[meta-oe,06/17] lcms: patch CVE-2026-41254

Message ID	20260420062750.3795917-6-skandigraun@gmail.com
State	Accepted
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.128.46, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 06/17] lcms: patch CVE-2026-41254 Date: Mon, 20 Apr 2026 08:27:38 +0200 Message-ID: <20260420062750.3795917-6-skandigraun@gmail.com> In-Reply-To: <20260420062750.3795917-1-skandigraun@gmail.com> References: <20260420062750.3795917-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,01/17] fio: upgrade 3.41 -> 3.42 \| expand [meta-oe,01/17] fio: upgrade 3.41 -> 3.42 [meta-oe,02/17] jq: patch CVE-2026-32316 [meta-oe,03/17] jq: patch CVE-2026-33947 [meta-oe,04/17] jq: patch CVE-2026-33948 [meta-oe,05/17] jq: patch CVE-2026-39979 [meta-oe,06/17] lcms: patch CVE-2026-41254 [meta-networking,07/17] libcoap: upgrade 4.3.5a -> 4.3.5b [meta-oe,08/17] gphoto2: upgrade 2.5.28 -> 2.5.32 [meta-oe,09/17] libgphoto2: patch CVE-2026-40333 [meta-oe,10/17] libgphoto2: patch CVE-2026-40334 [meta-oe,11/17] libgphoto2: patch CVE-2026-40335 [meta-oe,12/17] libgphoto2: patch CVE-2026-40336 [meta-oe,13/17] libgphoto2: patch CVE-2026-40338 [meta-oe,14/17] libgphoto2: patch CVE-2026-40339 [meta-oe,15/17] libgphoto2: patch CVE-2026-40340 [meta-oe,16/17] libgphoto2: patch CVE-2026-40341 [meta-oe,17/17] libraw: mark CVE-2026-20911 and CVE-2026-21413 patched

Message ID

20260420062750.3795917-6-skandigraun@gmail.com

State

Accepted

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 06/17] lcms: patch CVE-2026-41254
Date: Mon, 20 Apr 2026 08:27:38 +0200
Message-ID: <20260420062750.3795917-6-skandigraun@gmail.com>
In-Reply-To: <20260420062750.3795917-1-skandigraun@gmail.com>
References: <20260420062750.3795917-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,01/17] fio: upgrade 3.41 -> 3.42 | expand

Commit Message

Gyorgy Sarvari April 20, 2026, 6:27 a.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254

Backport the patches referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../lcms/lcms/CVE-2026-41254_1.patch          | 28 +++++++++++++++
 .../lcms/lcms/CVE-2026-41254_2.patch          | 34 +++++++++++++++++++
 meta-oe/recipes-support/lcms/lcms_2.18.bb     |  5 ++-
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
 create mode 100644 meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch

diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
new file mode 100644
index 0000000000..2ed8e9f587
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
@@ -0,0 +1,28 @@ 
+From c83cfcd249d06950a307cee8d1e22b7f6a78a8a7 Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 19 Feb 2026 09:07:20 +0100
+Subject: [PATCH] Fix integer overflow in CubeSize()
+
+Thanks to @zerojackyi for reporting
+
+CVE: CVE-2026-41254
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/cmslut.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmslut.c b/src/cmslut.c
+index 1089148..b245209 100644
+--- a/src/cmslut.c
++++ b/src/cmslut.c
+@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[],
+ static
+ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
+ {
+-    cmsUInt32Number rv, dim;
++    cmsUInt32Number dim;
++    cmsUInt64Number rv;
+ 
+     _cmsAssert(Dims != NULL);
+ 
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
new file mode 100644
index 0000000000..be8c759a6f
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
@@ -0,0 +1,34 @@ 
+From f5994aea02d5620f3182cafdcf116ffe9d6c9fd2 Mon Sep 17 00:00:00 2001
+From: Marti Maria <marti.maria@littlecms.com>
+Date: Thu, 12 Mar 2026 22:57:35 +0100
+Subject: [PATCH] check for overflow
+
+Thanks to Guanni Qu for detecting & reporting the issue
+
+CVE: CVE-2026-41254
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/cmslut.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmslut.c b/src/cmslut.c
+index b245209..c1dbb32 100644
+--- a/src/cmslut.c
++++ b/src/cmslut.c
+@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b)
+     for (rv = 1; b > 0; b--) {
+ 
+         dim = Dims[b-1];
+-        if (dim <= 1) return 0;  // Error
+-
+-        rv *= dim;
++        if (dim <= 1) return 0;  
+ 
+         // Check for overflow
+         if (rv > UINT_MAX / dim) return 0;
++
++        rv *= dim;
+     }
+ 
+     // Again, prevent overflow
diff --git a/meta-oe/recipes-support/lcms/lcms_2.18.bb b/meta-oe/recipes-support/lcms/lcms_2.18.bb
index 79e4a6f694..1ff3b3908f 100644
--- a/meta-oe/recipes-support/lcms/lcms_2.18.bb
+++ b/meta-oe/recipes-support/lcms/lcms_2.18.bb
@@ -3,7 +3,10 @@  SECTION = "libs"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
+           file://CVE-2026-41254_1.patch \
+           file://CVE-2026-41254_2.patch \
+           "
 SRC_URI[sha256sum] = "ee67be3566f459362c1ee094fde2c159d33fa0390aa4ed5f5af676f9e5004347"
 
 DEPENDS = "tiff"

[meta-oe,06/17] lcms: patch CVE-2026-41254

Commit Message

Patch