From patchwork Sat Feb 28 20:24:25 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 82186
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 1/5] exiv2: patch CVE-2021-37615 and CVE-2021-37616
Date: Sat, 28 Feb 2026 21:24:25 +0100
Message-ID: <20260228202429.2424513-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124784

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37615
https://nvd.nist.gov/vuln/detail/CVE-2021-37616

Backport the patches from the PR that is referenced by the NVD advisory. Both CVEs are fixed by the same PR.

Note that the patch that added a regression test is not included. This is because it contains a binary patch, which seems to be impossible to apply with all patchtools during do_patch. Though it is not included in this patch, it was applied manually during preparation, and all ptests (including the new regression test) passed successfully.

Signed-off-by: Gyorgy Sarvari
---
 .../exiv2/exiv2/CVE-2021-37615-1.patch | 80 ++++++++++ .../exiv2/exiv2/CVE-2021-37615-2.patch | 142 ++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 4 + 3 files changed, 226 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-1.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-2.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-1.patch new file mode 100644 index 0000000000..ce5b4543e1 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-1.patch
@@ -0,0 +1,80 @@ +From 8e7363ed17e9c3377e7cec1b3d05841e339fc555 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Fri, 2 Jul 2021 17:19:58 +0100 +Subject: [PATCH] Throw exception if lens info wasn't found. + +CVE: CVE-2021-37615 CVE-2021-37616 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/98fb218475948cbaef9549f7de3e9bbe9cc80e16] +Signed-off-by: Gyorgy Sarvari +--- + src/pentaxmn_int.cpp | 36 ++++++++++++++++++++++-------------- + 1 file changed, 22 insertions(+), 14 deletions(-) + +diff --git a/src/pentaxmn_int.cpp b/src/pentaxmn_int.cpp +index de1ba75..3dac885 100644 +--- a/src/pentaxmn_int.cpp ++++ b/src/pentaxmn_int.cpp +@@ -1216,6 +1216,25 @@ namespace Exiv2 { + return result; + } + ++ // Exception thrown by findLensInfo when the lens info can't be found. ++ class LensInfoNotFound : public std::exception { ++ public: ++ LensInfoNotFound() {} ++ }; ++ ++ // Throws std::exception if the LensInfo can't be found. ++ static ExifData::const_iterator findLensInfo(const ExifData* metadata) { ++ const ExifData::const_iterator dngLensInfo = metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")); ++ if (dngLensInfo != metadata->end()) { ++ return dngLensInfo; ++ } ++ const ExifData::const_iterator lensInfo = metadata->findKey(ExifKey("Exif.Pentax.LensInfo")); ++ if (lensInfo != metadata->end()) { ++ return lensInfo; ++ } ++ throw LensInfoNotFound(); ++ } ++ + //! resolveLens0x32c print lens in human format + std::ostream& resolveLens0x32c(std::ostream& os, const Value& value, + const ExifData* metadata) +@@ -1251,12 +1270,7 @@ namespace Exiv2 { + try { + unsigned long index = 0; + +- // http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Pentax.html#LensData +- const ExifData::const_iterator lensInfo = metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")) != metadata->end() +- ? 
metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")) +- : metadata->findKey(ExifKey("Exif.Pentax.LensInfo")) +- ; +- if ( lensInfo == metadata->end() ) return EXV_PRINT_COMBITAG_MULTI(pentaxLensType, 2, 1, 2)(os, value, metadata); ++ const ExifData::const_iterator lensInfo = findLensInfo(metadata); + if ( lensInfo->count() < 5 ) return EXV_PRINT_COMBITAG_MULTI(pentaxLensType, 2, 1, 2)(os, value, metadata); + + if ( value.count() == 2 ) { +@@ -1310,10 +1324,7 @@ namespace Exiv2 { + try { + unsigned long index = 0; + +- const ExifData::const_iterator lensInfo = metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")) != metadata->end() +- ? metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")) +- : metadata->findKey(ExifKey("Exif.Pentax.LensInfo")) +- ; ++ const ExifData::const_iterator lensInfo = findLensInfo(metadata); + if ( value.count() == 4 ) { + std::string model = getKeyString("Exif.Image.Model" ,metadata); + if ( model.find("PENTAX K-3")==0 && lensInfo->count() == 128 && lensInfo->toLong(1) == 168 && lensInfo->toLong(2) == 144 ) index = 7; +@@ -1338,10 +1349,7 @@ namespace Exiv2 { + try { + unsigned long index = 0; + +- const ExifData::const_iterator lensInfo = metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")) != metadata->end() +- ? metadata->findKey(ExifKey("Exif.PentaxDng.LensInfo")) +- : metadata->findKey(ExifKey("Exif.Pentax.LensInfo")) +- ; ++ const ExifData::const_iterator lensInfo = findLensInfo(metadata); + if ( value.count() == 4 ) { + std::string model = getKeyString("Exif.Image.Model" ,metadata); + if ( model.find("PENTAX K-3")==0 && lensInfo->count() == 128 && lensInfo->toLong(1) == 131 && lensInfo->toLong(2) == 128 ) diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-2.patch new file mode 100644 index 0000000000..6432252b29 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37615-2.patch 
@@ -0,0 +1,142 @@ +From 93f866b969b4e998b43839119ae6c912ddc6e901 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Sat, 3 Jul 2021 22:36:53 +0100 +Subject: [PATCH] Check that findKey didn't return end(). + +CVE: CVE-2021-37615 CVE-2021-37616 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/c2b52119d4f8d9ecb02056698fc8f6afd793db5e] +Signed-off-by: Gyorgy Sarvari +--- + src/convert.cpp | 33 ++++++++++++++++++--------------- + src/crwimage_int.cpp | 12 ++++++++++-- + src/exif.cpp | 4 ++-- + src/iptc.cpp | 4 ++-- + src/xmp.cpp | 4 ++-- + 5 files changed, 34 insertions(+), 23 deletions(-) + +diff --git a/src/convert.cpp b/src/convert.cpp +index 25fb587..63fa4ea 100644 +--- a/src/convert.cpp ++++ b/src/convert.cpp +@@ -665,16 +665,17 @@ namespace Exiv2 { + + if (subsecTag) { + ExifData::iterator subsec_pos = exifData_->findKey(ExifKey(subsecTag)); +- if ( subsec_pos != exifData_->end() +- && subsec_pos->typeId() == asciiString) { +- std::string ss = subsec_pos->toString(); +- if (!ss.empty()) { +- bool ok = false; +- stringTo(ss, ok); +- if (ok) subsec = std::string(".") + ss; ++ if (subsec_pos != exifData_->end()) { ++ if (subsec_pos->typeId() == asciiString) { ++ std::string ss = subsec_pos->toString(); ++ if (!ss.empty()) { ++ bool ok = false; ++ stringTo(ss, ok); ++ if (ok) subsec = std::string(".") + ss; ++ } + } ++ if (erase_) exifData_->erase(subsec_pos); + } +- if (erase_) exifData_->erase(subsec_pos); + } + + if (subsec.size() > 10) subsec = subsec.substr(0, 10); +@@ -1027,18 +1028,20 @@ namespace Exiv2 { + #endif + } + pos = xmpData_->findKey(XmpKey(std::string(from) + "/exif:RedEyeMode")); +- if (pos != xmpData_->end() && pos->count() > 0) { +- int red = pos->toLong(); +- if (pos->value().ok()) +- value |= (red & 1) << 6; ++ if (pos != xmpData_->end()) { ++ if (pos->count() > 0) { ++ int red = pos->toLong(); ++ if (pos->value().ok()) ++ value |= (red & 1) << 6; + #ifndef SUPPRESS_WARNINGS +- else +- EXV_WARNING << "Failed to convert " << 
std::string(from) + "/exif:RedEyeMode" << " to " << to << "\n"; ++ else ++ EXV_WARNING << "Failed to convert " << std::string(from) + "/exif:RedEyeMode" << " to " << to << "\n"; + #endif ++ } ++ if (erase_) xmpData_->erase(pos); + } + + (*exifData_)[to] = value; +- if (erase_) xmpData_->erase(pos); + } + + void Converter::cnvXmpGPSCoord(const char* from, const char* to) +diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp +index 4ccea63..570de75 100644 +--- a/src/crwimage_int.cpp ++++ b/src/crwimage_int.cpp +@@ -1084,8 +1084,16 @@ namespace Exiv2 { + if (ed2 != edEnd) size += ed2->size(); + if (size != 0) { + DataBuf buf(size); +- if (ed1 != edEnd) ed1->copy(buf.pData_, pHead->byteOrder()); +- if (ed2 != edEnd) ed2->copy(buf.pData_ + ed1->size(), pHead->byteOrder()); ++ long pos = 0; ++ if (ed1 != edEnd) { ++ ed1->copy(buf.pData_, pHead->byteOrder()); ++ pos += ed1->size(); ++ } ++ if (ed2 != edEnd) { ++ ed2->copy(buf.pData_ + pos, pHead->byteOrder()); ++ pos += ed2->size(); ++ } ++ assert(pos == size); + pHead->add(pCrwMapping->crwTagId_, pCrwMapping->crwDir_, buf); + } + else { +diff --git a/src/exif.cpp b/src/exif.cpp +index de93980..d312292 100644 +--- a/src/exif.cpp ++++ b/src/exif.cpp +@@ -564,8 +564,8 @@ namespace Exiv2 { + ExifKey exifKey(key); + iterator pos = findKey(exifKey); + if (pos == end()) { +- add(Exifdatum(exifKey)); +- pos = findKey(exifKey); ++ exifMetadata_.push_back(Exifdatum(exifKey)); ++ return exifMetadata_.back(); + } + return *pos; + } +diff --git a/src/iptc.cpp b/src/iptc.cpp +index 8e54b9c..c710f0f 100644 +--- a/src/iptc.cpp ++++ b/src/iptc.cpp +@@ -269,8 +269,8 @@ namespace Exiv2 { + IptcKey iptcKey(key); + iterator pos = findKey(iptcKey); + if (pos == end()) { +- add(Iptcdatum(iptcKey)); +- pos = findKey(iptcKey); ++ iptcMetadata_.push_back(Iptcdatum(iptcKey)); ++ return iptcMetadata_.back(); + } + return *pos; + } +diff --git a/src/xmp.cpp b/src/xmp.cpp +index 0b7ade0..03ce7e0 100644 +--- a/src/xmp.cpp ++++ b/src/xmp.cpp +@@ 
-313,8 +313,8 @@ namespace Exiv2 { + XmpKey xmpKey(key); + iterator pos = findKey(xmpKey); + if (pos == end()) { +- add(Xmpdatum(xmpKey)); +- pos = findKey(xmpKey); ++ xmpMetadata_.push_back(Xmpdatum(xmpKey)); ++ return xmpMetadata_.back(); + } + return *pos; + } diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 1c1c05dfaa..83110b1e0e 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb 
@@ -22,6 +22,8 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source file://CVE-2021-34334-4.patch \ file://CVE-2021-34335-1.patch \ file://CVE-2021-34335-2.patch \ + file://CVE-2021-37615-1.patch \ + file://CVE-2021-37615-2.patch \ " SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
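Review bot: In the `findLensInfo` hunk of CVE-2021-37615-1.patch, the comment says the helper "Throws std::exception" while the code throws `LensInfoNotFound`; the comment should name the concrete type. All three call sites rely on the enclosing `try` to handle it, and only the `try {` line is visible in these hunks, so confirm each handler catches `std::exception` (or `LensInfoNotFound`) and not only the library's own error type. This matters most in the hunk at -1251,12, where the explicit not-found fallback `return EXV_PRINT_COMBITAG_MULTI(pentaxLensType, 2, 1, 2)(os, value, metadata);` is removed and the same output now has to come from the catch path.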
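Review bot: In the src/crwimage_int.cpp hunk of CVE-2021-37615-2.patch, `assert(pos == size);` is compiled out when NDEBUG is defined, so a release build of the recipe gets no runtime check from it. The memory-safety fix is the running `pos` offset that replaces `buf.pData_ + ed1->size()`, which dereferenced `ed1` even when it equalled `edEnd`. If the size invariant is meant to hold on target, a check that throws is needed instead, and it is worth confirming that `pos` (declared `long`) and `size` have the same type so the comparison involves no conversion.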
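Review bot: In the src/exif.cpp hunk of CVE-2021-37615-2.patch (and the identical src/iptc.cpp and src/xmp.cpp hunks), the new datum is appended with `exifMetadata_.push_back(Exifdatum(exifKey));` directly instead of through `add()`, so anything `add()` does beyond appending is skipped on this path. Confirm that `add()` in 0.27.3 is a plain append for all three containers. The change removes the second `findKey` whose result was dereferenced by `return *pos;` without a check against `end()`.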
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 2/5] exiv2: patch CVE-2021-37618
Date: Sat, 28 Feb 2026 21:24:26 +0100
Message-ID: <20260228202429.2424513-2-skandigraun@gmail.com>
In-Reply-To: <20260228202429.2424513-1-skandigraun@gmail.com>
References: <20260228202429.2424513-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124785

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37618

Pick the patch from the PR that is referenced by the NVD advisory.

Note that the regression test was not backported, because it contains a binary patch, that I couldn't apply with any of the patchtools in the do_patch step. Before submission however I have applied the patches, and ran all the tests successfully.

Signed-off-by: Gyorgy Sarvari
---
 .../exiv2/exiv2/CVE-2021-37618.patch | 32 +++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch new file mode 100644 index 0000000000..8799876232 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37618.patch
@@ -0,0 +1,32 @@ +From 37e0d4dac7c8b1a9e01448c359bf013ead53904a Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Mon, 5 Jul 2021 10:40:03 +0100 +Subject: [PATCH] Better bounds checking in Jp2Image::printStructure + +CVE: CVE-2021-37618 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/0fcdde80997913dde284ea98f06f9305d06cb160] +Signed-off-by: Gyorgy Sarvari +--- + src/jp2image.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index e14919c..2da69f1 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m) + + if (subBox.type == kJp2BoxTypeColorHeader) { + long pad = 3; // don't know why there are 3 padding bytes ++ enforce(data.size_ >= pad, kerCorruptedMetadata); + if (bPrint) { + out << " | pad:"; + for (int i = 0; i < 3; i++) +@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m) + if (bPrint) { + out << " | iccLength:" << iccLength; + } ++ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata); + if (bICC) { + out.write((const char*)data.pData_ + pad, iccLength); + } diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 83110b1e0e..3d41bc93b2 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb 
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source file://CVE-2021-34335-2.patch \ file://CVE-2021-37615-1.patch \ file://CVE-2021-37615-2.patch \ + file://CVE-2021-37618.patch \ " SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
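Review bot: In the second added line of the src/jp2image.cpp hunk in CVE-2021-37618.patch, `enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);` bounds `iccLength` only from above. The declaration of `iccLength` is outside the visible context; if it is a signed type, a negative value passes this check and still reaches `out.write((const char*)data.pData_ + pad, iccLength);`, so confirm it is unsigned or add a lower bound. The subtraction is safe only because `enforce(data.size_ >= pad, kerCorruptedMetadata);` runs earlier in the same block, so the two checks need to stay together in any later rework. The print loop still hard-codes `i < 3` rather than using `pad`.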
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 3/5] exiv2: patch CVE-2021-37619
Date: Sat, 28 Feb 2026 21:24:27 +0100
Message-ID: <20260228202429.2424513-3-skandigraun@gmail.com>
In-Reply-To: <20260228202429.2424513-1-skandigraun@gmail.com>
References: <20260228202429.2424513-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124786

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37619

Pick the patch from the PR referenced by the NVD advisory.

Note that the regression test is not part of this patch, as no patchtool could apply it in do_patch task. The test patch was however manually applied during preparing this patch, and all tests were executed successfully.

Signed-off-by: Gyorgy Sarvari
---
 .../exiv2/exiv2/CVE-2021-37619.patch | 37 +++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch new file mode 100644 index 0000000000..9faf778743 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch
@@ -0,0 +1,37 @@ +From 0b74e631713d328a5f2bd1d9d26baf2e12b9da56 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Wed, 30 Jun 2021 18:02:43 +0100 +Subject: [PATCH] fix: fix incorrect loop condition (#1752) + +* Regression test for https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v + +* Fix incorrect loop condition. + +CVE: CVE-2021-37619 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/86d0a1d5d9f6dc41013a6690408add974e59167c] +Signed-off-by: Gyorgy Sarvari +--- + src/jp2image.cpp | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 2da69f1..482ef63 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -658,12 +658,14 @@ static void boxes_check(size_t b,size_t m) + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + +- while ( count < length || !bWroteColor ) { ++ while ( count < length && !bWroteColor ) { + enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; + + // copy data. pointer could be into a memory mapped file which we will decode! +- Jp2BoxHeader subBox = *pSubBox ; ++ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy. ++ Jp2BoxHeader subBox; ++ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader)); + Jp2BoxHeader newBox = subBox; + + if ( count < length ) { diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 3d41bc93b2..e7eac337dc 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source file://CVE-2021-37615-1.patch \ file://CVE-2021-37615-2.patch \ file://CVE-2021-37618.patch \ + file://CVE-2021-37619.patch \ " SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
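Review bot: With the loop condition in the src/jp2image.cpp hunk of CVE-2021-37619.patch changed to `count < length && !bWroteColor`, the trailing context line `if ( count < length ) {` is always true on entry, since nothing on the visible lines modifies `count` in between, and no longer acts as a guard. That is harmless in a backport but worth knowing when reading the patched source. The new `memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));` depends on the preceding `enforce(sizeof(Jp2BoxHeader) <= length - count, ...)` for its bound, and no `#include <cstring>` is visible in the hunk, so confirm jp2image.cpp in 0.27.3 already includes it.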
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 4/5] exiv2: patch CVE-2021-37620
Date: Sat, 28 Feb 2026 21:24:28 +0100
Message-ID: <20260228202429.2424513-4-skandigraun@gmail.com>
In-Reply-To: <20260228202429.2424513-1-skandigraun@gmail.com>
References: <20260228202429.2424513-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124787

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37620

Pick the patches from the PR that is referenced by the NVD advisory.

Two notes:
1. The regression test contains a binary patch, that couldn't be applied in the do_patch task. Due to this the test was not backported. It was however applied manually and executed successfully during the preparation of this patch.
2. The commit changes some "unsigned" types to "size_t", which is not included in this backport. They were already done by another patch (the one for CVE-2021-34334).

Signed-off-by: Gyorgy Sarvari
---
 .../exiv2/exiv2/CVE-2021-37620-1.patch | 26 ++ .../exiv2/exiv2/CVE-2021-37620-2.patch | 305 ++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 2 + 3 files changed, 333 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-1.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-2.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-1.patch new file mode 100644 index 0000000000..f072ea6ab0 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-1.patch
@@ -0,0 +1,26 @@ +From 672bb4c98a98911f91834617e8a7374acb903206 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Sat, 10 Jul 2021 10:42:24 +0100 +Subject: [PATCH] Check that `type` isn't an empty string. + +CVE: CVE-2021-37620 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/2e7bb581a234bfb0d0c9e16a1dbf037a8c30681e] +Signed-off-by: Gyorgy Sarvari +--- + src/value.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/value.cpp b/src/value.cpp +index 95eb05a..2536b84 100644 +--- a/src/value.cpp ++++ b/src/value.cpp +@@ -714,6 +714,9 @@ namespace Exiv2 { + if (buf.length() > 5 && buf.substr(0, 5) == "type=") { + std::string::size_type pos = buf.find_first_of(' '); + type = buf.substr(5, pos-5); ++ if (type.empty()) { ++ throw Error(kerInvalidXmpText, type); ++ } + // Strip quotes (so you can also specify the type without quotes) + if (type[0] == '"') type = type.substr(1); + if (type[type.length()-1] == '"') type = type.substr(0, type.length()-1); diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-2.patch new file mode 100644 index 0000000000..bbb4176aa5 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37620-2.patch 
@@ -0,0 +1,305 @@ +From 13fb2c4f55a268f0ad864005428e93f80d813b8a Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Sun, 11 Jul 2021 12:04:53 +0100 +Subject: [PATCH] Safer std::vector indexing. + +CVE: CVE-2021-37620 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/76e313745e813f80e8910aceb2210af3ad8cf897] +Signed-off-by: Gyorgy Sarvari +--- + samples/addmoddel.cpp | 2 +- + samples/exiv2json.cpp | 6 +++--- + src/actions.cpp | 20 +++++++++++--------- + src/basicio.cpp | 6 +++--- + src/exiv2.cpp | 4 ++-- + src/minoltamn_int.cpp | 2 +- + src/properties.cpp | 2 +- + src/sigmamn_int.cpp | 6 +++--- + src/tags_int.cpp | 2 +- + src/tiffvisitor_int.cpp | 2 +- + src/utils.cpp | 4 ++-- + src/value.cpp | 6 ++++-- + src/xmp.cpp | 3 +-- + 13 files changed, 34 insertions(+), 31 deletions(-) + +diff --git a/samples/addmoddel.cpp b/samples/addmoddel.cpp +index e171edd..215e432 100644 +--- a/samples/addmoddel.cpp ++++ b/samples/addmoddel.cpp +@@ -77,7 +77,7 @@ try { + if (prv == 0) throw Exiv2::Error(Exiv2::kerErrorMessage, "Downcast failed"); + rv = Exiv2::URationalValue::AutoPtr(prv); + // Modify the value directly through the interface of URationalValue +- rv->value_[2] = std::make_pair(88,77); ++ rv->value_.at(2) = std::make_pair(88,77); + // Copy the modified value back to the metadatum + pos->setValue(rv.get()); + std::cout << "Modified key \"" << key +diff --git a/samples/exiv2json.cpp b/samples/exiv2json.cpp +index fe5a014..91dee73 100644 +--- a/samples/exiv2json.cpp ++++ b/samples/exiv2json.cpp +@@ -57,7 +57,7 @@ bool getToken(std::string& in,Token& token,Exiv2::StringSet* pNS=NULL) + + while ( !result && in.length() ) { + std::string c = in.substr(0,1); +- char C = c[0]; ++ char C = c.at(0); + in = in.substr(1,std::string::npos); + if ( in.length() == 0 && C != ']' ) token.n += c; + if ( C == '/' || C == '[' || C == ':' || C == '.' 
|| C == ']' || in.length() == 0 ) { +@@ -97,7 +97,7 @@ Jzon::Node& addToTree(Jzon::Node& r1,Token token) + + Jzon::Node& recursivelyBuildTree(Jzon::Node& root,Tokens& tokens,size_t k) + { +- return addToTree( k==0 ? root : recursivelyBuildTree(root,tokens,k-1), tokens[k] ); ++ return addToTree( k==0 ? root : recursivelyBuildTree(root,tokens,k-1), tokens.at(k) ); + } + + // build the json tree for this key. return location and discover the name +@@ -109,7 +109,7 @@ Jzon::Node& objectForKey(const std::string& Key,Jzon::Object& root,std::string& + std::string input = Key ; // Example: "XMP.xmp.MP.RegionInfo/MPRI:Regions[1]/MPReg:Rectangle" + while ( getToken(input,token,pNS) ) tokens.push_back(token); + size_t l = tokens.size()-1; // leave leaf name to push() +- name = tokens[l].n ; ++ name = tokens.at(l).n ; + + // The second token. For example: XMP.dc is a namespace + if ( pNS && tokens.size() > 1 ) pNS->insert(tokens[1].n); +diff --git a/src/actions.cpp b/src/actions.cpp +index 97acac7..a771e21 100644 +--- a/src/actions.cpp ++++ b/src/actions.cpp +@@ -1108,19 +1108,21 @@ namespace Action { + + const Params::PreviewNumbers& numbers = Params::instance().previewNumbers_; + for (Params::PreviewNumbers::const_iterator n = numbers.begin(); n != numbers.end(); ++n) { +- if (*n == 0) { ++ size_t num = static_cast(*n); ++ if (num == 0) { + // Write all previews +- for (int num = 0; num < static_cast(pvList.size()); ++num) { +- writePreviewFile(pvMgr.getPreviewImage(pvList[num]), num + 1); ++ for (num = 0; num < pvList.size(); ++num) { ++ writePreviewFile(pvMgr.getPreviewImage(pvList[num]), static_cast(num + 1)); + } + break; + } +- if (*n > static_cast(pvList.size())) { ++ num--; ++ if (num >= pvList.size()) { + std::cerr << path_ << ": " << _("Image does not have preview") +- << " " << *n << "\n"; ++ << " " << num + 1 << "\n"; + continue; + } +- writePreviewFile(pvMgr.getPreviewImage(pvList[*n - 1]), *n); ++ writePreviewFile(pvMgr.getPreviewImage(pvList[num]), 
static_cast(num + 1)); + } + return 0; + } // Extract::writePreviews +@@ -1680,7 +1682,7 @@ namespace Action { + return 0; + } + std::string timeStr = md->toString(); +- if (timeStr == "" || timeStr[0] == ' ') { ++ if (timeStr.empty() || timeStr[0] == ' ') { + std::cerr << path << ": " << _("Timestamp of metadatum with key") << " `" + << ek << "' " << _("not set\n"); + return 1; +@@ -2240,7 +2242,7 @@ namespace { + << "' " << _("exists. [O]verwrite, [r]ename or [s]kip?") + << " "; + std::cin >> s; +- switch (s[0]) { ++ switch (s.at(0)) { + case 'o': + case 'O': + go = false; +@@ -2305,7 +2307,7 @@ namespace { + << ": " << _("Overwrite") << " `" << path << "'? "; + std::string s; + std::cin >> s; +- if (s[0] != 'y' && s[0] != 'Y') return 1; ++ if (s.at(0) != 'y' && s.at(0) != 'Y') return 1; + } + return 0; + } +diff --git a/src/basicio.cpp b/src/basicio.cpp +index 7b707e1..ad24938 100644 +--- a/src/basicio.cpp ++++ b/src/basicio.cpp +@@ -190,11 +190,11 @@ namespace Exiv2 { + case opRead: + // Flush if current mode allows reading, else reopen (in mode "r+b" + // as in this case we know that we can write to the file) +- if (openMode_[0] == 'r' || openMode_[1] == '+') reopen = false; ++ if (openMode_.at(0) == 'r' || openMode_.at(1) == '+') reopen = false; + break; + case opWrite: + // Flush if current mode allows writing, else reopen +- if (openMode_[0] != 'r' || openMode_[1] == '+') reopen = false; ++ if (openMode_.at(0) != 'r' || openMode_.at(1) == '+') reopen = false; + break; + case opSeek: + reopen = false; +@@ -2131,7 +2131,7 @@ namespace Exiv2 { + void HttpIo::HttpImpl::writeRemote(const byte* data, size_t size, long from, long to) + { + std::string scriptPath(getEnv(envHTTPPOST)); +- if (scriptPath == "") { ++ if (scriptPath.empty()) { + throw Error(kerErrorMessage, "Please set the path of the server script to handle http post data to EXIV2_HTTP_POST environmental variable."); + } + +diff --git a/src/exiv2.cpp b/src/exiv2.cpp +index 3d9fa4f..69077c9 100644 +--- 
a/src/exiv2.cpp ++++ b/src/exiv2.cpp +@@ -1460,8 +1460,8 @@ namespace { + if (valStart != std::string::npos) { + value = parseEscapes(line.substr(valStart, valEnd+1-valStart)); + std::string::size_type last = value.length()-1; +- if ( (value[0] == '"' && value[last] == '"') +- || (value[0] == '\'' && value[last] == '\'')) { ++ if ( (value.at(0) == '"' && value.at(last) == '"') ++ || (value.at(0) == '\'' && value.at(last) == '\'')) { + value = value.substr(1, value.length()-2); + } + } +diff --git a/src/minoltamn_int.cpp b/src/minoltamn_int.cpp +index 77521fc..fc3a73c 100644 +--- a/src/minoltamn_int.cpp ++++ b/src/minoltamn_int.cpp +@@ -2037,7 +2037,7 @@ namespace Exiv2 { + { + const TagDetails* td = find(minoltaSonyLensID, lensID); + std::vector tokens = split(td[0].label_,"|"); +- return os << exvGettext(trim(tokens[index-1]).c_str()); ++ return os << exvGettext(trim(tokens.at(index-1)).c_str()); + } + + static std::ostream& resolveLens0x1c(std::ostream& os, const Value& value, +diff --git a/src/properties.cpp b/src/properties.cpp +index c6ebd34..af09f0f 100644 +--- a/src/properties.cpp ++++ b/src/properties.cpp +@@ -2612,7 +2612,7 @@ namespace Exiv2 { + // If property is a path for a nested property, determines the innermost element + std::string::size_type i = property.find_last_of('/'); + if (i != std::string::npos) { +- for (; i != std::string::npos && !isalpha(property[i]); ++i) {} ++ for (; i != std::string::npos && !isalpha(property.at(i)); ++i) {} + property = property.substr(i); + i = property.find_first_of(':'); + if (i != std::string::npos) { +diff --git a/src/sigmamn_int.cpp b/src/sigmamn_int.cpp +index da1beaa..62077bb 100644 +--- a/src/sigmamn_int.cpp ++++ b/src/sigmamn_int.cpp +@@ -134,7 +134,7 @@ namespace Exiv2 { + std::string v = value.toString(); + std::string::size_type pos = v.find(':'); + if (pos != std::string::npos) { +- if (v[pos + 1] == ' ') ++pos; ++ if (v.at(pos + 1) == ' ') ++pos; + v = v.substr(pos + 1); + } + return os << v; +@@ 
-144,7 +144,7 @@ namespace Exiv2 { + const Value& value, + const ExifData*) + { +- switch (value.toString()[0]) { ++ switch (value.toString().at(0)) { + case 'P': os << _("Program"); break; + case 'A': os << _("Aperture priority"); break; + case 'S': os << _("Shutter priority"); break; +@@ -158,7 +158,7 @@ namespace Exiv2 { + const Value& value, + const ExifData*) + { +- switch (value.toString()[0]) { ++ switch (value.toString().at(0)) { + case 'A': os << _("Average"); break; + case 'C': os << _("Center"); break; + case '8': os << _("8-Segment"); break; +diff --git a/src/tags_int.cpp b/src/tags_int.cpp +index df05522..4a4a555 100644 +--- a/src/tags_int.cpp ++++ b/src/tags_int.cpp +@@ -2867,7 +2867,7 @@ namespace Exiv2 { + } + + std::string stringValue = value.toString(); +- if (stringValue[19] == 'Z') { ++ if (stringValue.at(19) == 'Z') { + stringValue = stringValue.substr(0, 19); + } + for (size_t i = 0; i < stringValue.length(); ++i) { +diff --git a/src/tiffvisitor_int.cpp b/src/tiffvisitor_int.cpp +index cca9679..5b9addf 100644 +--- a/src/tiffvisitor_int.cpp ++++ b/src/tiffvisitor_int.cpp +@@ -482,7 +482,7 @@ namespace Exiv2 { + uint.push_back((uint16_t) object->pValue()->toLong(i)); + } + // Check this is AFInfo2 (ints[0] = bytes in object) +- if ( ints[0] != object->pValue()->count()*2 ) return ; ++ if ( ints.at(0) != object->pValue()->count()*2 ) return ; + + std::string familyGroup(std::string("Exif.") + groupName(object->group()) + "."); + +diff --git a/src/utils.cpp b/src/utils.cpp +index 66e9898..6b06074 100644 +--- a/src/utils.cpp ++++ b/src/utils.cpp +@@ -65,7 +65,7 @@ namespace Util { + if (p.length() == 2 && p[1] == ':') return p; // For Windows paths + std::string::size_type idx = p.find_last_of("\\/"); + if (idx == std::string::npos) return "."; +- if (idx == 1 && p[0] == '\\' && p[1] == '\\') return p; // For Windows paths ++ if (idx == 1 && p.at(0) == '\\' && p.at(1) == '\\') return p; // For Windows paths + p = p.substr(0, idx == 0 ? 
1 : idx); + while ( p.length() > 1 + && (p[p.length()-1] == '\\' || p[p.length()-1] == '/')) { +@@ -85,7 +85,7 @@ namespace Util { + } + if (p.length() == 2 && p[1] == ':') return ""; // For Windows paths + std::string::size_type idx = p.find_last_of("\\/"); +- if (idx == 1 && p[0] == '\\' && p[1] == '\\') return ""; // For Windows paths ++ if (idx == 1 && p.at(0) == '\\' && p.at(1) == '\\') return ""; // For Windows paths + if (idx != std::string::npos) p = p.substr(idx+1); + if (delsuffix) p = p.substr(0, p.length() - suffix(p).length()); + return p; +diff --git a/src/value.cpp b/src/value.cpp +index 2536b84..470b864 100644 +--- a/src/value.cpp ++++ b/src/value.cpp +@@ -497,8 +497,10 @@ namespace Exiv2 { + std::string::size_type pos = comment.find_first_of(' '); + std::string name = comment.substr(8, pos-8); + // Strip quotes (so you can also specify the charset without quotes) +- if (name[0] == '"') name = name.substr(1); +- if (name[name.length()-1] == '"') name = name.substr(0, name.length()-1); ++ if (!name.empty()) { ++ if (name[0] == '"') name = name.substr(1); ++ if (name[name.length()-1] == '"') name = name.substr(0, name.length()-1); ++ } + charsetId = CharsetInfo::charsetIdByName(name); + if (charsetId == invalidCharsetId) { + #ifndef SUPPRESS_WARNINGS +diff --git a/src/xmp.cpp b/src/xmp.cpp +index 03ce7e0..40b8f8c 100644 +--- a/src/xmp.cpp ++++ b/src/xmp.cpp +@@ -500,8 +500,7 @@ namespace Exiv2 { + bool bNS = out.find(':') != std::string::npos && !bURI; + + // pop trailing ':' on a namespace +- if ( bNS ) { +- std::size_t length = out.length(); ++ if ( bNS && !out.empty() ) { + if ( out[length-1] == ':' ) out = out.substr(0,length-1); + } + diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index e7eac337dc..4001f1b639 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb 
@@ -26,6 +26,8 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source file://CVE-2021-37615-2.patch \ file://CVE-2021-37618.patch \ file://CVE-2021-37619.patch \ + file://CVE-2021-37620-1.patch \ + file://CVE-2021-37620-2.patch \ " SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
From patchwork Sat Feb 28 20:24:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82185
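Review bot: In CVE-2021-37620-1.patch (src/value.cpp, hunk at -714) the new `type.empty()` check runs before the quote stripping, so a `type` that consists of a single `"` passes it, becomes empty after `type = type.substr(1)`, and the following line still evaluates `type[type.length()-1]` with `length()-1` wrapped around. Guard the trailing-quote test with `!type.empty()` as well, or repeat the empty check after the leading quote has been removed.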
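Review bot: The `!name.empty()` guard added in the src/value.cpp hunk of CVE-2021-37620-2.patch (at -497) only covers the string as it was before stripping. For a `name` of exactly `"` the first `name.substr(1)` leaves it empty, and `name[name.length()-1]` is then indexed inside the same guarded block. The second `if` needs its own `!name.empty()` test.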
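Review bot: The src/xmp.cpp hunk in CVE-2021-37620-2.patch removes `std::size_t length = out.length();`, but the unchanged line right after it still reads `out[length-1]` and `out.substr(0,length-1)`. Unless `length` is declared outside the visible context this no longer compiles, and if an outer `length` does exist it is not `out.length()`. Keep the declaration inside the new `if ( bNS && !out.empty() )` block, or write both uses as `out.length()-1`.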
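Review bot: `stringValue.at(19)` in the src/tags_int.cpp hunk of CVE-2021-37620-2.patch throws `std::out_of_range` for any value string of 19 characters or fewer, which is a different exception type from the `Exiv2::Error` raised elsewhere in this series (for example `throw Error(kerInvalidXmpText, type)`). Because the string comes from `value.toString()`, a length test such as `stringValue.length() > 19` before the comparison would keep short values on the normal path; otherwise please confirm that the callers of this print function catch `std::exception` and not only `Exiv2::Error`.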
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 5/5] exiv2: patch CVE-2021-37621
Date: Sat, 28 Feb 2026 21:24:29 +0100
Message-ID: <20260228202429.2424513-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260228202429.2424513-1-skandigraun@gmail.com>
References: <20260228202429.2424513-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124788

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37621

Backport the patch that is referenced by the NVD advisory.

The regression test contains a binary patch, that couldn't be applied in the do_patch task. Due to this the test was not backported. It was however applied manually and executed successfully during the preparation of this patch.

Signed-off-by: Gyorgy Sarvari
--- .../exiv2/exiv2/CVE-2021-37621-1.patch | 25 +++ .../exiv2/exiv2/CVE-2021-37621-2.patch | 187 ++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 2 + 3 files changed, 214 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-1.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-2.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-1.patch new file mode 100644 index 0000000000..1ca9fd2b0d --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-1.patch 
@@ -0,0 +1,25 @@ +From 4fbd3390829f8418e1ec95252c2fd6b851850508 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Tue, 13 Jul 2021 22:50:16 +0100 +Subject: [PATCH] dirLength == 0 can cause an infinite loop. + +CVE: CVE-2021-37621 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/191cd2690608f19335d82ed2be36c7ce8bdc60b9] +Signed-off-by: Gyorgy Sarvari +--- + src/image.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/image.cpp b/src/image.cpp +index 2fa41e5..7c2eaa9 100644 +--- a/src/image.cpp ++++ b/src/image.cpp +@@ -353,6 +353,8 @@ namespace Exiv2 { + throw Error(kerCorruptedMetadata); + } + uint16_t dirLength = byteSwap2(dir,0,bSwap); ++ // Prevent infinite loops. (GHSA-m479-7frc-gqqg) ++ enforce(dirLength > 0, kerCorruptedMetadata); + + bool tooBig = dirLength > 500; + if ( tooBig ) throw Error(kerTiffDirectoryTooLarge); diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-2.patch new file mode 100644 index 0000000000..a4578aae17 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37621-2.patch 
@@ -0,0 +1,187 @@ +From 2973c3277af6922209a80985eccbd50b48088be6 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Tue, 13 Jul 2021 22:53:40 +0100 +Subject: [PATCH] Defensive programming in Image::printIFDStructure + +CVE: CVE-2021-37621 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/d9fd4c4272df172ae89c0a9c41341adc75ebba86] +Signed-off-by: Gyorgy Sarvari +--- + src/image.cpp | 82 +++++++++++++++++++++++++++++++-------------------- + 1 file changed, 50 insertions(+), 32 deletions(-) + +diff --git a/src/image.cpp b/src/image.cpp +index 7c2eaa9..6b1b1d8 100644 +--- a/src/image.cpp ++++ b/src/image.cpp +@@ -27,6 +27,7 @@ + #include "image.hpp" + #include "image_int.hpp" + #include "error.hpp" ++#include "enforce.hpp" + #include "futils.hpp" + #include "safe_op.hpp" + #include "slice.hpp" +@@ -149,6 +150,19 @@ namespace { + // class member definitions + namespace Exiv2 { + ++ // BasicIo::read() with error checking ++ static void readOrThrow(BasicIo& iIo, byte* buf, long rcount, ErrorCode err) { ++ const long nread = iIo.read(buf, rcount); ++ enforce(nread == rcount, err); ++ enforce(!iIo.error(), err); ++ } ++ ++ // BasicIo::seek() with error checking ++ static void seekOrThrow(BasicIo& iIo, long offset, BasicIo::Position pos, ErrorCode err) { ++ const int r = iIo.seek(offset, pos); ++ enforce(r == 0, err); ++ } ++ + Image::Image(int imageType, + uint16_t supportedMetadata, + BasicIo::AutoPtr io) +@@ -347,11 +361,8 @@ namespace Exiv2 { + + do { + // Read top of directory +- const int seekSuccess = !io.seek(start,BasicIo::beg); +- const long bytesRead = io.read(dir.pData_, 2); +- if (!seekSuccess || bytesRead == 0) { +- throw Error(kerCorruptedMetadata); +- } ++ seekOrThrow(io, start, BasicIo::beg, kerCorruptedMetadata); ++ readOrThrow(io, dir.pData_, 2, kerCorruptedMetadata); + uint16_t dirLength = byteSwap2(dir,0,bSwap); + // Prevent infinite loops. 
(GHSA-m479-7frc-gqqg) + enforce(dirLength > 0, kerCorruptedMetadata); +@@ -378,7 +389,7 @@ namespace Exiv2 { + } + bFirst = false; + +- io.read(dir.pData_, 12); ++ readOrThrow(io, dir.pData_, 12, kerCorruptedMetadata); + uint16_t tag = byteSwap2(dir,0,bSwap); + uint16_t type = byteSwap2(dir,2,bSwap); + uint32_t count = byteSwap4(dir,4,bSwap); +@@ -411,20 +422,27 @@ namespace Exiv2 { + // if ( offset > io.size() ) offset = 0; // Denial of service? + + // #55 and #56 memory allocation crash test/data/POC8 +- long long allocate = (long long) size*count + pad+20; +- if ( allocate > (long long) io.size() ) { ++ const uint64_t allocate64 = static_cast(size) * count + pad + 20; ++ if ( allocate64 > io.size() ) { + throw Error(kerInvalidMalloc); + } +- DataBuf buf((long)allocate); // allocate a buffer ++ // Overflow check ++ enforce(allocate64 <= static_cast(std::numeric_limits::max()), kerCorruptedMetadata); ++ enforce(allocate64 <= static_cast(std::numeric_limits::max()), kerCorruptedMetadata); ++ const long allocate = static_cast(allocate64); ++ DataBuf buf(allocate); // allocate a buffer + std::memset(buf.pData_, 0, buf.size_); + std::memcpy(buf.pData_,dir.pData_+8,4); // copy dir[8:11] into buffer (short strings) +- const bool bOffsetIsPointer = count*size > 4; ++ ++ // We have already checked that this multiplication cannot overflow. 
++ const uint32_t count_x_size = count*size; ++ const bool bOffsetIsPointer = count_x_size > 4; + + if ( bOffsetIsPointer ) { // read into buffer +- size_t restore = io.tell(); // save +- io.seek(offset,BasicIo::beg); // position +- io.read(buf.pData_,count*size);// read +- io.seek(restore,BasicIo::beg); // restore ++ const long restore = io.tell(); // save ++ seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata); // position ++ readOrThrow(io, buf.pData_, static_cast(count_x_size), kerCorruptedMetadata); // read ++ seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata); // restore + } + + if ( bPrint ) { +@@ -463,10 +481,10 @@ namespace Exiv2 { + + if ( option == kpsRecursive && (tag == 0x8769 /* ExifTag */ || tag == 0x014a/*SubIFDs*/ || type == tiffIfd) ) { + for ( size_t k = 0 ; k < count ; k++ ) { +- size_t restore = io.tell(); ++ const long restore = io.tell(); + uint32_t offset = byteSwap4(buf,k*size,bSwap); + printIFDStructure(io,out,option,offset,bSwap,c,depth); +- io.seek(restore,BasicIo::beg); ++ seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata); + } + } else if ( option == kpsRecursive && tag == 0x83bb /* IPTCNAA */ ) { + +@@ -474,38 +492,38 @@ namespace Exiv2 { + throw Error(kerCorruptedMetadata); + } + +- const size_t restore = io.tell(); +- io.seek(offset, BasicIo::beg); // position ++ const long restore = io.tell(); ++ seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata); // position + std::vector bytes(count) ; // allocate memory + // TODO: once we have C++11 use bytes.data() +- const long read_bytes = io.read(&bytes[0], count); +- io.seek(restore, BasicIo::beg); ++ readOrThrow(io, &bytes[0], count, kerCorruptedMetadata); ++ seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata); + // TODO: once we have C++11 use bytes.data() +- IptcData::printStructure(out, makeSliceUntil(&bytes[0], read_bytes), depth); ++ IptcData::printStructure(out, makeSliceUntil(&bytes[0], count), depth); + + } else if ( option == 
kpsRecursive && tag == 0x927c /* MakerNote */ && count > 10) { +- size_t restore = io.tell(); // save ++ const long restore = io.tell(); // save + + uint32_t jump= 10 ; + byte bytes[20] ; + const char* chars = (const char*) &bytes[0] ; +- io.seek(offset,BasicIo::beg); // position +- io.read(bytes,jump ) ; // read ++ seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata); // position ++ readOrThrow(io, bytes, jump, kerCorruptedMetadata) ; // read + bytes[jump]=0 ; + if ( ::strcmp("Nikon",chars) == 0 ) { + // tag is an embedded tiff +- byte* bytes=new byte[count-jump] ; // allocate memory +- io.read(bytes,count-jump) ; // read +- MemIo memIo(bytes,count-jump) ; // create a file ++ const long byteslen = count-jump; ++ DataBuf bytes(byteslen); // allocate a buffer ++ readOrThrow(io, bytes.pData_, byteslen, kerCorruptedMetadata); // read ++ MemIo memIo(bytes.pData_, byteslen) ; // create a file + printTiffStructure(memIo,out,option,depth); +- delete[] bytes ; // free + } else { + // tag is an IFD +- io.seek(0,BasicIo::beg); // position ++ seekOrThrow(io, 0, BasicIo::beg, kerCorruptedMetadata); // position + printIFDStructure(io,out,option,offset,bSwap,c,depth); + } + +- io.seek(restore,BasicIo::beg); // restore ++ seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata); // restore + } + } + +@@ -518,7 +536,7 @@ namespace Exiv2 { + } + } + if ( start ) { +- io.read(dir.pData_, 4); ++ readOrThrow(io, dir.pData_, 4, kerCorruptedMetadata); + start = tooBig ? 0 : byteSwap4(dir,0,bSwap); + } + } while (start) ; +@@ -538,7 +556,7 @@ namespace Exiv2 { + DataBuf dir(dirSize); + + // read header (we already know for certain that we have a Tiff file) +- io.read(dir.pData_, 8); ++ readOrThrow(io, dir.pData_, 8, kerCorruptedMetadata); + char c = (char) dir.pData_[0] ; + bool bSwap = ( c == 'M' && isLittleEndianPlatform() ) + || ( c == 'I' && isBigEndianPlatform() ) 
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 4001f1b639..eecd02d78a 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -28,6 +28,8 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source file://CVE-2021-37619.patch \ file://CVE-2021-37620-1.patch \ file://CVE-2021-37620-2.patch \ + file://CVE-2021-37621-1.patch \ + file://CVE-2021-37621-2.patch \ " SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
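Review bot: CVE-2021-37621-1.patch calls `enforce(dirLength > 0, kerCorruptedMetadata)` in src/image.cpp, but `#include "enforce.hpp"` is only added to that file by CVE-2021-37621-2.patch. If image.cpp does not already get `enforce` through another header, the first patch does not build on its own. Moving the include into the first patch, or stating the dependency in its header, would keep the two patches independently applicable.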
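Review bot: In the hunk at -411 of CVE-2021-37621-2.patch the comment "We have already checked that this multiplication cannot overflow" sits above `const uint32_t count_x_size = count*size;`, yet as far as the visible lines show the preceding checks bound the 64-bit `allocate64` by `io.size()` and by `numeric_limits` maxima, not by the 32-bit range. Where `io.size()` can exceed 4 GiB the product can still be truncated when it is stored in a `uint32_t`. Deriving the value from `allocate64`, or adding an explicit `enforce` against the `uint32_t` maximum, would make the comment hold on every target.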