CVE-2025-69649: Null pointer dereference in readelf before 2.46 results in segfault when processing a crafted ELF binary with malformed header fields. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.
CVE-2025-69652: Null pointer dereference in readelf when processing a crafted ELF binary with malformed DWARF abbrev or debug information which leads to SIGABORT. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service. Signed-off-by: Roland Kovacs <[email protected]> --- .../binutils/binutils-2.42.inc | 2 + .../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++ .../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++ 3 files changed, 77 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a865c45f4..da954fc138 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -74,5 +74,7 @@ SRC_URI = "\ file://0030-CVE-2025-11840.patch \ file://CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ + file://CVE-2025-69649.patch \ + file://CVE-2025-69652.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch new file mode 100644 index 0000000000..4865ad6535 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch @@ -0,0 +1,36 @@ +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001 +From: Alan Modra <[email protected]> +Date: Mon, 8 Dec 2025 15:58:33 +1030 +Subject: [PATCH] PR 33697, fuzzer segfault + + PR 33697 + * readelf.c (process_relocs): Don't segfault on no sections. + +CVE: CVE-2025-69649 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66] + +Signed-off-by: Roland Kovacs <[email protected]> +--- + binutils/readelf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/binutils/readelf.c b/binutils/readelf.c +index 5e4ad6ea6ad..8c1987ffaec 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata) + size_t i; + bool found = false; + +- for (i = 0, section = filedata->section_headers; +- i < filedata->file_header.e_shnum; +- i++, section++) ++ section = filedata->section_headers; ++ if (section != NULL) ++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++) + { + if ( section->sh_type != SHT_RELA + && section->sh_type != SHT_REL +-- +2.34.1 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch new file mode 100644 index 0000000000..a085d20095 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch @@ -0,0 +1,39 @@ +From 034627143b85563fe4b4e416422d9dea8e66bd6f Mon Sep 17 00:00:00 2001 +From: Alan Modra <[email protected]> +Date: Mon, 8 Dec 2025 16:04:44 +1030 +Subject: [PATCH] PR 33701, abort in byte_get_little_endian + + PR 33701 + * dwarf.c (process_debug_info): Set debug_info_p NULL when + DEBUG_INFO_UNAVAILABLE. + +CVE: CVE-2025-69652 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01] + +Signed-off-by: Roland Kovacs <[email protected]> +--- + binutils/dwarf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 615e051b2bf..13b11b46e41 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -4222,9 +4222,11 @@ process_debug_info (struct dwarf_section * section, + break; + } + +- debug_info *debug_info_p = +- (debug_information && unit < alloc_num_debug_info_entries) +- ? debug_information + unit : NULL; ++ debug_info *debug_info_p = NULL; ++ if (debug_information ++ && num_debug_info_entries != DEBUG_INFO_UNAVAILABLE ++ && unit < alloc_num_debug_info_entries) ++ debug_info_p = debug_information + unit; + + assert (!debug_info_p + || (debug_info_p->num_loc_offsets +-- +2.34.1 + -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239868): https://lists.openembedded.org/g/openembedded-core/message/239868 Mute This Topic: https://lists.openembedded.org/mt/120043719/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
