On Wed, 2026-07-08 at 10:02 +0200, Yoann Congal wrote:
> On Wed Jul 8, 2026 at 9:18 AM CEST, Roland Kovács wrote:
> > On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote:
> > > Hello,
> > > 
> > > On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via 
> > > lists.openembedded.org wrote:
> > > > CVE-2025-69649:
> > > >   Null pointer dereference in readelf before 2.46 results in segfault 
> > > > when
> > > >   processing a crafted ELF binary with malformed header fields.
> > > >   No evidence of memory corruption beyond the null pointer dereference, 
> > > > nor
> > > >   any possibility of code execution, was observed.
> > > > 
> > > > CVE-2025-69652:
> > > >   Null pointer dereference in readelf when processing a crafted ELF 
> > > > binary
> > > >   with malformed DWARF abbrev or debug information which leads to 
> > > > SIGABORT.
> > > >   No evidence of memory corruption or code execution was observed; the 
> > > > impact
> > > >   is limited to denial of service.
> > > > 
> > > > Signed-off-by: Roland Kovacs <[email protected]>
> > > > ---
> > > >  .../binutils/binutils-2.42.inc                |  2 +
> > > >  .../binutils/binutils/CVE-2025-69649.patch    | 36 +++++++++++++++++
> > > >  .../binutils/binutils/CVE-2025-69652.patch    | 39 +++++++++++++++++++
> > > >  3 files changed, 77 insertions(+)
> > > >  create mode 100644 
> > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
> > > >  create mode 100644 
> > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
> > > > 
> > > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc 
> > > > b/meta/recipes-
> > > > devtools/binutils/binutils-2.42.inc
> > > > index 1a865c45f4..da954fc138 100644
> > > > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> > > > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> > > > @@ -74,5 +74,7 @@ SRC_URI = "\
> > > >       file://0030-CVE-2025-11840.patch \
> > > >       file://CVE-2025-69647.patch \
> > > >       file://CVE-2025-69648.patch \
> > > > +     file://CVE-2025-69649.patch \
> > > > +     file://CVE-2025-69652.patch \
> > > >  "
> > > >  S  = "${WORKDIR}/git"
> > > > diff --git 
> > > > a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch 
> > > > b/meta/recipes-
> > > > devtools/binutils/binutils/CVE-2025-69649.patch
> > > > new file mode 100644
> > > > index 0000000000..4865ad6535
> > > > --- /dev/null
> > > > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
> > > > @@ -0,0 +1,36 @@
> > > > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
> > > > +From: Alan Modra <[email protected]>
> > > > +Date: Mon, 8 Dec 2025 15:58:33 +1030
> > > > +Subject: [PATCH] PR 33697, fuzzer segfault
> > > > +
> > > > +       PR 33697
> > > > +       * readelf.c (process_relocs): Don't segfault on no sections.
> > > > +
> > > > +CVE: CVE-2025-69649
> > > > +Upstream-Status: Backport
> > > > [
> > > > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea
> > > > 5d
> > > > 7f66]
> > > > +
> > > > +Signed-off-by: Roland Kovacs <[email protected]>
> > > > +---
> > > > + binutils/readelf.c | 6 +++---
> > > > + 1 file changed, 3 insertions(+), 3 deletions(-)
> > > > +
> > > > +diff --git a/binutils/readelf.c b/binutils/readelf.c
> > > > +index 5e4ad6ea6ad..8c1987ffaec 100644
> > > > +--- a/binutils/readelf.c
> > > > ++++ b/binutils/readelf.c
> > > > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
> > > > +       size_t i;
> > > > +       bool found = false;
> > > > + 
> > > > +-      for (i = 0, section = filedata->section_headers;
> > > > +-         i < filedata->file_header.e_shnum;
> > > > +-         i++, section++)
> > > > ++      section = filedata->section_headers;
> > > > ++      if (section != NULL)
> > > > ++      for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
> > > > +       {
> > > > +         if (   section->sh_type != SHT_RELA
> > > > +             && section->sh_type != SHT_REL
> > > 
> > > This backport is sensibly different from the upstream commit. Upstream
> > > has a short for loop but your patch is at the start of a really long
> > > one!
> > > 
> > > Can you justify why your backport is safe & correct?
> > > 
> > > Thanks!
> > 
> > Yes, on 2.42 the formatted printing of relocations is in-line, while on 
> > 2.46 that code mostly
> > has
> > been moved into 'display_relocations()' as part of 
> > 8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305.
> > See:
> > https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c
> 
> This is a good explanation, can you add it to the CVE-2025-69649 patch
> with the line you added (ie the "CVE: ", "Upstream-status:", ... lines)?
> 
> Thanks!
> 

I see it already pulled in on -nut:
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=3c3635eed24731a99d0cc9a3570415cd4b096433

Do you want a v2 and fixup on nut, or just a patch on top of the pushed commit 
to add the extra
info?

> > 
> > Cheers,
> >     Roland
> 
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240444): 
https://lists.openembedded.org/g/openembedded-core/message/240444
Mute This Topic: https://lists.openembedded.org/mt/120043719/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to