* [scarthgap][PATCH] binutils: fix CVE-2025-69649, and CVE-2025-69652
@ 2026-06-30 8:25 Roland Kovacs
0 siblings, 0 replies; only message in thread
From: Roland Kovacs @ 2026-06-30 8:25 UTC (permalink / raw)
To: openembedded-core
CVE-2025-69649:
Null pointer dereference in readelf before 2.46 results in segfault when
processing a crafted ELF binary with malformed header fields.
No evidence of memory corruption beyond the null pointer dereference, nor
any possibility of code execution, was observed.
CVE-2025-69652:
Null pointer dereference in readelf when processing a crafted ELF binary
with malformed DWARF abbrev or debug information which leads to SIGABORT.
No evidence of memory corruption or code execution was observed; the impact
is limited to denial of service.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
.../binutils/binutils-2.42.inc | 2 +
.../binutils/binutils/CVE-2025-69649.patch | 36 +++++++++++++++++
.../binutils/binutils/CVE-2025-69652.patch | 39 +++++++++++++++++++
3 files changed, 77 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 1a865c45f4..da954fc138 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -74,5 +74,7 @@ SRC_URI = "\
file://0030-CVE-2025-11840.patch \
file://CVE-2025-69647.patch \
file://CVE-2025-69648.patch \
+ file://CVE-2025-69649.patch \
+ file://CVE-2025-69652.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
new file mode 100644
index 0000000000..4865ad6535
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
@@ -0,0 +1,36 @@
+From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 8 Dec 2025 15:58:33 +1030
+Subject: [PATCH] PR 33697, fuzzer segfault
+
+ PR 33697
+ * readelf.c (process_relocs): Don't segfault on no sections.
+
+CVE: CVE-2025-69649
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ binutils/readelf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 5e4ad6ea6ad..8c1987ffaec 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
+ size_t i;
+ bool found = false;
+
+- for (i = 0, section = filedata->section_headers;
+- i < filedata->file_header.e_shnum;
+- i++, section++)
++ section = filedata->section_headers;
++ if (section != NULL)
++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
+ {
+ if ( section->sh_type != SHT_RELA
+ && section->sh_type != SHT_REL
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
new file mode 100644
index 0000000000..a085d20095
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
@@ -0,0 +1,39 @@
+From 034627143b85563fe4b4e416422d9dea8e66bd6f Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 8 Dec 2025 16:04:44 +1030
+Subject: [PATCH] PR 33701, abort in byte_get_little_endian
+
+ PR 33701
+ * dwarf.c (process_debug_info): Set debug_info_p NULL when
+ DEBUG_INFO_UNAVAILABLE.
+
+CVE: CVE-2025-69652
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=44b79abd0fa12e7947252eb4c6e5d16ed6033e01]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ binutils/dwarf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 615e051b2bf..13b11b46e41 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -4222,9 +4222,11 @@ process_debug_info (struct dwarf_section * section,
+ break;
+ }
+
+- debug_info *debug_info_p =
+- (debug_information && unit < alloc_num_debug_info_entries)
+- ? debug_information + unit : NULL;
++ debug_info *debug_info_p = NULL;
++ if (debug_information
++ && num_debug_info_entries != DEBUG_INFO_UNAVAILABLE
++ && unit < alloc_num_debug_info_entries)
++ debug_info_p = debug_information + unit;
+
+ assert (!debug_info_p
+ || (debug_info_p->num_loc_offsets
+--
+2.34.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-30 8:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 8:25 [scarthgap][PATCH] binutils: fix CVE-2025-69649, and CVE-2025-69652 Roland Kovacs
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox