<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/binutils, branch kirkstone</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=kirkstone</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=kirkstone'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2026-01-26T09:49:25+00:00</updated>
<entry>
<title>binutils: Fix CVE-2025-1181</title>
<updated>2026-01-26T09:49:25+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2026-01-14T13:22:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2c23fc4f0e9ec4759dcb5fb8a172d0f1ea9a1ed4'/>
<id>urn:sha1:2c23fc4f0e9ec4759dcb5fb8a172d0f1ea9a1ed4</id>
<content type='text'>
import patch from ubuntu to fix
 CVE-2025-1181

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/binutils/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24
&amp;
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=18cc11a2771d9e40180485da9a4fb660c03efac3]

(From OE-Core rev: 55d4b81b15b6eb2e221ff69dc791d2e319fad234)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;

[Yoann Congal: Corrected the second patch SHA1 in URLs "18cc11a..."]
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>binutils: fix CVE-2025-11840</title>
<updated>2025-12-31T15:24:54+00:00</updated>
<author>
<name>Yash Shinde</name>
<email>Yash.Shinde@windriver.com</email>
</author>
<published>2025-12-19T11:08:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=df858d86edcc68d5380c3b4d4779f234fb2a03aa'/>
<id>urn:sha1:df858d86edcc68d5380c3b4d4779f234fb2a03aa</id>
<content type='text'>
CVE-2025-11840

PR 33455
[BUG] A SEGV in vfinfo at ldmisc.c:527
A reloc howto set up with EMPTY_HOWTO has a NULL name.  More than one
place emitting diagnostics assumes a reloc howto won't have a NULL
name.

https://sourceware.org/bugzilla/show_bug.cgi?id=33455

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]

(From OE-Core rev: 85e62aad46eb096cf92907288a3eb1b6f76072c4)

Signed-off-by: Yash Shinde &lt;Yash.Shinde@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: fix CVE-2025-11839</title>
<updated>2025-12-31T15:24:54+00:00</updated>
<author>
<name>Yash Shinde</name>
<email>Yash.Shinde@windriver.com</email>
</author>
<published>2025-12-19T11:08:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c1f7fcc84f382a270d4838b002ed905a987b7db6'/>
<id>urn:sha1:c1f7fcc84f382a270d4838b002ed905a987b7db6</id>
<content type='text'>
CVE-2025-11839

PR 33448
[BUG] Aborted in tg_tag_type at prdbg.c:2452
Remove call to abort in the DGB debug format printing code, thus allowing
the display of a fuzzed input file to complete without triggering an abort.

https://sourceware.org/bugzilla/show_bug.cgi?id=33448

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]

(From OE-Core rev: d99979ea5fa475a59d3c21859d3bbbd81e0cdba4)

Signed-off-by: Yash Shinde &lt;Yash.Shinde@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: Fix CVE-2025-11494</title>
<updated>2025-12-31T15:24:53+00:00</updated>
<author>
<name>Deepesh Varatharajan</name>
<email>Deepesh.Varatharajan@windriver.com</email>
</author>
<published>2025-12-16T10:02:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0183740845d9142fda9769e3d8cbb3b4e0c3a079'/>
<id>urn:sha1:0183740845d9142fda9769e3d8cbb3b4e0c3a079</id>
<content type='text'>
Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
.eh_frame section is non-empty.

Backport a patch from upstream to fix CVE-2025-11494
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]

(From OE-Core rev: aa67c21a07dc180a0582be46e239dafd40017ba0)

Signed-off-by: Deepesh Varatharajan &lt;Deepesh.Varatharajan@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11413</title>
<updated>2025-11-06T15:14:05+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-11-02T11:59:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=484d31c23d941f1bb9d084a21148ae17aeacea80'/>
<id>urn:sha1:484d31c23d941f1bb9d084a21148ae17aeacea80</id>
<content type='text'>
Pick commit per NVD CVE report.

Note that there were two patches for this, first [1] and then [2].
The second patch moved the original patch to different location.
Cherry-pick of second patch is successful leaving out the code removing
the code from first location, so the patch attached here is not
identical to the upstream commit but is identical to applying both and
merging them to a single patch.

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0

(From OE-Core rev: 98df728e6136d04af0f4922b7ffbeffb704de395)

(From OE-Core rev: 8d1a830c713a299f67fc512ed8bc0be21be4b9f0)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11412</title>
<updated>2025-11-06T15:14:05+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-11-02T11:59:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=aaf9219788efde4547b63f231b82acdd491ad69f'/>
<id>urn:sha1:aaf9219788efde4547b63f231b82acdd491ad69f</id>
<content type='text'>
Pick commit per NVD CVE report.

(From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7)

(From OE-Core rev: 9130f3471f4814979cfdfa66ca118929f240cb30)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: fix CVE-2025-8225</title>
<updated>2025-10-31T13:23:13+00:00</updated>
<author>
<name>Yash Shinde</name>
<email>Yash.Shinde@windriver.com</email>
</author>
<published>2025-10-28T11:10:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d0f445a1e2ba46644c8643de60d96fe31150cd8d'/>
<id>urn:sha1:d0f445a1e2ba46644c8643de60d96fe31150cd8d</id>
<content type='text'>
CVE: CVE-2025-8225

It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.

* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]

(From OE-Core rev: 9b5bb098b542a43a7aa97cc376c358f0a38778e3)

Signed-off-by: Yash Shinde &lt;Yash.Shinde@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: fix CVE-2025-11081</title>
<updated>2025-10-31T13:23:13+00:00</updated>
<author>
<name>Yash Shinde</name>
<email>Yash.Shinde@windriver.com</email>
</author>
<published>2025-10-28T11:10:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0118bd1e10c6accd20a581e8f6c3811532ce042b'/>
<id>urn:sha1:0118bd1e10c6accd20a581e8f6c3811532ce042b</id>
<content type='text'>
CVE: CVE-2025-11081

Trying to dump .sframe in a PE file results in a segfault accessing
elf_section_data.

	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
	elf_section_type without first checking the file is ELF.

PR 33406 SEGV in dump_dwarf_section
[https://sourceware.org/bugzilla/show_bug.cgi?id=33406]

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]

(From OE-Core rev: a7d39d40ec867bbcc36d71cf98858a34c619c9fe)

Signed-off-by: Yash Shinde &lt;Yash.Shinde@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11083</title>
<updated>2025-10-17T14:27:24+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-13T19:07:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f245c680a88701659cb32ca2eac78f31c5301594'/>
<id>urn:sha1:f245c680a88701659cb32ca2eac78f31c5301594</id>
<content type='text'>
Pick patch per link in NVD report.

(From OE-Core rev: 99879f41af7272e597c9a8c4c0260d1b690f9051)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11082</title>
<updated>2025-10-17T14:27:24+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-13T19:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2325a1dbc53f7a3efe66cfacd01b3d18e45045ac'/>
<id>urn:sha1:2325a1dbc53f7a3efe66cfacd01b3d18e45045ac</id>
<content type='text'>
Pick patch per link in NVD report.

(From OE-Core rev: cdc458b5dd21614058aac56de68a272201283141)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
