On Wed Jul 8, 2026 at 9:18 AM CEST, Roland Kovács wrote: > On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote: >> Hello, >> >> On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via >> lists.openembedded.org wrote: >> > CVE-2025-69649: >> > Null pointer dereference in readelf before 2.46 results in segfault when >> > processing a crafted ELF binary with malformed header fields. >> > No evidence of memory corruption beyond the null pointer dereference, nor >> > any possibility of code execution, was observed. >> > >> > CVE-2025-69652: >> > Null pointer dereference in readelf when processing a crafted ELF binary >> > with malformed DWARF abbrev or debug information which leads to SIGABORT. >> > No evidence of memory corruption or code execution was observed; the >> > impact >> > is limited to denial of service. >> > >> > Signed-off-by: Roland Kovacs <[email protected]> >> > --- >> > .../binutils/binutils-2.42.inc | 2 + >> > .../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++ >> > .../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++ >> > 3 files changed, 77 insertions(+) >> > create mode 100644 >> > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch >> > create mode 100644 >> > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch >> > >> > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc >> > b/meta/recipes- >> > devtools/binutils/binutils-2.42.inc >> > index 1a865c45f4..da954fc138 100644 >> > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc >> > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc >> > @@ -74,5 +74,7 @@ SRC_URI = "\ >> > file://0030-CVE-2025-11840.patch \ >> > file://CVE-2025-69647.patch \ >> > file://CVE-2025-69648.patch \ >> > + file://CVE-2025-69649.patch \ >> > + file://CVE-2025-69652.patch \ >> > " >> > S = "${WORKDIR}/git" >> > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch >> > b/meta/recipes- >> > devtools/binutils/binutils/CVE-2025-69649.patch >> > new file mode 100644 >> > index 0000000000..4865ad6535 >> > --- /dev/null >> > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch >> > @@ -0,0 +1,36 @@ >> > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001 >> > +From: Alan Modra <[email protected]> >> > +Date: Mon, 8 Dec 2025 15:58:33 +1030 >> > +Subject: [PATCH] PR 33697, fuzzer segfault >> > + >> > + PR 33697 >> > + * readelf.c (process_relocs): Don't segfault on no sections. >> > + >> > +CVE: CVE-2025-69649 >> > +Upstream-Status: Backport >> > [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d >> > 7f66] >> > + >> > +Signed-off-by: Roland Kovacs <[email protected]> >> > +--- >> > + binutils/readelf.c | 6 +++--- >> > + 1 file changed, 3 insertions(+), 3 deletions(-) >> > + >> > +diff --git a/binutils/readelf.c b/binutils/readelf.c >> > +index 5e4ad6ea6ad..8c1987ffaec 100644 >> > +--- a/binutils/readelf.c >> > ++++ b/binutils/readelf.c >> > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata) >> > + size_t i; >> > + bool found = false; >> > + >> > +- for (i = 0, section = filedata->section_headers; >> > +- i < filedata->file_header.e_shnum; >> > +- i++, section++) >> > ++ section = filedata->section_headers; >> > ++ if (section != NULL) >> > ++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++) >> > + { >> > + if ( section->sh_type != SHT_RELA >> > + && section->sh_type != SHT_REL >> >> This backport is sensibly different from the upstream commit. Upstream >> has a short for loop but your patch is at the start of a really long >> one! >> >> Can you justify why your backport is safe & correct? >> >> Thanks! > > Yes, on 2.42 the formatted printing of relocations is in-line, while on 2.46 > that code mostly has > been moved into 'display_relocations()' as part of > 8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305. > See: > https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c
This is a good explanation, can you add it to the CVE-2025-69649 patch with the line you added (ie the "CVE: ", "Upstream-status:", ... lines)? Thanks! > > Cheers, > Roland -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240443): https://lists.openembedded.org/g/openembedded-core/message/240443 Mute This Topic: https://lists.openembedded.org/mt/120043719/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
