From: Roland Kovacs <roland.kovacs@est.tech>
To: openembedded-core@lists.openembedded.org
Subject: [scarthgap][PATCH] binutils: fix CVE-2025-69649, and CVE-2025-69652
Date: Tue, 30 Jun 2026 10:25:09 +0200 [thread overview]
Message-ID: <20260630082509.34865-1-roland.kovacs@est.tech> (raw)
CVE-2025-69649:
Null pointer dereference in readelf before 2.46 results in segfault when
processing a crafted ELF binary with malformed header fields.
No evidence of memory corruption beyond the null pointer dereference, nor
any possibility of code execution, was observed.
CVE-2025-69652:
Null pointer dereference in readelf when processing a crafted ELF binary
with malformed DWARF abbrev or debug information which leads to SIGABORT.
No evidence of memory corruption or code execution was observed; the impact
is limited to denial of service.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
.../binutils/binutils-2.42.inc | 2 +
.../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++
.../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++
3 files changed, 77 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 1a865c45f4..da954fc138 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -74,5 +74,7 @@ SRC_URI = "\
file://0030-CVE-2025-11840.patch \
file://CVE-2025-69647.patch \
file://CVE-2025-69648.patch \
+ file://CVE-2025-69649.patch \
+ file://CVE-2025-69652.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
new file mode 100644
index 0000000000..4865ad6535
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
@@ -0,0 +1,36 @@
+From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 8 Dec 2025 15:58:33 +1030
+Subject: [PATCH] PR 33697, fuzzer segfault
+
+ PR 33697
+ * readelf.c (process_relocs): Don't segfault on no sections.
+
+CVE: CVE-2025-69649
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ binutils/readelf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 5e4ad6ea6ad..8c1987ffaec 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
+ size_t i;
+ bool found = false;
+
+- for (i = 0, section = filedata->section_headers;
+- i < filedata->file_header.e_shnum;
+- i++, section++)
++ section = filedata->section_headers;
++ if (section != NULL)
++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
+ {
+ if ( section->sh_type != SHT_RELA
+ && section->sh_type != SHT_REL
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
new file mode 100644
index 0000000000..a085d20095
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
@@ -0,0 +1,39 @@
+From 034627143b85563fe4b4e416422d9dea8e66bd6f Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 8 Dec 2025 16:04:44 +1030
+Subject: [PATCH] PR 33701, abort in byte_get_little_endian
+
+ PR 33701
+ * dwarf.c (process_debug_info): Set debug_info_p NULL when
+ DEBUG_INFO_UNAVAILABLE.
+
+CVE: CVE-2025-69652
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ binutils/dwarf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 615e051b2bf..13b11b46e41 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -4222,9 +4222,11 @@ process_debug_info (struct dwarf_section * section,
+ break;
+ }
+
+- debug_info *debug_info_p =
+- (debug_information && unit < alloc_num_debug_info_entries)
+- ? debug_information + unit : NULL;
++ debug_info *debug_info_p = NULL;
++ if (debug_information
++ && num_debug_info_entries != DEBUG_INFO_UNAVAILABLE
++ && unit < alloc_num_debug_info_entries)
++ debug_info_p = debug_information + unit;
+
+ assert (!debug_info_p
+ || (debug_info_p->num_loc_offsets
+--
+2.34.1
+
--
2.34.1
reply other threads:[~2026-06-30 8:25 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630082509.34865-1-roland.kovacs@est.tech \
--to=roland.kovacs@est.tech \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox