On Wed Jul 8, 2026 at 10:15 AM CEST, Roland Kovács wrote:
> On Wed, 2026-07-08 at 10:02 +0200, Yoann Congal wrote:
>> On Wed Jul 8, 2026 at 9:18 AM CEST, Roland Kovács wrote:
>> > On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote:
>> > > Hello,
>> > > 
>> > > On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via 
>> > > lists.openembedded.org wrote:
>> > > > CVE-2025-69649:
>> > > >   Null pointer dereference in readelf before 2.46 results in segfault 
>> > > > when
>> > > >   processing a crafted ELF binary with malformed header fields.
>> > > >   No evidence of memory corruption beyond the null pointer 
>> > > > dereference, nor
>> > > >   any possibility of code execution, was observed.
>> > > > 
>> > > > CVE-2025-69652:
>> > > >   Null pointer dereference in readelf when processing a crafted ELF 
>> > > > binary
>> > > >   with malformed DWARF abbrev or debug information which leads to 
>> > > > SIGABORT.
>> > > >   No evidence of memory corruption or code execution was observed; the 
>> > > > impact
>> > > >   is limited to denial of service.
>> > > > 
>> > > > Signed-off-by: Roland Kovacs <[email protected]>
>> > > > ---
>> > > >  .../binutils/binutils-2.42.inc                |  2 +
>> > > >  .../binutils/binutils/CVE-2025-69649.patch    | 36 +++++++++++++++++
>> > > >  .../binutils/binutils/CVE-2025-69652.patch    | 39 +++++++++++++++++++
>> > > >  3 files changed, 77 insertions(+)
>> > > >  create mode 100644 
>> > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
>> > > >  create mode 100644 
>> > > > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
>> > > > 
>> > > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc 
>> > > > b/meta/recipes-
>> > > > devtools/binutils/binutils-2.42.inc
>> > > > index 1a865c45f4..da954fc138 100644
>> > > > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
>> > > > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
>> > > > @@ -74,5 +74,7 @@ SRC_URI = "\
>> > > >       file://0030-CVE-2025-11840.patch \
>> > > >       file://CVE-2025-69647.patch \
>> > > >       file://CVE-2025-69648.patch \
>> > > > +     file://CVE-2025-69649.patch \
>> > > > +     file://CVE-2025-69652.patch \
>> > > >  "
>> > > >  S  = "${WORKDIR}/git"
>> > > > diff --git 
>> > > > a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch 
>> > > > b/meta/recipes-
>> > > > devtools/binutils/binutils/CVE-2025-69649.patch
>> > > > new file mode 100644
>> > > > index 0000000000..4865ad6535
>> > > > --- /dev/null
>> > > > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
>> > > > @@ -0,0 +1,36 @@
>> > > > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
>> > > > +From: Alan Modra <[email protected]>
>> > > > +Date: Mon, 8 Dec 2025 15:58:33 +1030
>> > > > +Subject: [PATCH] PR 33697, fuzzer segfault
>> > > > +
>> > > > +      PR 33697
>> > > > +      * readelf.c (process_relocs): Don't segfault on no sections.
>> > > > +
>> > > > +CVE: CVE-2025-69649
>> > > > +Upstream-Status: Backport
>> > > > [
>> > > > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea
>> > > > 5d
>> > > > 7f66]
>> > > > +
>> > > > +Signed-off-by: Roland Kovacs <[email protected]>
>> > > > +---
>> > > > + binutils/readelf.c | 6 +++---
>> > > > + 1 file changed, 3 insertions(+), 3 deletions(-)
>> > > > +
>> > > > +diff --git a/binutils/readelf.c b/binutils/readelf.c
>> > > > +index 5e4ad6ea6ad..8c1987ffaec 100644
>> > > > +--- a/binutils/readelf.c
>> > > > ++++ b/binutils/readelf.c
>> > > > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
>> > > > +       size_t i;
>> > > > +       bool found = false;
>> > > > + 
>> > > > +-      for (i = 0, section = filedata->section_headers;
>> > > > +-        i < filedata->file_header.e_shnum;
>> > > > +-        i++, section++)
>> > > > ++      section = filedata->section_headers;
>> > > > ++      if (section != NULL)
>> > > > ++     for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
>> > > > +      {
>> > > > +        if (   section->sh_type != SHT_RELA
>> > > > +            && section->sh_type != SHT_REL
>> > > 
>> > > This backport is sensibly different from the upstream commit. Upstream
>> > > has a short for loop but your patch is at the start of a really long
>> > > one!
>> > > 
>> > > Can you justify why your backport is safe & correct?
>> > > 
>> > > Thanks!
>> > 
>> > Yes, on 2.42 the formatted printing of relocations is in-line, while on 
>> > 2.46 that code mostly
>> > has
>> > been moved into 'display_relocations()' as part of 
>> > 8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305.
>> > See:
>> > https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c
>> 
>> This is a good explanation, can you add it to the CVE-2025-69649 patch
>> with the line you added (ie the "CVE: ", "Upstream-status:", ... lines)?
>> 
>> Thanks!
>> 
>
> I see it already pulled in on -nut:
> https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=3c3635eed24731a99d0cc9a3570415cd4b096433
>
> Do you want a v2 and fixup on nut, or just a patch on top of the pushed 
> commit to add the extra
> info?

A v2 with the fixup integrated into it (ie. 1 patch only) please.

Thanks!

>
>> > 
>> > Cheers,
>> >    Roland
>> 


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240445): 
https://lists.openembedded.org/g/openembedded-core/message/240445
Mute This Topic: https://lists.openembedded.org/mt/120043719/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to