* [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 @ 2026-05-02 14:23 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 0 siblings, 2 replies; 10+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 UTC (permalink / raw) To: openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses two out-of-bounds read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes shown in [2] are referenced by [3] and [4]. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3441 https://nvd.nist.gov/vuln/detail/CVE-2026-3442 https://www.suse.com/security/cve/CVE-2026-3441.html https://www.suse.com/security/cve/CVE-2026-3442.html Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- .../binutils/binutils-2.42.inc | 1 + .../CVE-2026-3441_CVE-2026-3442.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 839d31242e..5d91a41648 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -69,5 +69,6 @@ SRC_URI = "\ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ + file://CVE-2026-3441_CVE-2026-3442.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch new file mode 100644 index 0000000000..28cface2c9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch @@ -0,0 +1,50 @@ +From 88a051b765a7684b24250907c2dad9fa8cd4124a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 28 Feb 2026 13:16:40 +1030 +Subject: [PATCH] xcofflink buffer overflows + +This fixes two fuzzed object file out-of-bounds accesses. + + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check + XTY_LD x_scnlen index. Sanity check r_symndx before using it + to index sym hashes. + +CVE: CVE-2026-3441 CVE-2026-3442 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] + +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/xcofflink.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index e0165d202a9..88c49755c64 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + follow its appropriate XTY_SD symbol. The .set pseudo op can + cause the XTY_LD to not follow the XTY_SD symbol. */ + { +- bool bad; +- +- bad = false; +- if (aux.x_csect.x_scnlen.u64 +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) +- bad = true; ++ bool bad = (aux.x_csect.x_scnlen.u64 ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) ++ / symesz)); + if (! bad) + { + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + functions imported from dynamic objects. */ + if (info->output_bfd->xvec == abfd->xvec + && *rel_csect != bfd_und_section_ptr ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) + { + struct xcoff_link_hash_entry *h; +-- +2.44.4 -- 2.44.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 1 sibling, 0 replies; 10+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 UTC (permalink / raw) To: openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses an out-of-bounds read issue in XCOFF relocation processing, as described in [2]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 Reference: https://bugzilla.suse.com/show_bug.cgi?id=1260338 https://www.suse.com/security/cve/CVE-2026-4647.html https://nvd.nist.gov/vuln/detail/CVE-2026-4647 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 5d91a41648..b1546de02c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -70,5 +70,6 @@ SRC_URI = "\ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ file://CVE-2026-3441_CVE-2026-3442.patch \ + file://CVE-2026-4647.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch new file mode 100644 index 0000000000..cece5afefe --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch @@ -0,0 +1,228 @@ +From 3e24faeffc0116c271d048137b340586d800e17c Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 13 Mar 2026 17:28:28 +1030 +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing + + PR 33919 + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit + array size. + (xcoff_complain_overflow): Likewise. + (xcoff_rtype2howto): Return a NULL howto rather than aborting. + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. + (xcoff_ppc_relocate_section): Sanity check reloc r_type before + accessing xcoff_howto_table. Print r_type using %#x. Remove + now redundant later reloc r_type sanity check. + * coff64-rs6000.c: Similarly. + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. + +CVE: CVE-2026-4647 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] + +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- + bfd/libxcoff.h | 3 --- + 3 files changed, 41 insertions(+), 31 deletions(-) + +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 87feb672bf1..0f2cc496b63 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; + static xcoff_complain_function xcoff_complain_overflow_signed_func; + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; + +-xcoff_reloc_function *const +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ + }; + +-xcoff_complain_function *const +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = ++xcoff_complain_function *const xcoff_complain_overflow[] = + { + xcoff_complain_overflow_dont_func, + xcoff_complain_overflow_bitfield_func, +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = + void + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff_howto_table[internal->r_type]; +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x1f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) + if (xcoff_howto_table[i].name != NULL + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) + return &xcoff_howto_table[i]; +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); + return false; + } +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c +index 0f8d9e08783..c74698070d5 100644 +--- a/bfd/coff64-rs6000.c ++++ b/bfd/coff64-rs6000.c +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook + /* Relocation functions */ + static xcoff_reloc_function xcoff64_reloc_type_br; + +-xcoff_reloc_function *const +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = + void + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff64_howto_table[internal->r_type]; +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x3f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) + if (xcoff64_howto_table[i].name != NULL + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) + return &xcoff64_howto_table[i]; +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" + " r_rsize (0x%x)\n"), + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); + return false; +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff64_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h +index 81c4e205e06..ca716a9ef3a 100644 +--- a/bfd/libxcoff.h ++++ b/bfd/libxcoff.h +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) + +-/* xcoff*_ppc_relocate_section macros */ +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ + #ifdef N_ONES + #undef N_ONES +-- +2.44.4 + -- 2.44.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-07 22:03 ` Yoann Congal 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:39 ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 2 replies; 10+ messages in thread From: Yoann Congal @ 2026-05-07 22:03 UTC (permalink / raw) To: sudumbha, openembedded-core On Sat May 2, 2026 at 4:23 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1], which addresses two out-of-bounds > read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes > shown in [2] are referenced by [3] and [4]. > > [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf > [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 > [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2026-3441 > https://nvd.nist.gov/vuln/detail/CVE-2026-3442 > https://www.suse.com/security/cve/CVE-2026-3441.html > https://www.suse.com/security/cve/CVE-2026-3442.html > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- > .../binutils/binutils-2.42.inc | 1 + > .../CVE-2026-3441_CVE-2026-3442.patch | 50 +++++++++++++++++++ > 2 files changed, 51 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 839d31242e..5d91a41648 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -69,5 +69,6 @@ SRC_URI = "\ > file://0028-CVE-2025-11494.patch \ > file://0029-CVE-2025-11839.patch \ > file://0030-CVE-2025-11840.patch \ > + file://CVE-2026-3441_CVE-2026-3442.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > new file mode 100644 > index 0000000000..28cface2c9 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > @@ -0,0 +1,50 @@ > +From 88a051b765a7684b24250907c2dad9fa8cd4124a Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amodra@gmail.com> > +Date: Sat, 28 Feb 2026 13:16:40 +1030 > +Subject: [PATCH] xcofflink buffer overflows > + > +This fixes two fuzzed object file out-of-bounds accesses. > + > + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check > + XTY_LD x_scnlen index. Sanity check r_symndx before using it > + to index sym hashes. > + > +CVE: CVE-2026-3441 CVE-2026-3442 > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] > + > +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + bfd/xcofflink.c | 10 ++++------ > + 1 file changed, 4 insertions(+), 6 deletions(-) > + Hello, This patch has a weird format: > +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c > +index e0165d202a9..88c49755c64 100644 > +--- a/bfd/xcofflink.c > ++++ b/bfd/xcofflink.c > +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + follow its appropriate XTY_SD symbol. The .set pseudo op can ^ here a context line starts with a TAB instead of the usual space. Can you check please? > + cause the XTY_LD to not follow the XTY_SD symbol. */ > + { > +- bool bad; > +- > +- bad = false; > +- if (aux.x_csect.x_scnlen.u64 > +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) > +- bad = true; > ++ bool bad = (aux.x_csect.x_scnlen.u64 > ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) > ++ / symesz)); > + if (! bad) > + { > + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; > +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + functions imported from dynamic objects. */ > + if (info->output_bfd->xvec == abfd->xvec > + && *rel_csect != bfd_und_section_ptr > ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) > + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) > + { > + struct xcoff_link_hash_entry *h; > +-- ^ Also, this line usually has a ending space. Maybe some tool decided to rewrite spaces, unaware of the patch expected format? Thanks! > +2.44.4 -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 10+ messages in thread
* [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal @ 2026-05-13 17:27 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:39 ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 2 replies; 10+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:27 UTC (permalink / raw) To: yoann.congal, openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses two out-of-bounds read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes shown in [2] are referenced by [3] and [4]. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3441 https://nvd.nist.gov/vuln/detail/CVE-2026-3442 https://www.suse.com/security/cve/CVE-2026-3441.html https://www.suse.com/security/cve/CVE-2026-3442.html Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes v1 -> v2: - fixed tab issue around context lines .../binutils/binutils-2.42.inc | 1 + .../CVE-2026-3441_CVE-2026-3442.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a865c45f4..1a91792b13 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -74,5 +74,6 @@ SRC_URI = "\ file://0030-CVE-2025-11840.patch \ file://CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ + file://CVE-2026-3441_CVE-2026-3442.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch new file mode 100644 index 0000000000..ada80e5189 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch @@ -0,0 +1,51 @@ +From a28f517b1e3c3c22d5984e82046dcb844eef63fd Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 28 Feb 2026 13:16:40 +1030 +Subject: [PATCH] xcofflink buffer overflows + +This fixes two fuzzed object file out-of-bounds accesses. + + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check + XTY_LD x_scnlen index. Sanity check r_symndx before using it + to index sym hashes. + +CVE: CVE-2026-3441 CVE-2026-3442 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] + +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/xcofflink.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index e0165d202a9..88c49755c64 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + follow its appropriate XTY_SD symbol. The .set pseudo op can + cause the XTY_LD to not follow the XTY_SD symbol. */ + { +- bool bad; +- +- bad = false; +- if (aux.x_csect.x_scnlen.u64 +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) +- bad = true; ++ bool bad = (aux.x_csect.x_scnlen.u64 ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) ++ / symesz)); + if (! bad) + { + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + functions imported from dynamic objects. */ + if (info->output_bfd->xvec == abfd->xvec + && *rel_csect != bfd_und_section_ptr ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) + { + struct xcoff_link_hash_entry *h; +-- +2.35.6 + -- 2.35.6 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:27 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-06-03 21:09 ` Yoann Congal 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 1 sibling, 1 reply; 10+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:27 UTC (permalink / raw) To: yoann.congal, openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses an out-of-bounds read issue in XCOFF relocation processing, as described in [2]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 Reference: https://bugzilla.suse.com/show_bug.cgi?id=1260338 https://www.suse.com/security/cve/CVE-2026-4647.html https://nvd.nist.gov/vuln/detail/CVE-2026-4647 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes v1 -> v2: - fixed tab issue around context lines .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a91792b13..3296573baf 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -75,5 +75,6 @@ SRC_URI = "\ file://CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ file://CVE-2026-3441_CVE-2026-3442.patch \ + file://CVE-2026-4647.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch new file mode 100644 index 0000000000..564c435692 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch @@ -0,0 +1,228 @@ +From a0df757a2ad6728da209fa7fcc9f3a598183999b Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 13 Mar 2026 17:28:28 +1030 +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing + + PR 33919 + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit + array size. + (xcoff_complain_overflow): Likewise. + (xcoff_rtype2howto): Return a NULL howto rather than aborting. + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. + (xcoff_ppc_relocate_section): Sanity check reloc r_type before + accessing xcoff_howto_table. Print r_type using %#x. Remove + now redundant later reloc r_type sanity check. + * coff64-rs6000.c: Similarly. + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. + +CVE: CVE-2026-4647 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] + +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- + bfd/libxcoff.h | 3 --- + 3 files changed, 41 insertions(+), 31 deletions(-) + +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 87feb672bf1..0f2cc496b63 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; + static xcoff_complain_function xcoff_complain_overflow_signed_func; + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; + +-xcoff_reloc_function *const +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ + }; + +-xcoff_complain_function *const +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = ++xcoff_complain_function *const xcoff_complain_overflow[] = + { + xcoff_complain_overflow_dont_func, + xcoff_complain_overflow_bitfield_func, +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = + void + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff_howto_table[internal->r_type]; +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x1f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) + if (xcoff_howto_table[i].name != NULL + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) + return &xcoff_howto_table[i]; +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); + return false; + } +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c +index 0f8d9e08783..c74698070d5 100644 +--- a/bfd/coff64-rs6000.c ++++ b/bfd/coff64-rs6000.c +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook + /* Relocation functions */ + static xcoff_reloc_function xcoff64_reloc_type_br; + +-xcoff_reloc_function *const +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = + void + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff64_howto_table[internal->r_type]; +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x3f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) + if (xcoff64_howto_table[i].name != NULL + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) + return &xcoff64_howto_table[i]; +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" + " r_rsize (0x%x)\n"), + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); + return false; +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff64_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h +index 81c4e205e06..ca716a9ef3a 100644 +--- a/bfd/libxcoff.h ++++ b/bfd/libxcoff.h +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) + +-/* xcoff*_ppc_relocate_section macros */ +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ + #ifdef N_ONES + #undef N_ONES +-- +2.35.6 + -- 2.35.6 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-03 21:09 ` Yoann Congal 2026-07-06 10:43 ` Yoann Congal 0 siblings, 1 reply; 10+ messages in thread From: Yoann Congal @ 2026-06-03 21:09 UTC (permalink / raw) To: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco), openembedded-core On Wed May 13, 2026 at 7:27 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1], which addresses an out-of-bounds > read issue in XCOFF relocation processing, as described in [2]. > > [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 > [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 > > Reference: > https://bugzilla.suse.com/show_bug.cgi?id=1260338 > https://www.suse.com/security/cve/CVE-2026-4647.html > https://nvd.nist.gov/vuln/detail/CVE-2026-4647 > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- Hello, Same as 1/2, this look like it's needed on master/wrynose. Can you send the fix there and ping back here? Thanks! > Changes v1 -> v2: > - fixed tab issue around context lines > > .../binutils/binutils-2.42.inc | 1 + > .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ > 2 files changed, 229 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 1a91792b13..3296573baf 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -75,5 +75,6 @@ SRC_URI = "\ > file://CVE-2025-69647.patch \ > file://CVE-2025-69648.patch \ > file://CVE-2026-3441_CVE-2026-3442.patch \ > + file://CVE-2026-4647.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch > new file mode 100644 > index 0000000000..564c435692 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch > @@ -0,0 +1,228 @@ > +From a0df757a2ad6728da209fa7fcc9f3a598183999b Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amodra@gmail.com> > +Date: Fri, 13 Mar 2026 17:28:28 +1030 > +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing > + > + PR 33919 > + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit > + array size. > + (xcoff_complain_overflow): Likewise. > + (xcoff_rtype2howto): Return a NULL howto rather than aborting. > + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. > + (xcoff_ppc_relocate_section): Sanity check reloc r_type before > + accessing xcoff_howto_table. Print r_type using %#x. Remove > + now redundant later reloc r_type sanity check. > + * coff64-rs6000.c: Similarly. > + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. > + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. > + > +CVE: CVE-2026-4647 > +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] > + > +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- > + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- > + bfd/libxcoff.h | 3 --- > + 3 files changed, 41 insertions(+), 31 deletions(-) > + > +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c > +index 87feb672bf1..0f2cc496b63 100644 > +--- a/bfd/coff-rs6000.c > ++++ b/bfd/coff-rs6000.c > +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; > + static xcoff_complain_function xcoff_complain_overflow_signed_func; > + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; > + > +-xcoff_reloc_function *const > +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = > ++xcoff_reloc_function *const xcoff_calculate_relocation[] = > + { > + xcoff_reloc_type_pos, /* R_POS (0x00) */ > + xcoff_reloc_type_neg, /* R_NEG (0x01) */ > +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = > + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ > + }; > + > +-xcoff_complain_function *const > +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = > ++xcoff_complain_function *const xcoff_complain_overflow[] = > + { > + xcoff_complain_overflow_dont_func, > + xcoff_complain_overflow_bitfield_func, > +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = > + void > + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) > + { > +- if (internal->r_type > R_TOCL) > +- abort (); > ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) > ++ { > ++ relent->howto = NULL; > ++ return; > ++ } > + > + /* Default howto layout works most of the time */ > + relent->howto = &xcoff_howto_table[internal->r_type]; > +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) > + if (relent->howto->dst_mask != 0 > + && (relent->howto->bitsize > + != ((unsigned int) internal->r_size & 0x1f) + 1)) > +- abort (); > ++ relent->howto = NULL; > + } > + > + reloc_howto_type * > +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, > + { > + unsigned int i; > + > +- for (i = 0; > +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); > +- i++) > ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) > + if (xcoff_howto_table[i].name != NULL > + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) > + return &xcoff_howto_table[i]; > +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, > + the csect including the symbol which it references. */ > + if (rel->r_type == R_REF) > + continue; > ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) > ++ { > ++ /* xgettext:c-format */ > ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), > ++ input_bfd, rel->r_type); > ++ bfd_set_error (bfd_error_bad_value); > ++ return false; > ++ } > + > + /* Retrieve default value in HOWTO table and fix up according > + to r_size field, if it can be different. > +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, > + > + default: > + _bfd_error_handler > +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), > ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), > + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); > + return false; > + } > +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, > + } > + } > + > +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION > +- || !((*xcoff_calculate_relocation[rel->r_type]) > +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > +- addend, &relocation, contents, info))) > ++ if (!((*xcoff_calculate_relocation[rel->r_type]) > ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > ++ addend, &relocation, contents, info))) > + return false; > + > + /* address */ > +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c > +index 0f8d9e08783..c74698070d5 100644 > +--- a/bfd/coff64-rs6000.c > ++++ b/bfd/coff64-rs6000.c > +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook > + /* Relocation functions */ > + static xcoff_reloc_function xcoff64_reloc_type_br; > + > +-xcoff_reloc_function *const > +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = > ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = > + { > + xcoff_reloc_type_pos, /* R_POS (0x00) */ > + xcoff_reloc_type_neg, /* R_NEG (0x01) */ > +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = > + void > + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) > + { > +- if (internal->r_type > R_TOCL) > +- abort (); > ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) > ++ { > ++ relent->howto = NULL; > ++ return; > ++ } > + > + /* Default howto layout works most of the time */ > + relent->howto = &xcoff64_howto_table[internal->r_type]; > +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) > + if (relent->howto->dst_mask != 0 > + && (relent->howto->bitsize > + != ((unsigned int) internal->r_size & 0x3f) + 1)) > +- abort (); > ++ relent->howto = NULL; > + } > + > + reloc_howto_type * > +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, > + { > + unsigned int i; > + > +- for (i = 0; > +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); > +- i++) > ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) > + if (xcoff64_howto_table[i].name != NULL > + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) > + return &xcoff64_howto_table[i]; > +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, > + the csect including the symbol which it references. */ > + if (rel->r_type == R_REF) > + continue; > ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) > ++ { > ++ /* xgettext:c-format */ > ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), > ++ input_bfd, rel->r_type); > ++ bfd_set_error (bfd_error_bad_value); > ++ return false; > ++ } > + > + /* Retrieve default value in HOWTO table and fix up according > + to r_size field, if it can be different. > +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, > + > + default: > + _bfd_error_handler > +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" > ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" > + " r_rsize (0x%x)\n"), > + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); > + return false; > +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, > + } > + } > + > +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION > +- || !((*xcoff64_calculate_relocation[rel->r_type]) > +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > +- addend, &relocation, contents, info))) > ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) > ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > ++ addend, &relocation, contents, info))) > + return false; > + > + /* address */ > +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h > +index 81c4e205e06..ca716a9ef3a 100644 > +--- a/bfd/libxcoff.h > ++++ b/bfd/libxcoff.h > +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec > + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) > + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) > + > +-/* xcoff*_ppc_relocate_section macros */ > +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) > +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) > + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ > + #ifdef N_ONES > + #undef N_ONES > +-- > +2.35.6 > + -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 2026-06-03 21:09 ` Yoann Congal @ 2026-07-06 10:43 ` Yoann Congal 0 siblings, 0 replies; 10+ messages in thread From: Yoann Congal @ 2026-07-06 10:43 UTC (permalink / raw) To: Yoann Congal, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco), openembedded-core On Wed Jun 3, 2026 at 11:09 PM CEST, Yoann Congal wrote: > On Wed May 13, 2026 at 7:27 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote: >> From: Sudhir Dumbhare <sudumbha@cisco.com> >> >> This patch applies the upstream fix [1], which addresses an out-of-bounds >> read issue in XCOFF relocation processing, as described in [2]. >> >> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 >> [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 >> >> Reference: >> https://bugzilla.suse.com/show_bug.cgi?id=1260338 >> https://www.suse.com/security/cve/CVE-2026-4647.html >> https://nvd.nist.gov/vuln/detail/CVE-2026-4647 >> >> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> >> --- > > Hello, > > Same as 1/2, this look like it's needed on master/wrynose. Can you send > the fix there and ping back here? > > Thanks! Hello, I will now drop this patch. If the above situation changes, please send a new patch. Regards, -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-03 21:02 ` Yoann Congal 2026-07-08 12:15 ` [scarthgap][PATCH " Sudhir Dumbhare 1 sibling, 1 reply; 10+ messages in thread From: Yoann Congal @ 2026-06-03 21:02 UTC (permalink / raw) To: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco), openembedded-core On Wed May 13, 2026 at 7:27 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1], which addresses two out-of-bounds > read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes > shown in [2] are referenced by [3] and [4]. > > [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf > [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 > [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2026-3441 > https://nvd.nist.gov/vuln/detail/CVE-2026-3442 > https://www.suse.com/security/cve/CVE-2026-3441.html > https://www.suse.com/security/cve/CVE-2026-3442.html > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- Hello, Thanks for this new version but as far as I can tell, those CVEs also apply to master and wrynose, can you send the fix for those branches and ping back here? Thanks! > Changes v1 -> v2: > - fixed tab issue around context lines > > .../binutils/binutils-2.42.inc | 1 + > .../CVE-2026-3441_CVE-2026-3442.patch | 51 +++++++++++++++++++ > 2 files changed, 52 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 1a865c45f4..1a91792b13 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -74,5 +74,6 @@ SRC_URI = "\ > file://0030-CVE-2025-11840.patch \ > file://CVE-2025-69647.patch \ > file://CVE-2025-69648.patch \ > + file://CVE-2026-3441_CVE-2026-3442.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > new file mode 100644 > index 0000000000..ada80e5189 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > @@ -0,0 +1,51 @@ > +From a28f517b1e3c3c22d5984e82046dcb844eef63fd Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amodra@gmail.com> > +Date: Sat, 28 Feb 2026 13:16:40 +1030 > +Subject: [PATCH] xcofflink buffer overflows > + > +This fixes two fuzzed object file out-of-bounds accesses. > + > + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check > + XTY_LD x_scnlen index. Sanity check r_symndx before using it > + to index sym hashes. > + > +CVE: CVE-2026-3441 CVE-2026-3442 > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] > + > +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + bfd/xcofflink.c | 10 ++++------ > + 1 file changed, 4 insertions(+), 6 deletions(-) > + > +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c > +index e0165d202a9..88c49755c64 100644 > +--- a/bfd/xcofflink.c > ++++ b/bfd/xcofflink.c > +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + follow its appropriate XTY_SD symbol. The .set pseudo op can > + cause the XTY_LD to not follow the XTY_SD symbol. */ > + { > +- bool bad; > +- > +- bad = false; > +- if (aux.x_csect.x_scnlen.u64 > +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) > +- bad = true; > ++ bool bad = (aux.x_csect.x_scnlen.u64 > ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) > ++ / symesz)); > + if (! bad) > + { > + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; > +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + functions imported from dynamic objects. */ > + if (info->output_bfd->xvec == abfd->xvec > + && *rel_csect != bfd_und_section_ptr > ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) > + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) > + { > + struct xcoff_link_hash_entry *h; > +-- > +2.35.6 > + -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal @ 2026-07-08 12:15 ` Sudhir Dumbhare 0 siblings, 0 replies; 10+ messages in thread From: Sudhir Dumbhare @ 2026-07-08 12:15 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 470 bytes --] Hello Yoann, Thank you for your review and for pointing this out. I have submitted the patch for the master branch here: [master][PATCH] binutils: fix CVE-2026-3441 and CVE-2026-3442 ( https://lists.openembedded.org/g/openembedded-core/message/240335 ) and the patch for the wrynose branch here: [wrynose][PATCH] binutils: fix CVE-2026-3441 and CVE-2026-3442 ( https://lists.openembedded.org/g/openembedded-core/message/240336 ) Thanks and Regards, Sudhir [-- Attachment #2: Type: text/html, Size: 751 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:39 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 0 replies; 10+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:39 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 447 bytes --] Hi Yoann, Thank you for your review. I have regenerated the patch and address the issue which you have highlighted. I have resent the v2 here: [scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 ( https://lists.openembedded.org/g/openembedded-core/message/236997 ) [scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 ( https://lists.openembedded.org/g/openembedded-core/message/236998 ) Thanks and Regards, Sudhir [-- Attachment #2: Type: text/html, Size: 742 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2026-07-08 12:15 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-06-03 21:09 ` Yoann Congal 2026-07-06 10:43 ` Yoann Congal 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-07-08 12:15 ` [scarthgap][PATCH " Sudhir Dumbhare 2026-05-13 17:39 ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.