Hi, Just submitted the patch for master too. Thanks! /Adarsh ________________________________ From: Yoann Congal <[email protected]> Sent: Thursday, April 2, 2026 00:07 To: Adarsh Jagadish Kamini <[email protected]>; [email protected] <[email protected]> Subject: Re: [OE-core][whinlatter][PATCH] binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputed
On Tue Mar 31, 2026 at 1:33 PM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote: > From: Adarsh Jagadish Kamini <[email protected]> > > Both CVEs are disputed by third parties. The observed behavior > (double free / invalid pointer free in readelf) only occurred in > pre-release code and did not affect any tagged version [1][2]. > > CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release > code, does not affect any tagged version" > CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release > code, does not affect any tagged version" > > [1] https://www.cve.org/CVERecord?id=CVE-2025-69650 > [2] https://www.cve.org/CVERecord?id=CVE-2025-69651 > > Signed-off-by: Adarsh Jagadish Kamini <[email protected]> > --- Hello, As far as I can tell this patch is also needed for master where those 2 CVEs apply. Can you send this to master please? Otherwise, the patch looks good. Regards, > meta/recipes-devtools/binutils/binutils-2.45.inc | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc > b/meta/recipes-devtools/binutils/binutils-2.45.inc > index 16a63cabc5..5cd4d185ac 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.45.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc > @@ -20,6 +20,8 @@ UPSTREAM_CHECK_GITTAGREGEX = > "binutils-(?P<pver>\d+_(\d_?)*)" > > CVE_STATUS[CVE-2025-7545] = "cpe-stable-backport: fix available in used git > hash" > CVE_STATUS[CVE-2025-7546] = "cpe-stable-backport: fix available in used git > hash" > +CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in > pre-release code, does not affect any tagged version" > +CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in > pre-release code, does not affect any tagged version" > > SRCREV ?= "2f028c6bb163a045db95439fb92e1dcbc919413c" > BINUTILS_GIT_URI ?= > "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#234508): https://lists.openembedded.org/g/openembedded-core/message/234508 Mute This Topic: https://lists.openembedded.org/mt/118594603/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
