public inbox for openembedded-core@lists.openembedded.org
* [OE-core][master][PATCH] binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputed
@ 2026-04-02  9:16 Adarsh Jagadish Kamini
  2026-04-02  9:40 ` Hemanth Kumar M D
  0 siblings, 1 reply; 2+ messages in thread
From: Adarsh Jagadish Kamini @ 2026-04-02  9:16 UTC (permalink / raw)
  To: openembedded-core; +Cc: Adarsh Jagadish Kamini

From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>

Both CVEs are disputed by third parties. The observed behavior
(double free / invalid pointer free in readelf) only occurred in
pre-release code and did not affect any tagged version [1][2].

CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"

[1] https://www.cve.org/CVERecord?id=CVE-2025-69650
[2] https://www.cve.org/CVERecord?id=CVE-2025-69651

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
---
 meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
index ff10050dd9..cd2867c421 100644
--- a/meta/recipes-devtools/binutils/binutils-2.46.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
@@ -18,6 +18,9 @@ SRCBRANCH ?= "binutils-2_46-branch"
 
 UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
 
+CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
+CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
+
 SRCREV ?= "49d4d3fafa4ec4ff5a3460d91d5b1ed5286487db"
 BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
 SRC_URI = "\
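Review bot: The reason string on both added CVE_STATUS lines argues from "does not affect any tagged version", but the context lines of this hunk show the recipe building from SRCREV 49d4d3fafa4ec4ff5a3460d91d5b1ed5286487db on binutils-2_46-branch, not from a tag, so the stated reason does not by itself cover the commit that is actually built. Please confirm in the commit message that this SRCREV does not contain the pre-release code in question, or reword the reason to say so. The CVE record links [1][2] also appear only in the commit message; a short comment above the two entries pointing to them would keep the basis for the dispute visible in the .inc file itself.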
-- 
2.34.1




* Re: [OE-core][master][PATCH] binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputed
  2026-04-02  9:16 [OE-core][master][PATCH] binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputed Adarsh Jagadish Kamini
@ 2026-04-02  9:40 ` Hemanth Kumar M D
  0 siblings, 0 replies; 2+ messages in thread
From: Hemanth Kumar M D @ 2026-04-02  9:40 UTC (permalink / raw)
  To: openembedded-core

Hi Adarsh,

Could you please also send this for kirkstone? The same patch is 
required there as well.

On 02-04-2026 02:46 pm, Adarsh Jagadish Kamini via 
lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Both CVEs are disputed by third parties. The observed behavior
> (double free / invalid pointer free in readelf) only occurred in
> pre-release code and did not affect any tagged version [1][2].
>
> CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
> CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
>
> [1] https://www.cve.org/CVERecord?id=CVE-2025-69650
> [2] https://www.cve.org/CVERecord?id=CVE-2025-69651
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
>   meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
> index ff10050dd9..cd2867c421 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
> @@ -18,6 +18,9 @@ SRCBRANCH ?= "binutils-2_46-branch"
>
>   UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
>
> +CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
> +CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
> +
>   SRCREV ?= "49d4d3fafa4ec4ff5a3460d91d5b1ed5286487db"
>   BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
>   SRC_URI = "\
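Review bot: For the kirkstone resend requested in this reply, the quoted hunk is tied to binutils-2.46.inc and anchors on the SRCBRANCH ?= "binutils-2_46-branch" context line, so it only applies where the recipe carries that file and branch. A stable-branch version should be generated against the binutils include file that branch actually ships, and the "observed behavior only in pre-release code" reasoning should be re-checked against that binutils version before the same status text is reused.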
> --
> 2.34.1
>
-- 
Regards,
Hemanth Kumar M D


