From 48269c1e3f598255ddcce6d24f53c14a8928e625 Mon Sep 17 00:00:00 2001 From: Adarsh Jagadish Kamini Date: Tue, 31 Mar 2026 14:12:24 +0200 Subject: [PATCH] binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputed Both CVEs are disputed by third parties. The observed behavior (double free / invalid pointer free in readelf) only occurred in pre-release code and did not affect any tagged version [1][2]. CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version" CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version" [1] https://www.cve.org/CVERecord?id=CVE-2025-69650 [2] https://www.cve.org/CVERecord?id=CVE-2025-69651 (From OE-Core rev: 55a0d8abad8a81f7d900557c2eb2d9327ee115df) Signed-off-by: Adarsh Jagadish Kamini (cherry picked from commit 9c6df56fe18237880c391798c2083dca595566f4) Signed-off-by: Yoann Congal Signed-off-by: Paul Barker --- meta/recipes-devtools/binutils/binutils-2.42.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 839d31242e..e27502af72 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -20,6 +20,8 @@ UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P\d+_(\d_?)*)" CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier" CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176" +CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version" +CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version" SRCREV ?= "f9488b0d92b591bdf3ff8cce485cb0e1b3727cc0" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
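Review bot: The reason on the two added `CVE_STATUS` lines argues from tagged releases, while this recipe builds the commit pinned by `SRCREV` on `${SRCBRANCH}`, which need not be a tagged release. Because `disputed` is, as far as I know, reported as ignored by cve-check, it is worth confirming that the readelf code in question is absent at the pinned revision and not only at tags. The cve.org references exist only in the commit message, so I would put a comment above the entries, for example `# Disputed on cve.org (CVE-2025-69650, CVE-2025-69651); re-check whenever SRCREV is bumped`.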