On Wed, 2026-07-08 at 10:02 +0200, Yoann Congal wrote: > On Wed Jul 8, 2026 at 9:18 AM CEST, Roland Kovács wrote: > > On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote: > > > Hello, > > > > > > On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via > > > lists.openembedded.org wrote: > > > > CVE-2025-69649: > > > > Null pointer dereference in readelf before 2.46 results in segfault > > > > when > > > > processing a crafted ELF binary with malformed header fields. > > > > No evidence of memory corruption beyond the null pointer dereference, > > > > nor > > > > any possibility of code execution, was observed. > > > > > > > > CVE-2025-69652: > > > > Null pointer dereference in readelf when processing a crafted ELF > > > > binary > > > > with malformed DWARF abbrev or debug information which leads to > > > > SIGABORT. > > > > No evidence of memory corruption or code execution was observed; the > > > > impact > > > > is limited to denial of service. > > > > > > > > Signed-off-by: Roland Kovacs <[email protected]> > > > > --- > > > > .../binutils/binutils-2.42.inc | 2 + > > > > .../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++ > > > > .../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++ > > > > 3 files changed, 77 insertions(+) > > > > create mode 100644 > > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > > > > create mode 100644 > > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch > > > > > > > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc > > > > b/meta/recipes- > > > > devtools/binutils/binutils-2.42.inc > > > > index 1a865c45f4..da954fc138 100644 > > > > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > > > > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > > > > @@ -74,5 +74,7 @@ SRC_URI = "\ > > > > file://0030-CVE-2025-11840.patch \ > > > > file://CVE-2025-69647.patch \ > > > > file://CVE-2025-69648.patch \ > > > > + file://CVE-2025-69649.patch \ > > > > + file://CVE-2025-69652.patch \ > > > > " > > > > S = "${WORKDIR}/git" > > > > diff --git > > > > a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > > > > b/meta/recipes- > > > > devtools/binutils/binutils/CVE-2025-69649.patch > > > > new file mode 100644 > > > > index 0000000000..4865ad6535 > > > > --- /dev/null > > > > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch > > > > @@ -0,0 +1,36 @@ > > > > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001 > > > > +From: Alan Modra <[email protected]> > > > > +Date: Mon, 8 Dec 2025 15:58:33 +1030 > > > > +Subject: [PATCH] PR 33697, fuzzer segfault > > > > + > > > > + PR 33697 > > > > + * readelf.c (process_relocs): Don't segfault on no sections. > > > > + > > > > +CVE: CVE-2025-69649 > > > > +Upstream-Status: Backport > > > > [ > > > > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea > > > > 5d > > > > 7f66] > > > > + > > > > +Signed-off-by: Roland Kovacs <[email protected]> > > > > +--- > > > > + binutils/readelf.c | 6 +++--- > > > > + 1 file changed, 3 insertions(+), 3 deletions(-) > > > > + > > > > +diff --git a/binutils/readelf.c b/binutils/readelf.c > > > > +index 5e4ad6ea6ad..8c1987ffaec 100644 > > > > +--- a/binutils/readelf.c > > > > ++++ b/binutils/readelf.c > > > > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata) > > > > + size_t i; > > > > + bool found = false; > > > > + > > > > +- for (i = 0, section = filedata->section_headers; > > > > +- i < filedata->file_header.e_shnum; > > > > +- i++, section++) > > > > ++ section = filedata->section_headers; > > > > ++ if (section != NULL) > > > > ++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++) > > > > + { > > > > + if ( section->sh_type != SHT_RELA > > > > + && section->sh_type != SHT_REL > > > > > > This backport is sensibly different from the upstream commit. Upstream > > > has a short for loop but your patch is at the start of a really long > > > one! > > > > > > Can you justify why your backport is safe & correct? > > > > > > Thanks! > > > > Yes, on 2.42 the formatted printing of relocations is in-line, while on > > 2.46 that code mostly > > has > > been moved into 'display_relocations()' as part of > > 8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305. > > See: > > https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c > > This is a good explanation, can you add it to the CVE-2025-69649 patch > with the line you added (ie the "CVE: ", "Upstream-status:", ... lines)? > > Thanks! >
I see it already pulled in on -nut: https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=3c3635eed24731a99d0cc9a3570415cd4b096433 Do you want a v2 and fixup on nut, or just a patch on top of the pushed commit to add the extra info? > > > > Cheers, > > Roland >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240444): https://lists.openembedded.org/g/openembedded-core/message/240444 Mute This Topic: https://lists.openembedded.org/mt/120043719/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
