
[meta-oe,scarthgap,12/18] exiv2: patch CVE-2025-26623

Message ID 20251014205402.1487867-12-ankur.tyagi85@gmail.com
State New
Series [meta-oe,scarthgap,01/18] dash: set CVE_PRODUCT | expand

Commit Message

Ankur Tyagi Oct. 14, 2025, 8:53 p.m. UTC
From: Gyorgy Sarvari <skandigraun@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26623

Apply the first to PRs from the relevant issue.

(The second PR adds a test, and the 3rd PR tries to correctly
reimplement the feature that introduced the vulnerability:
it is switching some raw pointers to smart pointers. It was not picked
because:
1. In the original issue it is stated that the first PR itself
   fixes the vulnerability
2. The patch doesn't apply clean due to the time gap between our
   and their version
3. The behavior of the application does not change
)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 7907a3e206fb049e609996df8d09141bfb291fcd)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../0001-Revert-fix-copy-constructors.patch   | 82 +++++++++++++++++++
 meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb |  4 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch

Patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch
new file mode 100644
index 0000000000..b3074e2823
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch
@@ -0,0 +1,82 @@ 
+From f338465efb49166c543dcc2fc52810370ea90475 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+
+CVE: CVE-2025-26623
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3174/commits/638ff11ce7480000974b5c619eafcb8618e3b586]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp |  6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 95ce450c7..3e6e93d5c 100644
+--- a/src/tiffcomposite_int.cpp
++++ b/src/tiffcomposite_int.cpp
+@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+     storage_(rhs.storage_) {
+ }
+ 
++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
++}
++
++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
++}
++
++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
++    TiffEntryBase(rhs),
++    cfgSelFct_(rhs.cfgSelFct_),
++    arraySet_(rhs.arraySet_),
++    arrayCfg_(rhs.arrayCfg_),
++    arrayDef_(rhs.arrayDef_),
++    defSize_(rhs.defSize_),
++    setSize_(rhs.setSize_),
++    origData_(rhs.origData_),
++    origSize_(rhs.origSize_),
++    pRoot_(rhs.pRoot_) {
++}
++
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+   return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 4506a4dca..307e0bd9e 100644
+--- a/src/tiffcomposite_int.hpp
++++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffDirectory(const TiffDirectory&) = default;
++  TiffDirectory(const TiffDirectory& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffSubIfd(const TiffSubIfd&) = default;
++  TiffSubIfd(const TiffSubIfd& rhs);
+   TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+   //@}
+ 
+@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffBinaryArray(const TiffBinaryArray&) = default;
++  TiffBinaryArray(const TiffBinaryArray& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
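Review bot: The restored copy constructors for TiffDirectory, TiffSubIfd and TiffBinaryArray copy only the members named in their initializer lists, but nothing in the new code records that this is deliberate. The three header declarations still carry only `//! Copy constructor (used to implement clone()).`, so a later cleanup could switch them back to `= default`, which the embedded commit message says leads to use-after-free through the C pointers. I would extend that doc comment on each declaration, for example `//! Copy constructor (used to implement clone()). Must not be defaulted: members held through raw pointers are intentionally not copied (CVE-2025-26623).` The members left out are not visible in these hunks, so the wording should be checked against the class definitions. Because this is a backport, the comment is best proposed upstream so the patch stays identical to the referenced commit.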
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
index 3e33ab7953..81e9954c1d 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
@@ -4,7 +4,9 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
 
 DEPENDS = "zlib expat brotli libinih"
 
-SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x"
+SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
+           file://0001-Revert-fix-copy-constructors.patch \
+           "
 SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
 S = "${WORKDIR}/git"