diff mbox series

[meta-oe,kirkstone,3/5] exiv2: patch CVE-2021-37619

Message ID 20260228202429.2424513-3-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,kirkstone,1/5] exiv2: patch CVE-2021-37615 and CVE-2021-37616 | expand

Commit Message

Gyorgy Sarvari Feb. 28, 2026, 8:24 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37619

Pick the patch from the PR referenced by the NVD advisory.

Note that the regression test is not part of this patch,
as no patchtool could apply it in do_patch task.

The test patch was however manually applied during preparing
this patch, and all tests were executed successfully.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../exiv2/exiv2/CVE-2021-37619.patch          | 37 +++++++++++++++++++
 meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch
new file mode 100644
index 0000000000..9faf778743
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch
@@ -0,0 +1,37 @@ 
+From 0b74e631713d328a5f2bd1d9d26baf2e12b9da56 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 30 Jun 2021 18:02:43 +0100
+Subject: [PATCH] fix: fix incorrect loop condition (#1752)
+
+* Regression test for https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+
+* Fix incorrect loop condition.
+
+CVE: CVE-2021-37619
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/86d0a1d5d9f6dc41013a6690408add974e59167c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/jp2image.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 2da69f1..482ef63 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -658,12 +658,14 @@ static void boxes_check(size_t b,size_t m)
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+ 
+-        while ( count < length || !bWroteColor ) {
++        while ( count < length && !bWroteColor ) {
+             enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+ 
+             // copy data.  pointer could be into a memory mapped file which we will decode!
+-            Jp2BoxHeader   subBox = *pSubBox ;
++            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
++            Jp2BoxHeader   subBox;
++            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+             Jp2BoxHeader   newBox =  subBox;
+ 
+             if ( count < length ) {
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 3d41bc93b2..e7eac337dc 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -25,6 +25,7 @@  SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source
            file://CVE-2021-37615-1.patch \
            file://CVE-2021-37615-2.patch \
            file://CVE-2021-37618.patch \
+           file://CVE-2021-37619.patch \
            "
 SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"