Hello,

On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via lists.openembedded.org 
wrote:
> CVE-2025-69649:
>   Null pointer dereference in readelf before 2.46 results in segfault when
>   processing a crafted ELF binary with malformed header fields.
>   No evidence of memory corruption beyond the null pointer dereference, nor
>   any possibility of code execution, was observed.
>
> CVE-2025-69652:
>   Null pointer dereference in readelf when processing a crafted ELF binary
>   with malformed DWARF abbrev or debug information which leads to SIGABORT.
>   No evidence of memory corruption or code execution was observed; the impact
>   is limited to denial of service.
>
> Signed-off-by: Roland Kovacs <[email protected]>
> ---
>  .../binutils/binutils-2.42.inc                |  2 +
>  .../binutils/binutils/CVE-2025-69649.patch    | 36 +++++++++++++++++
>  .../binutils/binutils/CVE-2025-69652.patch    | 39 +++++++++++++++++++
>  3 files changed, 77 insertions(+)
>  create mode 100644 
> meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
>  create mode 100644 
> meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc 
> b/meta/recipes-devtools/binutils/binutils-2.42.inc
> index 1a865c45f4..da954fc138 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> @@ -74,5 +74,7 @@ SRC_URI = "\
>       file://0030-CVE-2025-11840.patch \
>       file://CVE-2025-69647.patch \
>       file://CVE-2025-69648.patch \
> +     file://CVE-2025-69649.patch \
> +     file://CVE-2025-69652.patch \
>  "
>  S  = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch 
> b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
> new file mode 100644
> index 0000000000..4865ad6535
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
> @@ -0,0 +1,36 @@
> +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <[email protected]>
> +Date: Mon, 8 Dec 2025 15:58:33 +1030
> +Subject: [PATCH] PR 33697, fuzzer segfault
> +
> +     PR 33697
> +     * readelf.c (process_relocs): Don't segfault on no sections.
> +
> +CVE: CVE-2025-69649
> +Upstream-Status: Backport 
> [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66]
> +
> +Signed-off-by: Roland Kovacs <[email protected]>
> +---
> + binutils/readelf.c | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/binutils/readelf.c b/binutils/readelf.c
> +index 5e4ad6ea6ad..8c1987ffaec 100644
> +--- a/binutils/readelf.c
> ++++ b/binutils/readelf.c
> +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
> +       size_t i;
> +       bool found = false;
> + 
> +-      for (i = 0, section = filedata->section_headers;
> +-       i < filedata->file_header.e_shnum;
> +-       i++, section++)
> ++      section = filedata->section_headers;
> ++      if (section != NULL)
> ++    for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
> +     {
> +       if (   section->sh_type != SHT_RELA
> +           && section->sh_type != SHT_REL

This backport is sensibly different from the upstream commit. Upstream
has a short for loop but your patch is at the start of a really long
one!

Can you justify why your backport is safe & correct?

Thanks!
-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240387): 
https://lists.openembedded.org/g/openembedded-core/message/240387
Mute This Topic: https://lists.openembedded.org/mt/120043719/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to