* [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
From: Harish.Sadineni @ 2026-04-06 7:05 UTC
To: openembedded-core; +Cc: Sundeep.Kokkonda

From: Harish Sadineni <Harish.Sadineni@windriver.com>

Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
in the latest binutils 2.46 version upgrade.

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
---
 meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
index ff10050dd9..dc8b6be03e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.46.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
@@ -34,3 +34,6 @@ SRC_URI = "\
 file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
 file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
 "
+
+CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
+CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
-- 
2.49.0
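Review bot: the commit message says both CVEs are "already resolved" in 2.46 but gives nothing a reviewer can check, so the two `+CVE_STATUS[...] = "fixed-version: Fixed from version 2.46"` lines need a reference to the upstream fix for each CVE (binutils commit id or bugzilla entry), either in the commit message or in the description part of the status string, e.g. `"fixed-version: Fixed from version 2.46, upstream commit <id>"` with the real id in place of the placeholder. It is also worth stating in the commit message why an explicit entry is needed for a recipe that is already at 2.46: a CVE_STATUS override only matters where the NVD CPE version range would otherwise flag this version, so say for each CVE whether the NVD data is wrong or incomplete; if it is correct, the entry is redundant.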
* Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
From: Paul Barker @ 2026-04-06 8:28 UTC
To: Harish.Sadineni, openembedded-core; +Cc: Sundeep.Kokkonda

On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via lists.openembedded.org wrote:
> From: Harish Sadineni <Harish.Sadineni@windriver.com>
>
> Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
> in the latest binutils 2.46 version upgrade.
>
> Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> ---
>  meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
> index ff10050dd9..dc8b6be03e 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
> @@ -34,3 +34,6 @@ SRC_URI = "\
>  file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
>  file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
>  "
> +
> +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"

Hi Harish,

According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it should already be seen as fixed in 2.46. Which tool is reporting this as an unresolved CVE?

> +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"

According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include some info/links in the commit message to confirm that this was fixed for v2.46.

Best regards,
-- 
Paul Barker
* Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
From: Harish Sadineni @ 2026-04-06 9:56 UTC
To: Paul Barker, openembedded-core; +Cc: Sundeep.Kokkonda

On 4/6/2026 1:58 PM, Paul Barker wrote:
> On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via
> lists.openembedded.org wrote:
>> From: Harish Sadineni <Harish.Sadineni@windriver.com>
>>
>> Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
>> in the latest binutils 2.46 version upgrade.
>>
>> Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
>> ---
>>  meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
>> index ff10050dd9..dc8b6be03e 100644
>> --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
>> +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
>> @@ -34,3 +34,6 @@ SRC_URI = "\
>>  file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
>>  file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
>>  "
>> +
>> +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
> Hi Harish,
>
> According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE
> for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it
> should already be seen as fixed in 2.46. Which tool is reporting this as
> an unresolved CVE?

git branch -a --contains 598704a00cbac5e85c2bedd363357b5bf6fcee33
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/binutils-2_46-branch
  remotes/origin/master

The above git info (and bugzilla) shows that the commit id got merged/fixed in the 2.46 branch, and so it is documented as fixed from 2.46.

It is not shown by any tool as unresolved, but we see that CVE status is well documented and maintained in the kernel recipes:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/cve-exclusion.inc
So we thought of maintaining the CVE status for toolchain components from now on.

>> +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
> According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE
> for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include
> some info/links in the commit message to confirm that this was fixed for
> v2.46.

Ok, I will add the commit reference in the commit message when sending v2.

Thanks,
Harish

>
> Best regards,
>
* Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649
From: Paul Barker @ 2026-04-08 9:30 UTC
To: Harish.Sadineni, openembedded-core; +Cc: Sundeep.Kokkonda

On Mon, 2026-04-06 at 15:26 +0530, Sadineni, Harish via lists.openembedded.org wrote:
> On 4/6/2026 1:58 PM, Paul Barker wrote:
> > On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via
> > lists.openembedded.org wrote:
> > > From: Harish Sadineni <Harish.Sadineni@windriver.com>
> > >
> > > Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVEs are already resolved
> > > in the latest binutils 2.46 version upgrade.
> > >
> > > Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> > > ---
> > >  meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > index ff10050dd9..dc8b6be03e 100644
> > > --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > @@ -34,3 +34,6 @@ SRC_URI = "\
> > >  file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
> > >  file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
> > >  "
> > > +
> > > +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
> > Hi Harish,
> >
> > According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE
> > for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it
> > should already be seen as fixed in 2.46. Which tool is reporting this as
> > an unresolved CVE?
> git branch -a --contains 598704a00cbac5e85c2bedd363357b5bf6fcee33
> * master
>   remotes/origin/HEAD -> origin/master
>   remotes/origin/binutils-2_46-branch
>   remotes/origin/master
>
> The above git info (and bugzilla) shows that the commit id got
> merged/fixed in the 2.46 branch, and so it is documented as fixed from 2.46.
> It is not shown by any tool as unresolved, but we see that CVE status
> is well documented and maintained in the kernel recipes:
> https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/cve-exclusion.inc
> So we thought of maintaining the CVE status for toolchain components
> from now on.

Hi Harish,

The entries in cve-exclusion.inc cover cases where the CPE is not set correctly by NVD. For example, the last entry is for CVE-2023-6535, which was fixed in Linux 6.8 but NVD still have the CPE as "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", indicating that all versions of the kernel contain this issue. So we need to set CVE_STATUS ourselves for this one.

If the data published by NVD is correct then we do not need our own CVE_STATUS entry.

> > > +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
> > According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE
> > for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include
> > some info/links in the commit message to confirm that this was fixed for
> > v2.46.
> Ok, I will add the commit reference in the commit message when sending v2.

We do need this CVE_STATUS entry as the data published by NVD is incomplete. Please send a v2.

Best regards,
-- 
Paul Barker