On Thu, 2023-11-23 at 04:49 -1000, Steve Sakoman wrote: > On Thu, Nov 23, 2023 at 2:41 AM Richard Purdie > <[email protected]> wrote: > > > > On Tue, 2023-11-21 at 16:31 -1000, Steve Sakoman wrote: > > > From: Deepthi Hemraj <[email protected]> > > > > > > Signed-off-by: Deepthi Hemraj <[email protected]> > > > Signed-off-by: Steve Sakoman <[email protected]> > > > --- > > > .../binutils/binutils-2.38.inc | 1 + > > > .../binutils/0033-CVE-2022-47007.patch | 34 +++++++++++++++++++ > > > 2 files changed, 35 insertions(+) > > > create mode 100644 > > > meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > > > > > diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc > > > b/meta/recipes-devtools/binutils/binutils-2.38.inc > > > index 43cc97f1ef..dc29141812 100644 > > > --- a/meta/recipes-devtools/binutils/binutils-2.38.inc > > > +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc > > > @@ -67,5 +67,6 @@ SRC_URI = "\ > > > file://0031-CVE-2022-47695.patch \ > > > file://CVE-2022-48063.patch \ > > > file://0032-CVE-2022-47010.patch \ > > > + file://0033-CVE-2022-47007.patch \ > > > " > > > S = "${WORKDIR}/git" > > > diff --git > > > a/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > > b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > > new file mode 100644 > > > index 0000000000..cc6dfe684b > > > --- /dev/null > > > +++ b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > > @@ -0,0 +1,34 @@ > > > +From: Alan Modra <[email protected]> > > > +Date: Thu, 16 Jun 2022 23:30:41 +0000 (+0930) > > > +Subject: PR29254, memory leak in stab_demangle_v3_arg > > > +X-Git-Tag: binutils-2_39~237 > > > +X-Git-Url: > > > https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb > > > + > > > +PR29254, memory leak in stab_demangle_v3_arg > > > + > > > + PR 29254 > > > + * stabs.c (stab_demangle_v3_arg): Free dt on failure path. > > > + > > > +Upstream-Status: Backport > > > [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb] > > > + > > > +CVE: CVE-2022-47007 > > > + > > > +Signed-off-by: Deepthi Hemraj <[email protected]> > > > +--- > > > + > > > > This has not merged to master yet. It probably will but... > > This CVE shouldn't affect master, it is for binutils versions 2.34 > thru 2.38, while master is 2.41 > > See: https://nvd.nist.gov/vuln/detail/CVE-2022-47007
This was merged to master but clearly shouldn't be as it was reverted upstream as part of: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=19cacf672930cee20feaf1f3468e3d5ac3099ffd Cheers, Richard
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#191166): https://lists.openembedded.org/g/openembedded-core/message/191166 Mute This Topic: https://lists.openembedded.org/mt/102742404/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
