On Thu, Nov 23, 2023 at 2:41 AM Richard Purdie <richard.pur...@linuxfoundation.org> wrote: > > On Tue, 2023-11-21 at 16:31 -1000, Steve Sakoman wrote: > > From: Deepthi Hemraj <deepthi.hem...@windriver.com> > > > > Signed-off-by: Deepthi Hemraj <deepthi.hem...@windriver.com> > > Signed-off-by: Steve Sakoman <st...@sakoman.com> > > --- > > .../binutils/binutils-2.38.inc | 1 + > > .../binutils/0033-CVE-2022-47007.patch | 34 +++++++++++++++++++ > > 2 files changed, 35 insertions(+) > > create mode 100644 > > meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > > > diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc > > b/meta/recipes-devtools/binutils/binutils-2.38.inc > > index 43cc97f1ef..dc29141812 100644 > > --- a/meta/recipes-devtools/binutils/binutils-2.38.inc > > +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc > > @@ -67,5 +67,6 @@ SRC_URI = "\ > > file://0031-CVE-2022-47695.patch \ > > file://CVE-2022-48063.patch \ > > file://0032-CVE-2022-47010.patch \ > > + file://0033-CVE-2022-47007.patch \ > > " > > S = "${WORKDIR}/git" > > diff --git > > a/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch > > new file mode 100644 > > index 0000000000..cc6dfe684b > > --- /dev/null > > +++ b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch 
> > @@ -0,0 +1,34 @@ > > +From: Alan Modra <amo...@gmail.com> > > +Date: Thu, 16 Jun 2022 23:30:41 +0000 (+0930) > > +Subject: PR29254, memory leak in stab_demangle_v3_arg > > +X-Git-Tag: binutils-2_39~237 > > +X-Git-Url: > > https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb > > + > > +PR29254, memory leak in stab_demangle_v3_arg > > + > > + PR 29254 > > + * stabs.c (stab_demangle_v3_arg): Free dt on failure path. > > + > > +Upstream-Status: Backport > > [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb] > > + > > +CVE: CVE-2022-47007 > > + > > +Signed-off-by: Deepthi Hemraj <deepthi.hem...@windriver.com> > > +--- > > + > > This has not merged to master yet. It probably will but...
This CVE shouldn't affect master, it is for binutils versions 2.34 thru 2.38, while master is 2.41.

See: https://nvd.nist.gov/vuln/detail/CVE-2022-47007

Steve
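
Review bot: The commit message above the `---` carries only the From and Signed-off-by lines, so nothing in it records why this fix is applied to the binutils-2.38 recipe alone. The embedded patch header already holds the evidence (`X-Git-Tag: binutils-2_39~237` places the upstream commit before the 2.39 tag), so a short body stating that the fix is upstream as of 2.39 and is backported only for 2.38 would settle the not-in-master question in the commit itself. In the new 0033-CVE-2022-47007.patch the `Upstream-Status: Backport` and `CVE:` tags are present and the backport URL matches `X-Git-Url`; the quoted text ends before the stabs.c hunk, so the "Free dt on failure path" change itself cannot be checked from what is shown here.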