* [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414
@ 2025-10-20 22:09 Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 2/5] binutils: patch CVE-2025-11412 Peter Marko
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Peter Marko @ 2025-10-20 22:09 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD CVE report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../binutils/binutils-2.45.inc | 1 +
.../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 391b0157d3a..2adff3c4562 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -39,4 +39,5 @@ SRC_URI = "\
file://0015-CVE-2025-11081.patch \
file://0016-CVE-2025-11082.patch \
file://0017-CVE-2025-11083.patch \
+ file://CVE-2025-11414.patch \
"
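Review bot: The added SRC_URI entry `file://CVE-2025-11414.patch` has no sequence prefix, while the three entries above it are `0015-`, `0016-` and `0017-`. Patches in this list apply in order, and the later patches in this series touch the same `bfd/elflink.c`, so naming it `0018-CVE-2025-11414.patch` (and continuing the numbering for the rest of the series) would keep the order visible from the file names.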
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
new file mode 100644
index 00000000000..21f98f075ed
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
@@ -0,0 +1,84 @@
+From aeaaa9af6359c8e394ce9cf24911fec4f4d23703 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 23 Sep 2025 08:52:26 +0800
+Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed
+
+Normally ELF symbol table should be sorted, i.e., local symbols precede
+global symbols. Irix 6 is an exception and its elf_bad_symtab is set
+to true. Issue an error if elf_bad_symtab is false and symbol table is
+unsorted.
+
+ PR ld/33450
+ * elflink.c (set_symbol_value): Change return type to bool and
+ return false on error. Issue an error on unsorted symbol table
+ if not allowed.
+ (elf_link_input_bfd): Return false if set_symbol_value reurns
+ false.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+
+CVE: CVE-2025-11414
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 66982f82b94..54f0d6e957e 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -9127,7 +9127,7 @@ struct elf_outext_info
+ <binary-operator> := as in C
+ <unary-operator> := as in C, plus "0-" for unambiguous negation. */
+
+-static void
++static bool
+ set_symbol_value (bfd *bfd_with_globals,
+ Elf_Internal_Sym *isymbuf,
+ size_t locsymcount,
+@@ -9148,9 +9148,15 @@ set_symbol_value (bfd *bfd_with_globals,
+ "absolute" section and give it a value. */
+ sym->st_shndx = SHN_ABS;
+ sym->st_value = val;
+- return;
++ return true;
++ }
++ if (!elf_bad_symtab (bfd_with_globals))
++ {
++ _bfd_error_handler (_("%pB: corrupt symbol table"),
++ bfd_with_globals);
++ bfd_set_error (bfd_error_bad_value);
++ return false;
+ }
+- BFD_ASSERT (elf_bad_symtab (bfd_with_globals));
+ extsymoff = 0;
+ }
+
+@@ -9160,11 +9166,12 @@ set_symbol_value (bfd *bfd_with_globals,
+ if (h == NULL)
+ {
+ /* FIXMEL What should we do ? */
+- return;
++ return false;
+ }
+ h->root.type = bfd_link_hash_defined;
+ h->root.u.def.value = val;
+ h->root.u.def.section = bfd_abs_section_ptr;
++ return true;
+ }
+
+ static bool
+@@ -11862,8 +11869,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
+ return false;
+
+ /* Symbol evaluated OK. Update to absolute value. */
+- set_symbol_value (input_bfd, isymbuf, locsymcount,
+- r_symndx, val);
++ if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx,
++ val))
++ return false;
++
+ continue;
+ }
+
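Review bot: In the `set_symbol_value` hunk at `@@ -9160,11 +9166,12 @@`, the `h == NULL` branch now returns false, which `elf_link_input_bfd` turns into a failed link, but unlike the new `!elf_bad_symtab` branch it calls neither `_bfd_error_handler` nor `bfd_set_error`, and the `FIXMEL` comment is left in place. As a verbatim upstream backport the hunk should stay as it is here; the gap is worth a line in the commit message or a report upstream, since this path can now fail the link without a diagnostic.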
* [OE-core][PATCH 2/5] binutils: patch CVE-2025-11412
2025-10-20 22:09 [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Peter Marko
@ 2025-10-20 22:09 ` Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 3/5] binutils: patch CVE-2025-11413 Peter Marko
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Peter Marko @ 2025-10-20 22:09 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD CVE report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../binutils/binutils-2.45.inc | 1 +
.../binutils/binutils/CVE-2025-11412.patch | 35 +++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 2adff3c4562..ffd6c3b2388 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -40,4 +40,5 @@ SRC_URI = "\
file://0016-CVE-2025-11082.patch \
file://0017-CVE-2025-11083.patch \
file://CVE-2025-11414.patch \
+ file://CVE-2025-11412.patch \
"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
new file mode 100644
index 00000000000..ab718f53542
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
@@ -0,0 +1,35 @@
+From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array. This also fixes the expression
+overflow leading to pr33452. A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+ PR ld/33452
+ * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+
+CVE: CVE-2025-11412
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 54f0d6e957e..0a0456177c2 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14837,7 +14837,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+ const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+ unsigned int log_file_align = bed->s->log_file_align;
+
+- if (!h)
++ if (!h || addend > 1u << 28)
+ {
+ /* xgettext:c-format */
+ _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
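Review bot: The new bound in `if (!h || addend > 1u << 28)` is a bare literal with no comment, and an oversized addend now produces the same "corrupt VTENTRY entry" message as a missing `h`. The rationale (a vtable of 33M entries on a 64-bit host) exists only in the upstream commit message; since the hunk is a verbatim backport, the place to record it is the OE commit message, which currently says only "Pick commit per NVD CVE report." and does not name the failure being fixed (SEGV in `bfd_elf_gc_record_vtentry`, PR 33452).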
* [OE-core][PATCH 3/5] binutils: patch CVE-2025-11413
2025-10-20 22:09 [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 2/5] binutils: patch CVE-2025-11412 Peter Marko
@ 2025-10-20 22:09 ` Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 4/5] binutils: patch CVE-2025-11495 Peter Marko
` (2 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Peter Marko @ 2025-10-20 22:09 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD CVE report.
Note that there were two patches for this, first [1] and then [2].
The second patch moved the original patch to different location.
Cherry-pick of second patch is successful leaving out the code removing
the code from first location, so the patch attached here is not
identical to the upstream commit but is identical to applying both and
merging them to a single patch.
[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../binutils/binutils-2.45.inc | 1 +
.../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index ffd6c3b2388..62b5bf6c264 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -41,4 +41,5 @@ SRC_URI = "\
file://0017-CVE-2025-11083.patch \
file://CVE-2025-11414.patch \
file://CVE-2025-11412.patch \
+ file://CVE-2025-11413.patch \
"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
new file mode 100644
index 00000000000..1467d38049a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
@@ -0,0 +1,38 @@
+From 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 10:41:32 +0930
+Subject: [PATCH] Re: elf: Disallow the empty global symbol name
+
+sparc64-linux-gnu +FAIL: selective2
+sparc64-linux-gnu +FAIL: selective3
+
+ PR ld/33456
+ * elflink.c (elf_link_add_object_symbols): Move new check later
+ to give the backend add_symbol_hook a chance to remove symbols
+ with empty names.
+
+CVE: CVE-2025-11413
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 0a0456177c2..5c8b822e36a 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -5118,6 +5118,13 @@ elf_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info)
+ continue;
+ }
+
++ if (name[0] == '\0')
++ {
++ _bfd_error_handler (_("%pB: corrupt symbol table"), abfd);
++ bfd_set_error (bfd_error_bad_value);
++ goto error_free_vers;
++ }
++
+ /* Sanity check that all possibilities were handled. */
+ if (sec == NULL)
+ abort ();
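Review bot: The patch header still presents this file as upstream commit 72efdf166aa0 alone (the `From` line and the single URL in `Upstream-Status: Backport [...]`), but the cover text says it is the result of applying [1] and [2] together, and the diffstat of 7 insertions with no deletions shows it is not the upstream move. Record that in the .patch file itself, for example by listing both commit URLs in `Upstream-Status` and adding a line that the two were squashed, so the deviation from upstream stays documented in the recipe.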
* [OE-core][PATCH 4/5] binutils: patch CVE-2025-11495
2025-10-20 22:09 [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 2/5] binutils: patch CVE-2025-11412 Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 3/5] binutils: patch CVE-2025-11413 Peter Marko
@ 2025-10-20 22:09 ` Peter Marko
2025-10-20 22:09 ` [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494 Peter Marko
2025-10-20 23:27 ` [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Khem Raj
4 siblings, 0 replies; 8+ messages in thread
From: Peter Marko @ 2025-10-20 22:09 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD CVE report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../binutils/binutils-2.45.inc | 1 +
.../binutils/binutils/CVE-2025-11495.patch | 153 ++++++++++++++++++
2 files changed, 154 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 62b5bf6c264..288475ac390 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -42,4 +42,5 @@ SRC_URI = "\
file://CVE-2025-11414.patch \
file://CVE-2025-11412.patch \
file://CVE-2025-11413.patch \
+ file://CVE-2025-11495.patch \
"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch
new file mode 100644
index 00000000000..6e5e68fe275
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch
@@ -0,0 +1,153 @@
+From 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 Sep 2025 08:18:29 +0800
+Subject: [PATCH] x86: Disallow TLS relocation in non executable section
+
+Since TLS relocations are applied to executable machine instructions,
+disallow TLS relocation in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
+
+ PR ld/33451
+ PR ld/33502
+ * elf32-i386.c (elf_i386_tls_transition): Disallow TLS relocation
+ in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
+ (elf_i386_scan_relocs): Likewise.
+ * elf64-x86-64.c (elf_x86_64_tls_transition): Likewise.
+ (elf_x86_64_scan_relocs): Likewise.
+ * elfxx-x86.c (_bfd_x86_elf_link_report_tls_invalid_section_error):
+ New.
+ * elfxx-x86.h (_bfd_x86_elf_link_report_tls_invalid_section_error):
+ Likewise.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+
+CVE: CVE-2025-11495
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elf32-i386.c | 19 +++++++++++++++++++
+ bfd/elf64-x86-64.c | 20 ++++++++++++++++++++
+ bfd/elfxx-x86.c | 20 ++++++++++++++++++++
+ bfd/elfxx-x86.h | 4 ++++
+ 4 files changed, 63 insertions(+)
+
+diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
+index 507a0762aff..0d60eded701 100644
+--- a/bfd/elf32-i386.c
++++ b/bfd/elf32-i386.c
+@@ -1166,6 +1166,15 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ return true;
+ }
+
++ if ((elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ reloc_howto_type *howto = elf_i386_rtype_to_howto (from_type);
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, sym, howto);
++ return false;
++ }
++
+ /* Return TRUE if there is no transition. */
+ if (from_type == to_type)
+ return true;
+@@ -1727,6 +1736,16 @@ elf_i386_scan_relocs (bfd *abfd,
+ tls_type = GOT_TLS_IE_POS; break;
+ }
+
++ if (tls_type >= GOT_TLS_GD
++ && tls_type <= GOT_TLS_GDESC
++ && (elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, isym, howto);
++ goto error_return;
++ }
++
+ if (h != NULL)
+ {
+ h->got.refcount = 1;
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 620b6a380cd..59b43149897 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -1626,6 +1626,16 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ return true;
+ }
+
++ if ((elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ reloc_howto_type *howto = elf_x86_64_rtype_to_howto (abfd,
++ from_type);
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, sym, howto);
++ return false;
++ }
++
+ /* Return TRUE if there is no transition. */
+ if (from_type == to_type
+ || (from_type == R_X86_64_CODE_4_GOTTPOFF
+@@ -2748,6 +2758,16 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info,
+ break;
+ }
+
++ if (tls_type >= GOT_TLS_GD
++ && tls_type <= GOT_TLS_GDESC
++ && (elf_section_type (sec) != SHT_PROGBITS
++ || (sec->flags & SEC_CODE) == 0))
++ {
++ _bfd_x86_elf_link_report_tls_invalid_section_error
++ (abfd, sec, symtab_hdr, h, isym, howto);
++ goto error_return;
++ }
++
+ if (h != NULL)
+ {
+ h->got.refcount = 1;
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index 0d389968c91..d8c653a9ad2 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -3348,6 +3348,26 @@ _bfd_x86_elf_link_report_tls_transition_error
+ bfd_set_error (bfd_error_bad_value);
+ }
+
++/* Report TLS invalid section error. */
++
++void
++_bfd_x86_elf_link_report_tls_invalid_section_error
++ (bfd *abfd, asection *sec, Elf_Internal_Shdr *symtab_hdr,
++ struct elf_link_hash_entry *h, Elf_Internal_Sym *sym,
++ reloc_howto_type *howto)
++{
++ const char *name;
++ if (h)
++ name = h->root.root.string;
++ else
++ name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL);
++ _bfd_error_handler
++ /* xgettext:c-format */
++ (_("%pB: relocation %s against thread local symbol `%s' in "
++ "invalid section `%pA'"), abfd, howto->name, name, sec);
++ bfd_set_error (bfd_error_bad_value);
++}
++
+ /* Return TRUE if symbol should be hashed in the `.gnu.hash' section. */
+
+ bool
+diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h
+index 1ebc9d2f2e5..f8a24a77577 100644
+--- a/bfd/elfxx-x86.h
++++ b/bfd/elfxx-x86.h
+@@ -939,6 +939,10 @@ extern void _bfd_x86_elf_link_report_tls_transition_error
+ const Elf_Internal_Rela *, const char *, const char *,
+ enum elf_x86_tls_error_type);
+
++extern void _bfd_x86_elf_link_report_tls_invalid_section_error
++ (bfd *, asection *, Elf_Internal_Shdr *, struct elf_link_hash_entry *,
++ Elf_Internal_Sym *, reloc_howto_type *);
++
+ #define bfd_elf64_mkobject \
+ _bfd_x86_elf_mkobject
+ #define bfd_elf32_mkobject \
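Review bot: The section check in the four new blocks, `elf_section_type (sec) != SHT_PROGBITS || (sec->flags & SEC_CODE) == 0`, rejects a section that fails either test, while the commit message's "non-SHT_PROGBITS, non-SHF_EXECINSTR section" reads as if both must fail, and the code tests BFD's `SEC_CODE` rather than the `SHF_EXECINSTR` named in the message. A short comment above the check stating that TLS relocations are accepted only in SHT_PROGBITS sections with SEC_CODE set would remove the ambiguity. The same expression is repeated in `elf32-i386.c` and `elf64-x86-64.c` (twice each) and could live in one helper next to `_bfd_x86_elf_link_report_tls_invalid_section_error`; the outer parentheses in the two `tls_transition` checks are redundant.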
* [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494
2025-10-20 22:09 [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Peter Marko
` (2 preceding siblings ...)
2025-10-20 22:09 ` [OE-core][PATCH 4/5] binutils: patch CVE-2025-11495 Peter Marko
@ 2025-10-20 22:09 ` Peter Marko
2025-10-22 10:23 ` Mathieu Dubois-Briand
2025-10-20 23:27 ` [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Khem Raj
4 siblings, 1 reply; 8+ messages in thread
From: Peter Marko @ 2025-10-20 22:09 UTC (permalink / raw)
To: openembedded-core; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD CVE report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../binutils/binutils-2.45.inc | 1 +
.../binutils/binutils/CVE-2025-11494.patch | 49 +++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 288475ac390..72ed156a945 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -43,4 +43,5 @@ SRC_URI = "\
file://CVE-2025-11412.patch \
file://CVE-2025-11413.patch \
file://CVE-2025-11495.patch \
+ file://CVE-2025-11494.patch \
"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch
new file mode 100644
index 00000000000..91ca74fb485
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch
@@ -0,0 +1,49 @@
+From b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 Sep 2025 08:13:56 +0800
+Subject: [PATCH] x86: Keep _GLOBAL_OFFSET_TABLE_ for .eh_frame
+
+Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
+_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
+.eh_frame section is non-empty.
+
+ PR ld/33499
+ * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep
+ _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the
+ output .eh_frame section is non-empty.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+
+CVE: CVE-2025-11494
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elfxx-x86.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index d8c653a9ad2..140e86888a6 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -2445,6 +2445,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+
+ if (htab->elf.sgotplt)
+ {
++ asection *eh_frame;
++
+ /* Don't allocate .got.plt section if there are no GOT nor PLT
+ entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */
+ if ((htab->elf.hgot == NULL
+@@ -2457,7 +2459,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+ && (htab->elf.iplt == NULL
+ || htab->elf.iplt->size == 0)
+ && (htab->elf.igotplt == NULL
+- || htab->elf.igotplt->size == 0))
++ || htab->elf.igotplt->size == 0)
++ && (!htab->elf.dynamic_sections_created
++ || (eh_frame = bfd_get_section_by_name (output_bfd,
++ ".eh_frame")) == NULL
++ || eh_frame->rawsize == 0))
+ {
+ htab->elf.sgotplt->size = 0;
+ /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
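Review bot: The comment above the condition ("Don't allocate .got.plt section if there are no GOT nor PLT entries and there is no reference to _GLOBAL_OFFSET_TABLE_") is not updated for the new clause, which also keeps the section when dynamic sections were created and the output `.eh_frame` has a non-zero `rawsize`. Extend the comment to say so and to say why `rawsize` rather than `size` is the field tested. The assignment to `eh_frame` inside the condition is safe only because the `||` operands are evaluated left to right before `eh_frame->rawsize` is read; a separate lookup before the `if` would be easier to follow.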
* Re: [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414
2025-10-20 22:09 [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Peter Marko
` (3 preceding siblings ...)
2025-10-20 22:09 ` [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494 Peter Marko
@ 2025-10-20 23:27 ` Khem Raj
4 siblings, 0 replies; 8+ messages in thread
From: Khem Raj @ 2025-10-20 23:27 UTC (permalink / raw)
To: peter.marko; +Cc: openembedded-core
All 5 patches are good, thanks.
On Mon, Oct 20, 2025 at 3:09 PM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick commit per NVD CVE report.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> .../binutils/binutils-2.45.inc | 1 +
> .../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++
> 2 files changed, 85 insertions(+)
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
> index 391b0157d3a..2adff3c4562 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.45.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
> @@ -39,4 +39,5 @@ SRC_URI = "\
> file://0015-CVE-2025-11081.patch \
> file://0016-CVE-2025-11082.patch \
> file://0017-CVE-2025-11083.patch \
> + file://CVE-2025-11414.patch \
> "
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
> new file mode 100644
> index 00000000000..21f98f075ed
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
> @@ -0,0 +1,84 @@
> +From aeaaa9af6359c8e394ce9cf24911fec4f4d23703 Mon Sep 17 00:00:00 2001
> +From: "H.J. Lu" <hjl.tools@gmail.com>
> +Date: Tue, 23 Sep 2025 08:52:26 +0800
> +Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed
> +
> +Normally ELF symbol table should be sorted, i.e., local symbols precede
> +global symbols. Irix 6 is an exception and its elf_bad_symtab is set
> +to true. Issue an error if elf_bad_symtab is false and symbol table is
> +unsorted.
> +
> + PR ld/33450
> + * elflink.c (set_symbol_value): Change return type to bool and
> + return false on error. Issue an error on unsorted symbol table
> + if not allowed.
> + (elf_link_input_bfd): Return false if set_symbol_value reurns
> + false.
> +
> +Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
> +
> +CVE: CVE-2025-11414
> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + bfd/elflink.c | 21 +++++++++++++++------
> + 1 file changed, 15 insertions(+), 6 deletions(-)
> +
> +diff --git a/bfd/elflink.c b/bfd/elflink.c
> +index 66982f82b94..54f0d6e957e 100644
> +--- a/bfd/elflink.c
> ++++ b/bfd/elflink.c
> +@@ -9127,7 +9127,7 @@ struct elf_outext_info
> + <binary-operator> := as in C
> + <unary-operator> := as in C, plus "0-" for unambiguous negation. */
> +
> +-static void
> ++static bool
> + set_symbol_value (bfd *bfd_with_globals,
> + Elf_Internal_Sym *isymbuf,
> + size_t locsymcount,
> +@@ -9148,9 +9148,15 @@ set_symbol_value (bfd *bfd_with_globals,
> + "absolute" section and give it a value. */
> + sym->st_shndx = SHN_ABS;
> + sym->st_value = val;
> +- return;
> ++ return true;
> ++ }
> ++ if (!elf_bad_symtab (bfd_with_globals))
> ++ {
> ++ _bfd_error_handler (_("%pB: corrupt symbol table"),
> ++ bfd_with_globals);
> ++ bfd_set_error (bfd_error_bad_value);
> ++ return false;
> + }
> +- BFD_ASSERT (elf_bad_symtab (bfd_with_globals));
> + extsymoff = 0;
> + }
> +
> +@@ -9160,11 +9166,12 @@ set_symbol_value (bfd *bfd_with_globals,
> + if (h == NULL)
> + {
> + /* FIXMEL What should we do ? */
> +- return;
> ++ return false;
> + }
> + h->root.type = bfd_link_hash_defined;
> + h->root.u.def.value = val;
> + h->root.u.def.section = bfd_abs_section_ptr;
> ++ return true;
> + }
> +
> + static bool
> +@@ -11862,8 +11869,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
> + return false;
> +
> + /* Symbol evaluated OK. Update to absolute value. */
> +- set_symbol_value (input_bfd, isymbuf, locsymcount,
> +- r_symndx, val);
> ++ if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx,
> ++ val))
> ++ return false;
> ++
> + continue;
> + }
> +
>
* Re: [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494
2025-10-20 22:09 ` [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494 Peter Marko
@ 2025-10-22 10:23 ` Mathieu Dubois-Briand
2025-10-27 20:37 ` Marko, Peter
0 siblings, 1 reply; 8+ messages in thread
From: Mathieu Dubois-Briand @ 2025-10-22 10:23 UTC (permalink / raw)
To: peter.marko, openembedded-core
On Tue Oct 21, 2025 at 12:09 AM CEST, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick commit per NVD CVE report.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
Hi Peter,
Thanks for your patch. I suspect the last one is responsible for a
reproducibility issue in gnu-efi:
AssertionError: The following deb packages are different and not in exclusion list:
/srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-extended/tmp/deploy/deb/./x86-64-v3/gnu-efi_4.0.2-r0_amd64.deb
The following ipk packages are different and not in exclusion list:
/srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-extended/tmp/deploy/ipk/./x86-64-v3/gnu-efi_4.0.2-r0_x86-64-v3.ipk
The following rpm packages are different and not in exclusion list:
/srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-extended/tmp/deploy/rpm/./x86_64_v3/gnu-efi-4.0.2-r0.x86_64_v3.rpm
https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20251021-u0jap9k2/
Can you have a look at these?
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* RE: [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494
2025-10-22 10:23 ` Mathieu Dubois-Briand
@ 2025-10-27 20:37 ` Marko, Peter
0 siblings, 0 replies; 8+ messages in thread
From: Marko, Peter @ 2025-10-27 20:37 UTC (permalink / raw)
To: Mathieu Dubois-Briand, openembedded-core@lists.openembedded.org
> -----Original Message-----
> From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Sent: Wednesday, October 22, 2025 12:23
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494
>
> On Tue Oct 21, 2025 at 12:09 AM CEST, Peter Marko via lists.openembedded.org
> wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick commit per NVD CVE report.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
>
> Hi Peter,
>
> Thanks for your patch. I suspect the last one is responsible for a
> reproducibility issue in gnu-efi:
>
> AssertionError: The following deb packages are different and not in exclusion list:
> /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-
> extended/tmp/deploy/deb/./x86-64-v3/gnu-efi_4.0.2-r0_amd64.deb
> The following ipk packages are different and not in exclusion list:
> /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-
> extended/tmp/deploy/ipk/./x86-64-v3/gnu-efi_4.0.2-r0_x86-64-v3.ipk
> The following rpm packages are different and not in exclusion list:
> /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-
> extended/tmp/deploy/rpm/./x86_64_v3/gnu-efi-4.0.2-r0.x86_64_v3.rpm
>
> https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20251021-u0jap9k2/
>
> Can you have a look at these?
>
I have checked this but I don't really know how to fix it.
Maybe there are additional commits needed, but not sure how to find them.
Let's keep this out and wait for tag to see...
Peter
> Thanks,
> Mathieu
>
> --
> Mathieu Dubois-Briand, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com