Hello, On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via lists.openembedded.org wrote: > CVE-2025-69649: > Null pointer dereference in readelf before 2.46 results in segfault when > processing a crafted ELF binary with malformed header fields. > No evidence of memory corruption beyond the null pointer dereference, nor > any possibility of code execution, was observed. > > CVE-2025-69652: > Null pointer dereference in readelf when processing a crafted ELF binary > with malformed DWARF abbrev or debug information which leads to SIGABORT. > No evidence of memory corruption or code execution was observed; the impact > is limited to denial of service. > > Signed-off-by: Roland Kovacs <[email protected]> > --- > .../binutils/binutils-2.42.inc | 2 + > .../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++ > .../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++ > 3 files changed, 77 insertions(+) > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc > b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 1a865c45f4..da954fc138 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -74,5 +74,7 @@ SRC_URI = "\ > file://0030-CVE-2025-11840.patch \ > file://CVE-2025-69647.patch \ > file://CVE-2025-69648.patch \ > + file://CVE-2025-69649.patch \ > + file://CVE-2025-69652.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > new file mode 100644 > index 0000000000..4865ad6535 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > @@ -0,0 +1,36 @@ > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001 > +From: Alan Modra <[email protected]> > +Date: Mon, 8 Dec 2025 15:58:33 +1030 > +Subject: [PATCH] PR 33697, fuzzer segfault > + > + PR 33697 > + * readelf.c (process_relocs): Don't segfault on no sections. > + > +CVE: CVE-2025-69649 > +Upstream-Status: Backport > [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66] > + > +Signed-off-by: Roland Kovacs <[email protected]> > +--- > + binutils/readelf.c | 6 +++--- > + 1 file changed, 3 insertions(+), 3 deletions(-) > + > +diff --git a/binutils/readelf.c b/binutils/readelf.c > +index 5e4ad6ea6ad..8c1987ffaec 100644 > +--- a/binutils/readelf.c > ++++ b/binutils/readelf.c > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata) > + size_t i; > + bool found = false; > + > +- for (i = 0, section = filedata->section_headers; > +- i < filedata->file_header.e_shnum; > +- i++, section++) > ++ section = filedata->section_headers; > ++ if (section != NULL) > ++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++) > + { > + if ( section->sh_type != SHT_RELA > + && section->sh_type != SHT_REL
This backport is sensibly different from the upstream commit. Upstream has a short for loop but your patch is at the start of a really long one! Can you justify why your backport is safe & correct? Thanks! -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240387): https://lists.openembedded.org/g/openembedded-core/message/240387 Mute This Topic: https://lists.openembedded.org/mt/120043719/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
