On Wed Jul 8, 2026 at 10:15 AM CEST, Roland Kovács wrote: > On Wed, 2026-07-08 at 10:02 +0200, Yoann Congal wrote: >> On Wed Jul 8, 2026 at 9:18 AM CEST, Roland Kovács wrote: >> > On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote: >> > > Hello, >> > > >> > > On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via >> > > lists.openembedded.org wrote: >> > > > CVE-2025-69649: >> > > > Null pointer dereference in readelf before 2.46 results in segfault >> > > > when >> > > > processing a crafted ELF binary with malformed header fields. >> > > > No evidence of memory corruption beyond the null pointer >> > > > dereference, nor >> > > > any possibility of code execution, was observed. >> > > > >> > > > CVE-2025-69652: >> > > > Null pointer dereference in readelf when processing a crafted ELF >> > > > binary >> > > > with malformed DWARF abbrev or debug information which leads to >> > > > SIGABORT. >> > > > No evidence of memory corruption or code execution was observed; the >> > > > impact >> > > > is limited to denial of service. >> > > > >> > > > Signed-off-by: Roland Kovacs <[email protected]> >> > > > --- >> > > > .../binutils/binutils-2.42.inc | 2 + >> > > > .../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++ >> > > > .../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++ >> > > > 3 files changed, 77 insertions(+) >> > > > create mode 100644 >> > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch >> > > > create mode 100644 >> > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch >> > > > >> > > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc >> > > > b/meta/recipes- >> > > > devtools/binutils/binutils-2.42.inc >> > > > index 1a865c45f4..da954fc138 100644 >> > > > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc >> > > > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc >> > > > @@ -74,5 +74,7 @@ SRC_URI = "\ >> > > > file://0030-CVE-2025-11840.patch \ >> > > > file://CVE-2025-69647.patch \ >> > > > file://CVE-2025-69648.patch \ >> > > > + file://CVE-2025-69649.patch \ >> > > > + file://CVE-2025-69652.patch \ >> > > > " >> > > > S = "${WORKDIR}/git" >> > > > diff --git >> > > > a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch >> > > > b/meta/recipes- >> > > > devtools/binutils/binutils/CVE-2025-69649.patch >> > > > new file mode 100644 >> > > > index 0000000000..4865ad6535 >> > > > --- /dev/null >> > > > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch >> > > > @@ -0,0 +1,36 @@ >> > > > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001 >> > > > +From: Alan Modra <[email protected]> >> > > > +Date: Mon, 8 Dec 2025 15:58:33 +1030 >> > > > +Subject: [PATCH] PR 33697, fuzzer segfault >> > > > + >> > > > + PR 33697 >> > > > + * readelf.c (process_relocs): Don't segfault on no sections. >> > > > + >> > > > +CVE: CVE-2025-69649 >> > > > +Upstream-Status: Backport >> > > > [ >> > > > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea >> > > > 5d >> > > > 7f66] >> > > > + >> > > > +Signed-off-by: Roland Kovacs <[email protected]> >> > > > +--- >> > > > + binutils/readelf.c | 6 +++--- >> > > > + 1 file changed, 3 insertions(+), 3 deletions(-) >> > > > + >> > > > +diff --git a/binutils/readelf.c b/binutils/readelf.c >> > > > +index 5e4ad6ea6ad..8c1987ffaec 100644 >> > > > +--- a/binutils/readelf.c >> > > > ++++ b/binutils/readelf.c >> > > > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata) >> > > > + size_t i; >> > > > + bool found = false; >> > > > + >> > > > +- for (i = 0, section = filedata->section_headers; >> > > > +- i < filedata->file_header.e_shnum; >> > > > +- i++, section++) >> > > > ++ section = filedata->section_headers; >> > > > ++ if (section != NULL) >> > > > ++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++) >> > > > + { >> > > > + if ( section->sh_type != SHT_RELA >> > > > + && section->sh_type != SHT_REL >> > > >> > > This backport is sensibly different from the upstream commit. Upstream >> > > has a short for loop but your patch is at the start of a really long >> > > one! >> > > >> > > Can you justify why your backport is safe & correct? >> > > >> > > Thanks! >> > >> > Yes, on 2.42 the formatted printing of relocations is in-line, while on >> > 2.46 that code mostly >> > has >> > been moved into 'display_relocations()' as part of >> > 8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305. >> > See: >> > https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c >> >> This is a good explanation, can you add it to the CVE-2025-69649 patch >> with the line you added (ie the "CVE: ", "Upstream-status:", ... lines)? >> >> Thanks! >> > > I see it already pulled in on -nut: > https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=3c3635eed24731a99d0cc9a3570415cd4b096433 > > Do you want a v2 and fixup on nut, or just a patch on top of the pushed > commit to add the extra > info?
A v2 with the fixup integrated into it (ie. 1 patch only) please. Thanks! > >> > >> > Cheers, >> > Roland >> -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240445): https://lists.openembedded.org/g/openembedded-core/message/240445 Mute This Topic: https://lists.openembedded.org/mt/120043719/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
