Hi,

I'm looking at three XCOFF CVEs against binutils 2.46 and want to check the 
preferred disposition before sending anything.
All three are in the XCOFF code (xcofflink.c / coff-rs6000.c):

CVE-2026-3441<https://nvd.nist.gov/vuln/detail/CVE-2026-3441>, 
3442<https://nvd.nist.gov/vuln/detail/CVE-2026-3442> 
<https://nvd.nist.gov/vuln/detail/CVE-2026-3442> — both fixed by commit 
c2bf7de1eb7<https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf>
 
<https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf>
 ("xcofflink buffer overflows"). One commit covers both: the x_scnlen bounds 
check is 3441, the r_symndx check is 3442. No CVE in the commit message (Modra 
doesn't add them), but the diff matches the Red Hat bug descriptions exactly 
(bugs 2443826 and 2443828).

CVE-2026-6846<https://nvd.nist.gov/vuln/detail/CVE-2026-6846>  - fixed by 
7a089e03<https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a089e0302382f4d4e077941156e1eaa68d01393>
 
<https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a089e0302382f4d4e077941156e1eaa68d01393>
   (PR34049<https://sourceware.org/bugzilla/show_bug.cgi?id=34049>).

None of these are in the 2.46 release (checked against binutils-2_46), so it'd 
be a backport, same as how CVE-2026-4647 was handled in 
42115ea9<https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/binutils?id=42115ea98a6aed68120ec1df703f07905f7dddd9>.

One thing I checked while looking at this: only binutils-native actually builds 
the XCOFF backend (it gets --enable-targets=all). The target, cross, crosssdk 
and cross-canadian variants are ELF+PE only - confirmed with objdump -i on 
native and bfd_backends on the others. So, the vulnerable code is present only 
in native, a build-host tool. That made me unsure whether not-applicable-config 
fits, since the code isn't entirely absent from the recipe.

There's also the upstream side: binutils SECURITY.txt was updated last month 
(commit 
e1428067748<https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=e1428067748d6b713637241855d1c315fb657c8b>)
 to say a bug from crafted input has to cross a trust boundary to count as a 
security bug (Discussion: RFC 
Thread<https://sourceware.org/pipermail/binutils/2026-May/149207.html>). These 
three are all crafted-XCOFF OOB issues in tools that assume trusted input, so 
by that policy they arguably aren't security bugs at all.

So, I'm not sure which way to go:


  *
backport the fixes (like 4647), or
  *
mark CVE_STATUS as disputed, given the updated upstream policy.

Happy to send the backport patches if that's preferred - c2bf7de1 applies 
cleanly on the 2.46 branch. Just wanted to check the direction first.

Thanks,
Sunil Dora
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#238898): 
https://lists.openembedded.org/g/openembedded-core/message/238898
Mute This Topic: https://lists.openembedded.org/mt/119832836/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • [OE-core] binutils: dispositi... Dora, Sunil Kumar via lists.openembedded.org

Reply via email to