Re: [OE-core] [PATCH] binutils: Set status for CVE-2025-69646 & CVE-2025-69649

[Paul Barker <paul@pbarker.dev>]

[-- Attachment #1: Type: text/plain, Size: 3194 bytes --]

On Mon, 2026-04-06 at 15:26 +0530, Sadineni, Harish via
lists.openembedded.org wrote:
> On 4/6/2026 1:58 PM, Paul Barker wrote:
> > On Mon, 2026-04-06 at 00:05 -0700, Sadineni, Harish via
> > lists.openembedded.org wrote:
> > > From: Harish Sadineni <Harish.Sadineni@windriver.com>
> > > 
> > > Set CVE_STATUS for CVE-2025-69646 and CVE-2025-69649, as both CVES are already resolved
> > > in the latest binutils 2.46 version upgrade.
> > > 
> > > Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> > > ---
> > >   meta/recipes-devtools/binutils/binutils-2.46.inc | 3 +++
> > >   1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > index ff10050dd9..dc8b6be03e 100644
> > > --- a/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
> > > @@ -34,3 +34,6 @@ SRC_URI = "\
> > >        file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
> > >        file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
> > >   "
> > > +
> > > +CVE_STATUS[CVE-2025-69646] = "fixed-version: Fixed from version 2.46"
> > Hi Harish,
> > 
> > According to https://nvd.nist.gov/vuln/detail/CVE-2025-69646, the CPE
> > for CVE-2025-69646 is "cpe:2.3:a:gnu:binutils:2.44:*:*:*:*:*:*:*", so it
> > should already be seen as fixed in 2.46. Which tool is reporting this as
> > an unresolved CVE?
> git branch -a --contains 598704a00cbac5e85c2bedd363357b5bf6fcee33
> * master
>    remotes/origin/HEAD -> origin/master
>    remotes/origin/binutils-2_46-branch
>    remotes/origin/master
> 
> 
> The above git info (and bugzilla) shows that the commit id got 
> merged/fixed in 2.46 branch. And so it documented as fixed from 2.46.
> And, it is not shown by any tool as unresolved but we see CVE's status 
> is well documented and maintained in kernel-recipes
> https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/cve-exclusion.inc
> So, We thought of maintaining the CVE's status for toolchain components 
> from now.

Hi Harish,

The entries in cve-exclusion.inc cover cases where the CPE is not set
correctly by NVD. For example, the last entry is for CVE-2023-6535 which
was fixed in Linux 6.8 but NVD still have the CPE as
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", indicating that all
versions of the kernel contain this issue. So we need to set CVE_STATUS
ourselves for this one.

If the data published by NVD is correct then we do not need our own
CVE_STATUS entry.

> > > +CVE_STATUS[CVE-2025-69649] = "fixed-version: Fixed from version 2.46"
> > According to https://nvd.nist.gov/vuln/detail/CVE-2025-69649, the CPE
> > for this one is "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*". Please include
> > some info/links in the commit message to confirm that this was fixed for
> > v2.46.
> Ok,  I will add the commit reference in commit message while sending v2.

We do need this CVE_STATUS entry as the data published by NVD is
incomplete. Please send a v2.

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]