| Message ID | 20251020220912.483748-5-peter.marko@siemens.com |
|---|---|
| State | New |
| Headers | show |
| Series | [1/5] binutils: patch CVE-2025-11414 | expand |
On Tue Oct 21, 2025 at 12:09 AM CEST, Peter Marko via lists.openembedded.org wrote: > From: Peter Marko <peter.marko@siemens.com> > > Pick commit per NVD CVE report. > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- Hi Peter, Thanks for your patch. I suspect the last one is responsible of a reproducibility issue in gnu-efi: AssertionError: The following deb packages are different and not in exclusion list: /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-extended/tmp/deploy/deb/./x86-64-v3/gnu-efi_4.0.2-r0_amd64.deb The following ipk packages are different and not in exclusion list: /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-extended/tmp/deploy/ipk/./x86-64-v3/gnu-efi_4.0.2-r0_x86-64-v3.ipk The following rpm packages are different and not in exclusion list: /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB-extended/tmp/deploy/rpm/./x86_64_v3/gnu-efi-4.0.2-r0.x86_64_v3.rpm https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20251021-u0jap9k2/ Can you have a look at these? Thanks, Mathieu
> -----Original Message----- > From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> > Sent: Wednesday, October 22, 2025 12:23 > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; > openembedded-core@lists.openembedded.org > Subject: Re: [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494 > > On Tue Oct 21, 2025 at 12:09 AM CEST, Peter Marko via lists.openembedded.org > wrote: > > From: Peter Marko <peter.marko@siemens.com> > > > > Pick commit per NVD CVE report. > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > > --- > > Hi Peter, > > Thanks for your patch. I suspect the last one is responsible of a > reproducibility issue in gnu-efi: > > AssertionError: The following deb packages are different and not in exclusion list: > /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB- > extended/tmp/deploy/deb/./x86-64-v3/gnu-efi_4.0.2-r0_amd64.deb > The following ipk packages are different and not in exclusion list: > /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB- > extended/tmp/deploy/ipk/./x86-64-v3/gnu-efi_4.0.2-r0_x86-64-v3.ipk > The following rpm packages are different and not in exclusion list: > /srv/pokybuild/yocto-worker/reproducible/build/build-st/reproducibleB- > extended/tmp/deploy/rpm/./x86_64_v3/gnu-efi-4.0.2-r0.x86_64_v3.rpm > > https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20251021-u0jap9k2/ > > Can you have a look at these? > I have checked this but I don't really know how to fix it. Maybe there are additional commits needed, but not sure how to find them. Let's keep this out and want for tag to see... Peter > Thanks, > Mathieu > > -- > Mathieu Dubois-Briand, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 288475ac390..72ed156a945 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc @@ -43,4 +43,5 @@ SRC_URI = "\ file://CVE-2025-11412.patch \ file://CVE-2025-11413.patch \ file://CVE-2025-11495.patch \ + file://CVE-2025-11494.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch new file mode 100644 index 00000000000..91ca74fb485 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch @@ -0,0 +1,49 @@ +From b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Tue, 30 Sep 2025 08:13:56 +0800 +Subject: [PATCH] x86: Keep _GLOBAL_OFFSET_TABLE_ for .eh_frame + +Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep +_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output +.eh_frame section is non-empty. + + PR ld/33499 + * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep + _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the + output .eh_frame section is non-empty. + +Signed-off-by: H.J. Lu <hjl.tools@gmail.com> + +CVE: CVE-2025-11494 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + bfd/elfxx-x86.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c +index d8c653a9ad2..140e86888a6 100644 +--- a/bfd/elfxx-x86.c ++++ b/bfd/elfxx-x86.c +@@ -2445,6 +2445,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd, + + if (htab->elf.sgotplt) + { ++ asection *eh_frame; ++ + /* Don't allocate .got.plt section if there are no GOT nor PLT + entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */ + if ((htab->elf.hgot == NULL +@@ -2457,7 +2459,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd, + && (htab->elf.iplt == NULL + || htab->elf.iplt->size == 0) + && (htab->elf.igotplt == NULL +- || htab->elf.igotplt->size == 0)) ++ || htab->elf.igotplt->size == 0) ++ && (!htab->elf.dynamic_sections_created ++ || (eh_frame = bfd_get_section_by_name (output_bfd, ++ ".eh_frame")) == NULL ++ || eh_frame->rawsize == 0)) + { + htab->elf.sgotplt->size = 0; + /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it