Bug 2404554

Summary: CVE-2025-11840 gdb: GNU Binutils out-of-bounds read [fedora-42]
Product: [Fedora] Fedora    Reporter: Jon Moroney <jmoroney>
Component: gdb    Assignee: Kevin Buettner <kevinb>
Status: CLOSED NOTABUG    QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low    Docs Contact:
Priority: low
Version: 42    CC: ahajkova, fweimer, guinevere, jan, keiths, kevinb, mcermak, mkolar, suraj.ghimire7
Target Milestone: ---    Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: {"flaws": ["ffad7a04-e5f2-4603-8304-40b675b78bf0"]}
Fixed In Version:    Doc Type: ---
Doc Text:
Story Points: ---
Clone Of:    Environment:
Last Closed: 2025-11-14 06:54:41 UTC    Type: ---
Bug Blocks: 2404481    

Description Jon Moroney 2025-10-16 18:03:40 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams

Comment 1 Kevin Buettner 2025-10-28 22:20:12 UTC
I've looked at the upstream issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=33455

H.J. Lu has proposed a patch which might fix the linker issue, but it has not yet been committed/pushed.

My analysis shows that GDB does not call the function which H.J. has changed in his proposed patch, but, since that patch isn't upstream yet, I cannot close this as NOTABUG.  Also, even if it is a bug, there is no backport available, as proposed patches should not be backported.

Therefore, I've assigned it to myself and will leave it open until there's movement on the upstream bug.

Comment 2 Kevin Buettner 2025-11-14 06:54:41 UTC
Closing as NOTABUG – per the GNU Debugger Security Policy

CVE-2025-11840 concerns an out-of-bounds read in libbfd's COFF loader
(`coff_slurp_reloc_table`). The only effect that can surface in GDB is a
non-privileged crash (due to an attempted NULL pointer dereference) when the
gdb-compile module loads a COFF object with a malformed relocation.

* The gdb-compile module, when used on Linux, generates ELF objects and
  executables; it does NOT produce COFF files. Consequently, under normal
  Linux usage the COFF-related path that contains the vulnerability is never
  exercised.

* Triggering the bug would require deliberately constructing a COFF file whose
  relocation's `howto->name` is NULL and then loading that file via gdb-compile,
  a highly contrived scenario that is not encountered in typical debugging
  sessions.

* The bug does NOT cross a privilege boundary, does not cause the inferior
  program to run without an explicit GDB command, and does not permit arbitrary
  code execution in the debugger.  According to the policy section
  “What Is Not A Security Bug”, an internal error that results merely in a
  crash is NOT a security bug.

Therefore this issue does not meet any of the four criteria that define a
security bug for GDB, and it should be closed as NOTABUG.

References:
- gdb/SECURITY.txt, "What Is Not A Security Bug" (items 1-4)
- Binutils bug #33455 (https://sourceware.org/bugzilla/show_bug.cgi?id=33455)
- CVE-2025-11840 (https://access.redhat.com/security/cve/cve-2025-11840)
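The failure mode Comment 2 describes is a relocation-table loader trusting fields of a crafted COFF object (a relocation whose lookup yields no usable howto, with reads that can run out of bounds). The following is an added example, not code from binutils, libbfd or GDB, and it is not a reproducer for the CVE: it is a small model of the three validations a COFF relocation loader has to perform before using any field, written against the classic 10-byte COFF relocation record (r_vaddr u32, r_symndx u32, r_type u16, little-endian). The names `slurp_reloc_table`, `HOWTO`, `MalformedCoff` and the reloc-type numbers in `HOWTO` are hypothetical; the input bytes are constructed inline.

```python
import struct
from dataclasses import dataclass

# Constructed model, not libbfd code. Classic COFF RELOC record layout:
#   r_vaddr u32 LE, r_symndx u32 LE, r_type u16 LE  (10 bytes)
RELOC_SIZE = 10

# Hypothetical howto table (reloc type -> name). In libbfd the equivalent
# is a table of reloc_howto_type; the numbers and names here are placeholders.
HOWTO = {
    0x0006: "DIR32",
    0x0014: "REL32",
}


class MalformedCoff(ValueError):
    """Raised instead of reading past the file or dereferencing a missing howto."""


@dataclass
class Reloc:
    vaddr: int
    symndx: int
    rtype: int
    howto_name: str


def slurp_reloc_table(data: bytes, relptr: int, nreloc: int, nsyms: int):
    """Parse nreloc relocation records starting at file offset relptr.

    Every field later used as an offset, index or lookup key is validated
    first, so a crafted file is rejected rather than sending the loader
    out of bounds. Simplification: the COFF 'no symbol' sentinel in
    r_symndx is not modelled; a real loader handles it as a special case.
    """
    # Check 1: the whole table must lie inside the file. Python ints cannot
    # wrap, so 'end' cannot overflow to a value below relptr.
    end = relptr + nreloc * RELOC_SIZE
    if relptr < 0 or end > len(data):
        raise MalformedCoff(
            f"reloc table [{relptr:#x},{end:#x}) exceeds file size {len(data):#x}")

    relocs = []
    for i in range(nreloc):
        off = relptr + i * RELOC_SIZE
        vaddr, symndx, rtype = struct.unpack_from("<IIH", data, off)

        # Check 2: the symbol index must address an existing symbol-table entry.
        if symndx >= nsyms:
            raise MalformedCoff(f"reloc {i}: symndx {symndx} >= symbol count {nsyms}")

        # Check 3: the reloc type must map to a known howto. An unknown type
        # yields no howto, and nothing (name included) may be dereferenced.
        name = HOWTO.get(rtype)
        if name is None:
            raise MalformedCoff(f"reloc {i}: unknown reloc type {rtype:#06x}")

        relocs.append(Reloc(vaddr, symndx, rtype, name))
    return relocs


def build_reloc_table(entries):
    """Serialize (vaddr, symndx, rtype) tuples into raw COFF reloc records."""
    return b"".join(struct.pack("<IIH", *e) for e in entries)


# Constructed inputs: one well-formed table and three malformed variants.
GOOD = build_reloc_table([(0x10, 0, 0x0006), (0x20, 1, 0x0014)])


def demo():
    """Run the loader over the constructed inputs; returns a label -> outcome map."""
    results = {"good": [r.howto_name for r in slurp_reloc_table(GOOD, 0, 2, nsyms=2)]}
    cases = {
        "truncated": (GOOD[:15], 0, 2, 2),                          # table past EOF
        "bad_symndx": (build_reloc_table([(0x10, 7, 0x0006)]), 0, 1, 2),  # symndx >= nsyms
        "bad_type": (build_reloc_table([(0x10, 0, 0xFFFF)]), 0, 1, 2),    # no howto
    }
    for label, args in cases.items():
        try:
            slurp_reloc_table(*args)
            results[label] = "accepted"
        except MalformedCoff as exc:
            results[label] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The three rejections correspond to the three ways a malformed relocation can hurt a native loader: a table that extends past the file, a symbol index that walks off the symbol table, and a reloc type with no howto entry, where the crash Comment 2 mentions would be the loader reading a field of a howto it never obtained.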