public inbox for openembedded-core@lists.openembedded.org
* [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
@ 2026-04-06  7:05 Harish.Sadineni
  2026-04-06  8:28 ` [OE-core] " Paul Barker
  0 siblings, 1 reply; 4+ messages in thread
From: Harish.Sadineni @ 2026-04-06  7:05 UTC (permalink / raw)
  To: openembedded-core; +Cc: Sundeep.Kokkonda

From: Harish Sadineni <Harish.Sadineni@windriver.com>

Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
in the latest binutils 2.46 version upgrade.

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
---
 meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
index ff10050dd9..dc8b6be03e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.46.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
@@ -34,3 +34,6 @@ SRC_URI = "\
      file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
      file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
 "
+
+CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
+CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
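Review bot: neither the commit message nor the two new CVE_STATUS lines give a source for the claim that CVE-2025-69646 and CVE-2025-69649 are fixed in 2.46; the description text "fixed-version: Fixed from version 2.46" only restates the status. Add the upstream binutils commit id or bug link for each CVE to the commit message (and, where useful, to the description string) so the entry can be re-checked later, and confirm for each one that NVD's CPE data does not already report 2.46 as unaffected, since a recipe-side entry is only needed where that data is wrong or incomplete.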
-- 
2.49.0




* Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
  2026-04-06  7:05 [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649 Harish.Sadineni
@ 2026-04-06  8:28 ` Paul Barker
  2026-04-06  9:56   ` Harish Sadineni
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Barker @ 2026-04-06  8:28 UTC (permalink / raw)
  To: Harish.Sadineni, openembedded-core; +Cc: Sundeep.Kokkonda


On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via
lists.openembedded.org wrote:
> From: Harish Sadineni <Harish.Sadineni@windriver.com>
> 
> Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
> in the latest binutils 2.46 version upgrade.
> 
> Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> ---
>  meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
> index ff10050dd9..dc8b6be03e 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
> @@ -34,3 +34,6 @@ SRC_URI = "\
>       file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
>       file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
>  "
> +
> +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"

Hi Harish,

According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE
for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it
should already be seen as fixed in 2.46. Which tool is reporting this as
an unresolved CVE?

> +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"

According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE
for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include
some info/links in the commit message to confirm that this was fixed for
v2.46.

Best regards,

-- 
Paul Barker




* Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
  2026-04-06  8:28 ` [OE-core] " Paul Barker
@ 2026-04-06  9:56   ` Harish Sadineni
  2026-04-08  9:30     ` Paul Barker
  0 siblings, 1 reply; 4+ messages in thread
From: Harish Sadineni @ 2026-04-06  9:56 UTC (permalink / raw)
  To: Paul Barker, openembedded-core; +Cc: Sundeep.Kokkonda


On 4/6/2026 1:58 PM, Paul Barker wrote:
> On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via
> lists.openembedded.org wrote:
>> From: Harish Sadineni <Harish.Sadineni@windriver.com>
>>
>> Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
>> in the latest binutils 2.46 version upgrade.
>>
>> Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
>> ---
>>   meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
>> index ff10050dd9..dc8b6be03e 100644
>> --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
>> +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
>> @@ -34,3 +34,6 @@ SRC_URI = "\
>>        file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
>>        file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
>>   "
>> +
>> +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
> Hi Harish,
>
> According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE
> for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it
> should already be seen as fixed in 2.46. Which tool is reporting this as
> an unresolved CVE?
git branch -a --contains 598704a00cbac5e85c2bedd363357b5bf6fcee33
* master
   remotes/origin/HEAD -> origin/master
   remotes/origin/binutils-2_46-branch
   remotes/origin/master


The above git info (and bugzilla) shows that the commit got
merged/fixed in the 2.46 branch, and so it is documented as fixed from 2.46.
It is not shown by any tool as unresolved, but we see that CVE status
is well documented and maintained in the kernel recipes:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/cve-exclusion.inc
So we thought of maintaining CVE status for toolchain components
from now on.
>> +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
> According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE
> for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include
> some info/links in the commit message to confirm that this was fixed for
> v2.46.
Ok, I will add the commit reference in the commit message when sending v2.

Thanks,
Harish
>
> Best regards,
>



* Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
  2026-04-06  9:56   ` Harish Sadineni
@ 2026-04-08  9:30     ` Paul Barker
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Barker @ 2026-04-08  9:30 UTC (permalink / raw)
  To: Harish.Sadineni, openembedded-core; +Cc: Sundeep.Kokkonda


On Mon, 2026-04-06 at 15:26 +0530, Sadineni, Harish via
lists.openembedded.org wrote:
> On 4/6/2026 1:58 PM, Paul Barker wrote:
> > On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via
> > lists.openembedded.org wrote:
> > > From: Harish Sadineni <Harish.Sadineni@windriver.com>
> > > 
> > > Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
> > > in the latest binutils 2.46 version upgrade.
> > > 
> > > Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> > > ---
> > >   meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
> > >   1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > index ff10050dd9..dc8b6be03e 100644
> > > --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > @@ -34,3 +34,6 @@ SRC_URI = "\
> > >        file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
> > >        file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
> > >   "
> > > +
> > > +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
> > Hi Harish,
> > 
> > According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE
> > for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it
> > should already be seen as fixed in 2.46. Which tool is reporting this as
> > an unresolved CVE?
> git branch -a --contains 598704a00cbac5e85c2bedd363357b5bf6fcee33
> * master
>    remotes/origin/HEAD -> origin/master
>    remotes/origin/binutils-2_46-branch
>    remotes/origin/master
> 
> 
> The above git info (and bugzilla) shows that the commit got
> merged/fixed in the 2.46 branch, and so it is documented as fixed from 2.46.
> It is not shown by any tool as unresolved, but we see that CVE status
> is well documented and maintained in the kernel recipes:
> https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/cve-exclusion.inc
> So we thought of maintaining CVE status for toolchain components
> from now on.

Hi Harish,

The entries in cve-exclusion.inc cover cases where the CPE is not set
correctly by NVD. For example, the last entry is for CVE-2023-6535 which
was fixed in Linux 6.8 but NVD still have the CPE as
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", indicating that all
versions of the kernel contain this issue. So we need to set CVE_STATUS
ourselves for this one.

If the data published by NVD is correct then we do not need our own
CVE_STATUS entry.

> > > +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
> > According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE
> > for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include
> > some info/links in the commit message to confirm that this was fixed for
> > v2.46.
> Ok, I will add the commit reference in the commit message when sending v2.

We do need this CVE_STATUS entry as the data published by NVD is
incomplete. Please send a v2.

Best regards,

-- 
Paul Barker



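As an added example (not code from OE-core or from this patch), here is a small Python model of the decision discussed in the thread: parse the NVD CPE string, check whether NVD's own match data already excludes the recipe version, and only then emit a CVE_STATUS line. The versionEndExcluding argument mirrors the NVD JSON field of that name; the function names and the "a concrete CPE version means only that version" interpretation are assumptions of this example, not cve-check's actual matching logic.

```python
"""Decide whether an OE recipe needs its own fixed-version CVE_STATUS entry.
Simplified model of the thread's reasoning: cve-check relies on NVD's CPE
match data, so an entry is only needed when that data does not already show
the recipe version as unaffected. versionEndExcluding mirrors the NVD JSON
field of that name; helper names and sample data here are constructed.
"""
from typing import Optional

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named fields."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    keys = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, parts[2:]))

def version_tuple(v: str) -> tuple:
    """Dotted version -> comparable tuple (numeric parts compare as ints)."""
    return tuple(int(x) if x.isdigit() else x for x in v.split("."))

def nvd_marks_affected(cpe: str, recipe_version: str,
                       version_end_excluding: Optional[str] = None) -> bool:
    """True if NVD's match data would flag recipe_version as vulnerable."""
    v = parse_cpe23(cpe)["version"]
    if v not in ("*", "-"):
        # A concrete version in the CPE: only that exact version is affected.
        return version_tuple(v) == version_tuple(recipe_version)
    if version_end_excluding:
        return version_tuple(recipe_version) < version_tuple(version_end_excluding)
    # '*' or '-' with no range bound: NVD is saying every version is affected.
    return True

def cve_status_line(cve: str, cpe: str, recipe_version: str, fixed_version: str,
                    version_end_excluding: Optional[str] = None) -> Optional[str]:
    """Return the CVE_STATUS line to add, or None when NVD already covers it."""
    if version_tuple(recipe_version) < version_tuple(fixed_version):
        raise ValueError(f"{cve}: recipe {recipe_version} predates fix {fixed_version}")
    if not nvd_marks_affected(cpe, recipe_version, version_end_excluding):
        return None  # NVD's own CPE data already shows this version as fixed
    return f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed_version}"'

if __name__ == "__main__":
    # The three CPEs quoted in the thread, against the recipe versions named there.
    for cve, cpe, ver in [
        ("CVE-2025-69646", "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", "2.46"),
        ("CVE-2025-69649", "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*", "2.46"),
        ("CVE-2023-6535", "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "6.8"),
    ]:
        print(cve, "->", cve_status_line(cve, cpe, ver, ver) or "no entry needed")
```

Run against the three CPEs from the thread, the binutils 2.44 entry yields no CVE_STATUS line while the wildcard binutils entry and the "-" kernel entry do, which is the distinction Paul draws.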
