[whinlatter][PATCH 1/2] binutils: fix CVE-2025-11839

[whinlatter][PATCH 1/2] binutils: fix CVE-2025-11839

[Yash.Shinde]

From: Yash Shinde <Yash.Shinde@windriver.com>

CVE-2025-11839

PR 33448
[BUG] Aborted in tg_tag_type at prdbg.c:2452
Remove call to abort in the DGB debug format printing code, thus allowing
the display of a fuzzed input file to complete without triggering an abort.

https://sourceware.org/bugzilla/show_bug.cgi?id=33448

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
---
 .../binutils/binutils-2.45.inc                |  1 +
 .../binutils/0019-CVE-2025-11839.patch        | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 680ba82e86..2f61c9377b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -44,4 +44,5 @@ SRC_URI = "\
      file://CVE-2025-11413.patch \
      file://CVE-2025-11495.patch \
      file://0018-CVE-2025-11494.patch \     
+     file://0019-CVE-2025-11839.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch b/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
new file mode 100644
index 0000000000..7f2f6d553d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
@@ -0,0 +1,32 @@
+From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 3 Nov 2025 11:49:02 +0000
+Subject: [PATCH] Remove call to abort in the DGB debug format printing code,
+ thus allowing the display of a fuzzed input file to complete without
+ triggering an abort.
+
+PR 33448
+---
+ binutils/prdbg.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
+CVE: CVE-2025-11839
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c239aeb1a79..5d405c48e3d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id,
+       t = "union class ";
+       break;
+     default:
+-      abort ();
+       return false;
+     }
+ 
+-- 
+2.43.7
+
-- 
2.49.0

[whinlatter][PATCH 2/2] binutils: fix CVE-2025-11840

[Yash.Shinde]

From: Yash Shinde <Yash.Shinde@windriver.com>

CVE-2025-11840

PR 33455
[BUG] A SEGV in vfinfo at ldmisc.c:527
A reloc howto set up with EMPTY_HOWTO has a NULL name.  More than one
place emitting diagnostics assumes a reloc howto won't have a NULL
name.

https://sourceware.org/bugzilla/show_bug.cgi?id=33455

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
---
 .../binutils/binutils-2.45.inc                |  1 +
 .../binutils/0020-CVE-2025-11840.patch        | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0020-CVE-2025-11840.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 2f61c9377b..e707f3f5fe 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -45,4 +45,5 @@ SRC_URI = "\
      file://CVE-2025-11495.patch \
      file://0018-CVE-2025-11494.patch \     
      file://0019-CVE-2025-11839.patch \
+     file://0020-CVE-2025-11840.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-11840.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-11840.patch
new file mode 100644
index 0000000000..3fb4db880e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-11840.patch
@@ -0,0 +1,37 @@
+From f6b0f53a36820da91eadfa9f466c22f92e4256e0 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 3 Nov 2025 09:03:37 +1030
+Subject: [PATCH] PR 33455 SEGV in vfinfo at ldmisc.c:527
+
+A reloc howto set up with EMPTY_HOWTO has a NULL name.  More than one
+place emitting diagnostics assumes a reloc howto won't have a NULL
+name.
+
+	PR 33455
+	* coffcode.h (coff_slurp_reloc_table): Don't allow a howto with
+	a NULL name.
+---
+ bfd/coffcode.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]
+CVE: CVE-2025-11840
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index 1e5acc0032c..ce1e39131b4 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -5345,7 +5345,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols)
+       RTYPE2HOWTO (cache_ptr, &dst);
+ #endif	/* RELOC_PROCESSING */
+ 
+-      if (cache_ptr->howto == NULL)
++      if (cache_ptr->howto == NULL || cache_ptr->howto->name == NULL)
+ 	{
+ 	  _bfd_error_handler
+ 	    /* xgettext:c-format */
+-- 
+2.43.7
+
-- 
2.49.0

Re: [whinlatter][PATCH 1/2] binutils: fix CVE-2025-11839

[Steve Sakoman]

This series doesn't apply to the current stable/whinlatter-nut branch:

~/Repos/openembedded-core (stable/whinlatter-nut) $ git am -3
~/Downloads/whinlatter-1-2-binutils-fix-CVE-2025-11839.patch
Applying: binutils: fix CVE-2025-11839
error: sha1 information is lacking or useless
(meta/recipes-devtools/binutils/binutils-2.45.inc).
error: could not build fake ancestor
Patch failed at 0001 binutils: fix CVE-2025-11839
hint: Use 'git am --show-current-patch=diff' to see the failed patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Steve

On Sun, Dec 21, 2025 at 8:34 PM <Yash.Shinde@windriver.com> wrote:
>
> From: Yash Shinde <Yash.Shinde@windriver.com>
>
> CVE-2025-11839
>
> PR 33448
> [BUG] Aborted in tg_tag_type at prdbg.c:2452
> Remove call to abort in the DGB debug format printing code, thus allowing
> the display of a fuzzed input file to complete without triggering an abort.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=33448
>
> Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
>
> Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
> ---
>  .../binutils/binutils-2.45.inc                |  1 +
>  .../binutils/0019-CVE-2025-11839.patch        | 32 +++++++++++++++++++
>  2 files changed, 33 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
> index 680ba82e86..2f61c9377b 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.45.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
> @@ -44,4 +44,5 @@ SRC_URI = "\
>       file://CVE-2025-11413.patch \
>       file://CVE-2025-11495.patch \
>       file://0018-CVE-2025-11494.patch \
> +     file://0019-CVE-2025-11839.patch \
>  "
> diff --git a/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch b/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
> new file mode 100644
> index 0000000000..7f2f6d553d
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
> @@ -0,0 +1,32 @@
> +From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc@redhat.com>
> +Date: Mon, 3 Nov 2025 11:49:02 +0000
> +Subject: [PATCH] Remove call to abort in the DGB debug format printing code,
> + thus allowing the display of a fuzzed input file to complete without
> + triggering an abort.
> +
> +PR 33448
> +---
> + binutils/prdbg.c | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
> +CVE: CVE-2025-11839
> +
> +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
> +
> +diff --git a/binutils/prdbg.c b/binutils/prdbg.c
> +index c239aeb1a79..5d405c48e3d 100644
> +--- a/binutils/prdbg.c
> ++++ b/binutils/prdbg.c
> +@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id,
> +       t = "union class ";
> +       break;
> +     default:
> +-      abort ();
> +       return false;
> +     }
> +
> +--
> +2.43.7
> +
> --
> 2.49.0
>

Re: [whinlatter][PATCH 1/2] binutils: fix CVE-2025-11839

[Yash Shinde]

On 22-12-2025 22:29, Steve Sakoman wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> This series doesn't apply to the current stable/whinlatter-nut branch:
There was a white-space issue.
I resolved it and sent a v2.
https://lists.openembedded.org/g/openembedded-core/message/228450


Regards,
Yash
>
> ~/Repos/openembedded-core (stable/whinlatter-nut) $ git am -3
> ~/Downloads/whinlatter-1-2-binutils-fix-CVE-2025-11839.patch
> Applying: binutils: fix CVE-2025-11839
> error: sha1 information is lacking or useless
> (meta/recipes-devtools/binutils/binutils-2.45.inc).
> error: could not build fake ancestor
> Patch failed at 0001 binutils: fix CVE-2025-11839
> hint: Use 'git am --show-current-patch=diff' to see the failed patch
> When you have resolved this problem, run "git am --continue".
> If you prefer to skip this patch, run "git am --skip" instead.
> To restore the original branch and stop patching, run "git am --abort".
>
> Steve
>
> On Sun, Dec 21, 2025 at 8:34 PM <Yash.Shinde@windriver.com> wrote:
>> From: Yash Shinde <Yash.Shinde@windriver.com>
>>
>> CVE-2025-11839
>>
>> PR 33448
>> [BUG] Aborted in tg_tag_type at prdbg.c:2452
>> Remove call to abort in the DGB debug format printing code, thus allowing
>> the display of a fuzzed input file to complete without triggering an abort.
>>
>> https://sourceware.org/bugzilla/show_bug.cgi?id=33448
>>
>> Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
>>
>> Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
>> ---
>>   .../binutils/binutils-2.45.inc                |  1 +
>>   .../binutils/0019-CVE-2025-11839.patch        | 32 +++++++++++++++++++
>>   2 files changed, 33 insertions(+)
>>   create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
>>
>> diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
>> index 680ba82e86..2f61c9377b 100644
>> --- a/meta/recipes-devtools/binutils/binutils-2.45.inc
>> +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
>> @@ -44,4 +44,5 @@ SRC_URI = "\
>>        file://CVE-2025-11413.patch \
>>        file://CVE-2025-11495.patch \
>>        file://0018-CVE-2025-11494.patch \
>> +     file://0019-CVE-2025-11839.patch \
>>   "
>> diff --git a/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch b/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
>> new file mode 100644
>> index 0000000000..7f2f6d553d
>> --- /dev/null
>> +++ b/meta/recipes-devtools/binutils/binutils/0019-CVE-2025-11839.patch
>> @@ -0,0 +1,32 @@
>> +From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001
>> +From: Nick Clifton <nickc@redhat.com>
>> +Date: Mon, 3 Nov 2025 11:49:02 +0000
>> +Subject: [PATCH] Remove call to abort in the DGB debug format printing code,
>> + thus allowing the display of a fuzzed input file to complete without
>> + triggering an abort.
>> +
>> +PR 33448
>> +---
>> + binutils/prdbg.c | 1 -
>> + 1 file changed, 1 deletion(-)
>> +
>> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
>> +CVE: CVE-2025-11839
>> +
>> +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
>> +
>> +diff --git a/binutils/prdbg.c b/binutils/prdbg.c
>> +index c239aeb1a79..5d405c48e3d 100644
>> +--- a/binutils/prdbg.c
>> ++++ b/binutils/prdbg.c
>> +@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id,
>> +       t = "union class ";
>> +       break;
>> +     default:
>> +-      abort ();
>> +       return false;
>> +     }
>> +
>> +--
>> +2.43.7
>> +
>> --
>> 2.49.0
>>
-- 
Regards,
Yash Shinde