new file mode 100644
@@ -0,0 +1,25 @@
+From f7a1082a65b444d606d82ae71e1279789601f78d Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 14 Jan 2023 18:32:59 +0300
+Subject: [PATCH] do not set shrink flag for 3/4 component images
+
+CVE: CVE-2023-1729
+Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/preprocessing/raw2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
+index 18f897eb..64722efd 100644
+--- a/src/preprocessing/raw2image.cpp
++++ b/src/preprocessing/raw2image.cpp
+@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
+
+ // adjust for half mode!
+ IO.shrink =
++ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
++ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
+ P1.filters &&
+ (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
+
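Review bot: The patch header names the CVE and the upstream commit but not the reason for the new guard, so a maintainer rebasing this recipe cannot tell from the file why `IO.shrink` must stay clear when `color4_image`, `color3_image`, `float4_image` or `float3_image` is set. Because the code is an unmodified backport, the explanation belongs in the header rather than in the hunk. A line after the Subject would do, such as `Half-size shrink only applies to single-component (filtered) raw data; leave it off when the decoder produced a 3- or 4-component buffer.`, with the wording checked against the upstream issue. The body of raw2image_start() continues outside the hunk, so how IO.shrink is used afterwards is not visible here. It is also worth confirming that the hunk applies to the pinned SRCREV without fuzz.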
@@ -2,7 +2,9 @@ SUMMARY = "raw image decoder"
LICENSE = "LGPL-2.1-only | CDDL-1.0"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=74c9dffdc42805f9c0de2f97df6031fc"
-SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https \
+ file://CVE-2023-1729.patch \
+ "
SRCREV = "0209b6a2caec189e6d1a9b21c10e9e49f46e5a92"
S = "${WORKDIR}/git"
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1729 Pick the patch that the issue linked from the NVD report names as the fix. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../libraw/libraw/CVE-2023-1729.patch | 25 +++++++++++++++++++ .../recipes-support/libraw/libraw_0.20.2.bb | 4 ++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/libraw/libraw/CVE-2023-1729.patch