)); \
++	   fname, __LINE__, PACKAGE_VERSION, msg); \
+   } while (0)
+ 
++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1))
+ 
+ /* Name of the output file.  */
+ static const char *output_fname;
+@@ -511,7 +512,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr,
+ 	     resolve relocation symbol indexes.  */
+ 	  Elf64_Word symt = shdr->sh_link;
+ 	  Elf_Data *symdata, *xndxdata;
+-	  Elf_Scn * symscn = elf_getscn (elf, symt);
++	  Elf_Scn *symscn = elf_getscn (elf, symt);
++	  GElf_Shdr symshdr_mem;
++	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
++	  if (symshdr == NULL)
++	    INTERNAL_ERROR (fname);
++	  if (symshdr->sh_type == SHT_NOBITS)
++	    INTERNAL_ERROR_MSG (fname, "NOBITS section");
++
+ 	  symdata = elf_getdata (symscn, NULL);
+ 	  xndxdata = get_xndxdata (elf, symscn);
+ 	  if (symdata == NULL)
+-- 
+2.27.0
+

backport-libelf-Correctly-decode-ar_mode-as-octal-string.patch

@@ -0,0 +1,64 @@
+From ee188125b10d1588a0536af033d7b7b1bbbaafaf Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 28 Aug 2022 19:51:13 +0200
+Subject: [PATCH] libelf: Correctly decode ar_mode as octal string
+
+ar_mode is encoded as an octal ascii string, not decimal. Add a new
+OCT_FIELD macro to decode it.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=28729
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libelf/elf_begin.c | 25 +++++++++++++++++++++++--
+ 1 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 17d9b1f3..71eb3594 100644
+--- a/libelf/elf_begin.c
++++ b/libelf/elf_begin.c
+@@ -977,7 +977,8 @@ __libelf_next_arhdr_wrlock (Elf *elf)
+      atoll depending on the size of the types.  We are also prepared
+      for the case where the whole field in the `struct ar_hdr' is
+      filled in which case we cannot simply use atol/l but instead have
+-     to create a temporary copy.  */
++     to create a temporary copy.  Note that all fields use decimal
++     encoding, except ar_mode which uses octal.  */
+ 
+ #define INT_FIELD(FIELD)						      \
+   do									      \
+@@ -997,10 +998,30 @@ __libelf_next_arhdr_wrlock (Elf *elf)
+     }									      \
+   while (0)
+ 
++#define OCT_FIELD(FIELD)						      \
++  do									      \
++    {									      \
++      char buf[sizeof (ar_hdr->FIELD) + 1];				      \
++      const char *string = ar_hdr->FIELD;				      \
++      if (ar_hdr->FIELD[sizeof (ar_hdr->FIELD) - 1] != ' ')		      \
++	{								      \
++	  *((char *) mempcpy (buf, ar_hdr->FIELD, sizeof (ar_hdr->FIELD)))  \
++	    = '\0';							      \
++	  string = buf;							      \
++	}								      \
++      if (sizeof (elf_ar_hdr->FIELD) <= sizeof (long int))		      \
++	elf_ar_hdr->FIELD						      \
++	  = (__typeof (elf_ar_hdr->FIELD)) strtol (string, NULL, 8);	      \
++      else								      \
++	elf_ar_hdr->FIELD						      \
++	  = (__typeof (elf_ar_hdr->FIELD)) strtoll (string, NULL, 8);	      \
++    }									      \
++  while (0)
++
+   INT_FIELD (ar_date);
+   INT_FIELD (ar_uid);
+   INT_FIELD (ar_gid);
+-  INT_FIELD (ar_mode);
++  OCT_FIELD (ar_mode);
+   INT_FIELD (ar_size);
+ 
+   if (elf_ar_hdr->ar_size < 0)
+-- 
+2.27.0
+

elfutils.spec

@@ -1,16 +1,22 @@
 # -*- rpm-spec from http://elfutils.org/ -*-
 Name: elfutils
 Version: 0.180
-Release: 9
+Release: 17
 Summary: A collection of utilities and DSOs to handle ELF files and DWARF data
 URL: http://elfutils.org/
 License: GPLv3+ and (GPLv2+ or LGPLv3+)
 Source: ftp://sourceware.org/pub/elfutils/%{version}/elfutils-%{version}.tar.bz2
 
 Patch0: backport-elfclassify-Fix-no-stdin-flag.patch
-Patch1: Fix-error-of-parsing-object-file-perms.patch
+Patch1: backport-libelf-Correctly-decode-ar_mode-as-octal-string.patch
 Patch2: Fix-issue-of-moving-files-by-ar-or-br.patch
 Patch3: Get-instance-correctly-for-eu-ar-N-option.patch
+Patch4: backport-CVE-2021-33294-readelf-Sanity-check-verneed-and-verdef-offsets-in-h.patch
+Patch5: Fix-segfault-in-eu-ar-m.patch
+Patch6000: backport-CVE-2025-1352.patch
+Patch6001: backport-CVE-2025-1372.patch
+Patch6002: backport-CVE-2025-1376.patch
+Patch6003: backport-CVE-2025-1377.patch
 
 Requires: elfutils-libelf = %{version}-%{release}
 Requires: elfutils-libs = %{version}-%{release}
@@ -18,7 +24,6 @@ Requires: glibc >= 2.7 libstdc++
 
 BuildRoot: %{_tmppath}/%{name}-root
 BuildRequires: gcc >= 4.1.2-33 m4 zlib-devel gdb-headless gcc-c++
-BuildRequires: bzip2-devel xz-devel xz-libs
 
 # For debuginfod
 BuildRequires: pkgconfig(libmicrohttpd) >= 0.9.33
@@ -128,6 +133,7 @@ License: GPLv3+ and (GPLv2+ or LGPLv3+)
 
 %package debuginfod-client-devel
 Summary: Libraries and headers to build debuginfod client applications
+Requires: %{name}-debuginfod-client = %{version}-%{release}
 License: GPLv2+ or LGPLv3+
 
 %package debuginfod
@@ -302,6 +308,22 @@ exit 0
 %systemd_postun_with_restart debuginfod.service
 
 %changelog
+* Sun Feb 16 2025 shixuantong <shixuantong1@huawei.com> - 0.180-17
+- fix CVE-2025-1352 CVE-2025-1372 CVE-2025-1376 CVE-2025-1377
+
+* Wed Feb 05 2025 Funda Wang <fundawang@yeah.net> - 0.180-16
+- correctly fix libdebuginfod.so requirement
+
+* Fri Sep 01 2023 fuanan <fuanan3@h-partners.com> - 0.180-15
+- Fix segfault in eu-ar -m
+- Use upstream patch for Fix error of parsing object file perms
+
+* Wed Jul 19 2023 fuanan <fuanan3@h-partners.com> - 0.180-14
+- Fix CVE-2021-33294
+
+* Thu Dec 15 2022 zhangruifang <zhangruifang1@h-partners.com> - 0.180-13
+- revert commit "add some compression support"
+
 * Fri Sep 9 2022 fuanan <fuanan3@h-partners.com> - 0.180-9
 - Fix "/usr/lib64/libdebuginfod.so.1" not found when uninstall elfutils-debuginfod-client-devel
 - Fix Obsoletes in spec