diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch deleted file mode 100644 index 9ded174095..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch +++ /dev/null @@ -1,84 +0,0 @@ -From bfa786a260bfd4660e8186ebad8778718e85e8cd Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sat, 4 Apr 2026 14:56:01 -0700 -Subject: [PATCH] libgphoto2: fix const-correctness for c23 builds - -C23 treats the return values of strrchr() and strchr() as const char * -when the input string is const-qualified. Update local variables to use -const char * where appropriate to avoid discarded-qualifier warnings and -build failures with -std=gnu23. - -No functional change intended. - -Upstream-Status: Submitted [https://github.com/gphoto/libgphoto2/pull/1235] -Signed-off-by: Khem Raj ---- - camlibs/directory/directory.c | 2 +- - libgphoto2/gphoto2-file.c | 6 +++--- - libgphoto2/gphoto2-filesys.c | 2 +- - packaging/generic/print-camera-list.c | 2 +- - 4 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/camlibs/directory/directory.c b/camlibs/directory/directory.c -index 790405d54..cc63c6684 100644 ---- a/camlibs/directory/directory.c -+++ b/camlibs/directory/directory.c -@@ -125,7 +125,7 @@ static const char * - get_mime_type (const char *filename) - { - -- char *dot; -+ const char *dot; - int x=0; - - dot = strrchr(filename, '.'); -diff --git a/libgphoto2/gphoto2-file.c b/libgphoto2/gphoto2-file.c -index 04d4d5e3e..1a9dbc193 100644 ---- a/libgphoto2/gphoto2-file.c -+++ b/libgphoto2/gphoto2-file.c -@@ -610,7 +610,7 @@ int - gp_file_open (CameraFile *file, const char *filename) - { - FILE *fp; -- char *name, *dot; -+ const char *name, *dot; - long size, size_read; - int i; - struct stat s; -@@ -906,8 +906,8 @@ gp_file_get_name (CameraFile *file, const char **name) - int - gp_file_get_name_by_type (CameraFile *file, const char *basename, CameraFileType type, char **newname) - { -- char *prefix = NULL, *s, *new, *slash = NULL; -- const char *suffix = NULL; -+ char *prefix = NULL, *new; -+ const char *suffix = NULL, *s, *slash = NULL; - int i; - - C_PARAMS (file && basename && newname); -diff --git a/libgphoto2/gphoto2-filesys.c b/libgphoto2/gphoto2-filesys.c -index 45f957292..07decff24 100644 ---- a/libgphoto2/gphoto2-filesys.c -+++ b/libgphoto2/gphoto2-filesys.c -@@ -521,7 +521,7 @@ append_to_folder (CameraFilesystemFolder *folder, - CameraFilesystemFolder **newfolder - ) { - CameraFilesystemFolder *f; -- char *s; -+ const char *s; - - GP_LOG_D ("Append to folder %p/%s - %s", folder, folder->name, foldername); - /* Handle multiple slashes, and slashes at the end */ -diff --git a/packaging/generic/print-camera-list.c b/packaging/generic/print-camera-list.c -index 1707b4e87..44530b4ae 100644 ---- a/packaging/generic/print-camera-list.c -+++ b/packaging/generic/print-camera-list.c -@@ -1138,7 +1138,7 @@ escape_html(const char *str) { - newstr = malloc(strlen(str)+1+inc); - s = str; ns = newstr; - do { -- char *x; -+ const char *x; - x = strchr(s,'&'); - if (x) { - memcpy (ns, s, x-s); diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch deleted file mode 100644 index 77c307e88d..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch +++ /dev/null @@ -1,150 +0,0 @@ -From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Wed, 8 Apr 2026 15:18:42 +0200 -Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length - Parameter -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept -const unsigned char** data but no length/size parameter. They perform -unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat, -up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events() -have xsize available but never pass it. - - CVE-2026-40333 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40333 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++------- - 1 file changed, 44 insertions(+), 9 deletions(-) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index 09421b7..09dcc24 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned - - - static inline uint16_t --ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data ) -+ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size ) - { - /* - EOS ImageFormat entries look are a sequence of u32 values: -@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data ) - - const uint8_t* d = *data; - uint32_t offset = 0; -- uint32_t n = dtoh32o (d, offset); -+ uint32_t n; - uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0; - -+ if (*size < sizeof(uint32_t)) { -+ ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size); -+ return 0; -+ } -+ n = dtoh32o (d, offset); -+ *size -= sizeof(uint32_t); -+ - if (n != 1 && n !=2) { - ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n); - return 0; - } -- -+ if (*size < sizeof(uint32_t)) { -+ ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size); -+ return 0; -+ } - l = dtoh32o (d, offset); -+ *size -= sizeof(uint32_t); -+ - if (l != 0x10) { - ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l); - return 0; - } - -+ if (*size < 3*sizeof(uint32_t)) { -+ ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size); -+ return 0; -+ } - t1 = dtoh32o (d, offset); - s1 = dtoh32o (d, offset); - c1 = dtoh32o (d, offset); -+ *size -= 3*sizeof(uint32_t); - - if (n == 2) { -+ if (*size < sizeof(uint32_t)) { -+ ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size); -+ return 0; -+ } - l = dtoh32o (d, offset); -+ *size -= sizeof(uint32_t); -+ - if (l != 0x10) { - ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l); - return 0; - } -+ if (*size < 3*sizeof(uint32_t)) { -+ ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size); -+ return 0; -+ } - t2 = dtoh32o (d, offset); - s2 = dtoh32o (d, offset); - c2 = dtoh32o (d, offset); -@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3 - - - static inline char* --ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data ) -+ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size ) - { -- uint32_t s = dtoh32a( *data ); -- uint32_t n = s/4, i; -+ uint32_t s, n, i; - char *str, *p; - -+ if (*size < sizeof(uint32_t)) -+ return strdup("bad length"); -+ -+ s = dtoh32a( *data ); -+ n = s/4; -+ -+ if (*size < 4+s) -+ return strdup("bad length"); -+ - if (s > 1024) { - ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s); - return strdup("bad length"); -@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in - case PTP_DPC_CANON_EOS_ImageFormatExtHD: - /* special handling of ImageFormat properties */ - for (j=0;jFORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata ); -+ dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize ); - ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16); - } - break; -@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in - case PTP_DPC_CANON_EOS_ImageFormatSD: - case PTP_DPC_CANON_EOS_ImageFormatExtHD: - dpd->DataType = PTP_DTC_UINT16; -- dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata ); -+ dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize ); - dpd->CurrentValue.u16 = dpd->DefaultValue.u16; - ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16); - break; -@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in - dpd->DataType = PTP_DTC_STR; - free (dpd->DefaultValue.str); - free (dpd->CurrentValue.str); -- dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata ); -+ dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize ); - dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str ); - ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str); - break; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch deleted file mode 100644 index 883582dff0..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 20b33a26b2efdbf2c35c5cacc54a041855ec764b Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Wed, 8 Apr 2026 15:15:54 +0200 -Subject: [PATCH] Fixed Canon FolderEntry Missing Null Termination -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ptp_unpack_Canon_FE() copies filename with strncpy into a 13-byte -buffer without explicit null termination. The EOS variant at line -1451–1452 correctly adds fe->Filename[PTP_CANON_FilenameBufferLen-1] -= 0; confirming this was recognized as necessary but not applied to the -original Canon path. - - CVE-2026-40334 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40334 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index 09dcc24..982b4f4 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -1369,6 +1369,7 @@ ptp_unpack_Canon_FE (PTPParams *params, const unsigned char* data, PTPCANONFolde - fe->ObjectSize = dtoh32a(data + PTP_cfe_ObjectSize); - fe->Time = (time_t)dtoh32a(data + PTP_cfe_Time); - strncpy(fe->Filename, (char*)data + PTP_cfe_Filename, PTP_CANON_FilenameBufferLen); -+ fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0'; - } - - /* diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch deleted file mode 100644 index dfe832e6c8..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch +++ /dev/null @@ -1,43 +0,0 @@ -From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Wed, 8 Apr 2026 15:07:38 +0200 -Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?= - =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM - -In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic. - -CVE-2026-40335 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40335 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index 982b4f4..7fc120d 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -614,10 +614,14 @@ ptp_unpack_DPV ( - case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break; - - case PTP_DTC_UINT128: -+ if (total - *offset < 16) -+ return 0; - *offset += 16; - /*fprintf(stderr,"unhandled unpack of uint128n");*/ - break; - case PTP_DTC_INT128: -+ if (total - *offset < 16) -+ return 0; - *offset += 16; - /*fprintf(stderr,"unhandled unpack of int128n");*/ - break; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch deleted file mode 100644 index 1a809b4f25..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch +++ /dev/null @@ -1,44 +0,0 @@ -From e19c45d3530f1585805711e14aa4ea788e499f46 Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Wed, 8 Apr 2026 15:13:51 +0200 -Subject: [PATCH] Fixed Sony DPD Secondary Enum List Memory Leak -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Finding 4: Sony DPD Secondary Enum List Memory Leak (CWE-401) — LOW - -File: ptp-pack.c:884-885 - -When processing a secondary enumeration list (2024+ Sony cameras), line -884–885 overwrites dpd->FORM.Enum.SupportedValue with a new calloc() -without freeing the previous allocation from line 857. The original -array and any string values it contains are leaked. - -CVE-2026-40336 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40336 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/404ff02c75f3cb280196fc260a63c4d26cf1a8f6] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index 7fc120d..fc51d77 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -879,6 +879,11 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp - /* check if we have a secondary list of items, this is for newer Sonys (2024) */ - if (val < 0x200) { /* if a secondary list is not provided, this will be the next property code - 0x5XXX or 0xDxxx */ - if (dpd->FormFlag == PTP_DPFF_Enumeration) { -+ /* free old enum variables */ -+ for (i=0;iFORM.Enum.NumberOfValues;i++) -+ ptp_free_propvalue (dpd->DataType, dpd->FORM.Enum.SupportedValue+i); -+ free (dpd->FORM.Enum.SupportedValue); -+ - N = dtoh16o(data, *poffset); - dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); - if (!dpd->FORM.Enum.SupportedValue) diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch deleted file mode 100644 index 9f233f2ec9..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Sat, 11 Apr 2026 10:47:52 +0200 -Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?= - =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check. - -CVE-2026-40338 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40338 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index fc51d77..f90d2a5 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp - break; - case PTP_DPFF_Enumeration: { - #define N dpd->FORM.Enum.NumberOfValues -+ if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory; - N = dtoh16o(data, *poffset); - dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); - if (!dpd->FORM.Enum.SupportedValue) diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch deleted file mode 100644 index b00ac72772..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Sat, 11 Apr 2026 10:50:47 +0200 -Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?= - =?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset) -without a prior bounds check. The standard ptp_unpack_DPD() at line -686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before -this same read, but the Sony variant omits this check. - -CVE-2026-40339 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40339 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index f90d2a5..28648a5 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp - code or the Data Type is a string (with two empty strings as - values). In both cases Form Flag should be set to 0x00 and FORM is - not present. */ -- - if (*poffset==PTP_dpd_Sony_DefaultValue) - return 1; -+ if (*poffset + sizeof(uint8_t) > dpdlen) -+ return 1; - - dpd->FormFlag = dtoh8o(data, *poffset); - ptp_debug (params, "formflag 0x%04x", dpd->FormFlag); diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch deleted file mode 100644 index a0852692b0..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch +++ /dev/null @@ -1,40 +0,0 @@ -From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Wed, 8 Apr 2026 16:01:48 +0200 -Subject: [PATCH] Fixed ObjectInfo Parser OOB Read -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses: - - Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB) - Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB) - Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB) - -The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary. - - CVE-2026-40340 - -Reported-By: Sebastián Alba - -CVE: CVE-2026-40340 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index 28648a5..9eba06f 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi, - { - char *capture_date; - -- if (!data || len < PTP_oi_SequenceNumber) -+ if (!data || len < PTP_oi_filenamelen + 5) - return; - - oi->Filename = oi->Keywords = NULL; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch deleted file mode 100644 index b71792c185..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 3674dbeafa5157a264ca5e562ffdbef159a2185f Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Wed, 8 Apr 2026 15:28:52 +0200 -Subject: [PATCH] Fixed OOB read in ptp_unpack_EOS_FocusInfoEx - -Do not read out values before checking there is sufficient size - -CVE-2026-40341 - -CVE: CVE-2026-40341 -Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/c385b34af260595dfbb5f9329526be5158985987] -Signed-off-by: Gyorgy Sarvari ---- - camlibs/ptp2/ptp-pack.c | 34 +++++++++++++++++++++++++--------- - 1 file changed, 25 insertions(+), 9 deletions(-) - -diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c -index 9eba06f..11428ab 100644 ---- a/camlibs/ptp2/ptp-pack.c -+++ b/camlibs/ptp2/ptp-pack.c -@@ -1629,23 +1629,39 @@ ptp_pack_EOS_ImageFormat (PTPParams* params, unsigned char* data, uint16_t value - static inline char* - ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize) - { -- uint32_t size = dtoh32a( *data ); -- uint32_t halfsize = dtoh16a( (*data) + 4); -- uint32_t version = dtoh16a( (*data) + 6); -- uint32_t focus_points_in_struct = dtoh16a( (*data) + 8); -- uint32_t focus_points_in_use = dtoh16a( (*data) + 10); -- uint32_t sizeX = dtoh16a( (*data) + 12); -- uint32_t sizeY = dtoh16a( (*data) + 14); -- uint32_t size2X = dtoh16a( (*data) + 16); -- uint32_t size2Y = dtoh16a( (*data) + 18); -+ uint32_t size; -+ uint32_t halfsize; -+ uint32_t version; -+ uint32_t focus_points_in_struct; -+ uint32_t focus_points_in_use; -+ uint32_t sizeX; -+ uint32_t sizeY; -+ uint32_t size2X; -+ uint32_t size2Y; - uint32_t i; - uint32_t maxlen; - char *str, *p; - -+ if (datasize<4) { -+ ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize); -+ return strdup("bad size 0"); -+ } -+ -+ size = dtoh32a( *data ); - if ((size > datasize) || (size < 20)) { - ptp_error(params, "FocusInfoEx has invalid size (%d) vs datasize (%d)", size, datasize); - return strdup("bad size 1"); - } -+ -+ halfsize = dtoh16a( (*data) + 4); -+ version = dtoh16a( (*data) + 6); -+ focus_points_in_struct = dtoh16a( (*data) + 8); -+ focus_points_in_use = dtoh16a( (*data) + 10); -+ sizeX = dtoh16a( (*data) + 12); -+ sizeY = dtoh16a( (*data) + 14); -+ size2X = dtoh16a( (*data) + 16); -+ size2Y = dtoh16a( (*data) + 18); -+ - /* If data is zero-filled, then it is just a placeholder, so nothing - useful, but also not an error */ - if (!focus_points_in_struct || !focus_points_in_use) { diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb similarity index 75% rename from meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb rename to meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb index 04c4786f84..fca158fe11 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb @@ -12,17 +12,8 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2" SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://40-libgphoto2.rules \ file://0001-configure-Filter-out-buildpaths-from-CC.patch \ - file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \ - file://CVE-2026-40333.patch \ - file://CVE-2026-40334.patch \ - file://CVE-2026-40335.patch \ - file://CVE-2026-40336.patch \ - file://CVE-2026-40338.patch \ - file://CVE-2026-40339.patch \ - file://CVE-2026-40340.patch \ - file://CVE-2026-40341.patch \ " -SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" +SRC_URI[libgphoto2.sha256sum] = "51993f5d9bfb6b4e5925cbbe5883085791bff6f81bcacb8ffe1b783ce76d586a" UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"