diff mbox series

[scarthgap] binutils: set CVE_STATUS for CVE-2025-69649

Message ID 20260427064951.2603944-1-Harish.Sadineni@windriver.com
State Under Review
Delegated to: Yoann Congal

Commit Message

Sadineni, Harish April 27, 2026, 6:49 a.m. UTC
From: Harish Sadineni <Harish.Sadineni@windriver.com>

Set CVE_STATUS for CVE-2025-69649, as this CVE only affects binutils 2.46.
binutils 2.42 is not vulnerable.

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
---
 meta/recipes-devtools/binutils/binutils-2.42.inc | 1 +
 1 file changed, 1 insertion(+)

Comments

Fabien Thomas April 30, 2026, 10:08 a.m. UTC | #1
On Mon Apr 27, 2026 at 8:49 AM CEST, Harish via lists.openembedded.org Sadineni wrote:
> From: Harish Sadineni <Harish.Sadineni@windriver.com>
>
> Set CVE_STATUS for CVE-2025-69649, as this CVE only affects binutils 2.46.
> binutils 2.42 is not vulnerable.
>
> Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> ---
>  meta/recipes-devtools/binutils/binutils-2.42.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
> index 839d31242e..ed079c0349 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> @@ -20,6 +20,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
>  
>  CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier"
>  CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176" 
> +CVE_STATUS[CVE-2025-69649] = "cpe-incorrect: Applies only for version 2.46"
>  
>  SRCREV ?= "f9488b0d92b591bdf3ff8cce485cb0e1b3727cc0"
>  BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
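
Review bot: the added CVE_STATUS[CVE-2025-69649] line asserts "Applies only for version 2.46", but neither the status text nor the commit message cites anything to back it, such as the upstream binutils commit that introduced the affected code or the upstream bug report. Add that reference to the commit message or as a comment above the line, so the claim that 2.42 is not vulnerable can be checked against the published CPE data.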

Hi Harish,

I'm filling in for Yoann while he's on leave.

From what I've read on [1], the CPE of this CVE indicates
"up to and including version 2.46". So it seems to me that
this CVE applies to our version 2.42.

I can't find any information that contradicts the NIST CPE.
Can you give me more information? 

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69649

Patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 839d31242e..ed079c0349 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -20,6 +20,7 @@  UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
 
 CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier"
 CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176" 
+CVE_STATUS[CVE-2025-69649] = "cpe-incorrect: Applies only for version 2.46"
 
 SRCREV ?= "f9488b0d92b591bdf3ff8cce485cb0e1b3727cc0"
 BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
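
Review bot: the status text on the added line, "Applies only for version 2.46", does not say why 2.42 falls outside the affected range, unlike the CVE-2023-25584 entry two lines up, whose "2.40 and earlier" bound excludes 2.42 on its face. If the reasoning is that the affected code first appeared in 2.46, write that explicitly in the string, since a cpe-incorrect override is hard to audit later without the reason recorded next to it.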