exiv2: patch CVE-2025-26623

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26623 Apply the first to PRs from the relevant issue. (The second PR adds a test, and the 3rd PR tries to reimplement correctly the feature that introduced the vulnerability: it is switching some raw pointers to smart pointers. It was not picked because the 1. In the original issue it is stated that the first PR itself fixes the vulnerability 2. The patch doesn't apply clean due to the time gap between our and their version 3. The behavior of the application does not change ) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 7907a3e206fb049e609996df8d09141bfb291fcd) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-15 12:32:23 +1300
committer: Anuj Mittal <anuj.mittal@intel.com> 2025-10-30 14:43:35 +0800
commit: cd7e963b09c996828602b3fac4af13b83e6b2849 (patch)
tree: 3d368c38f82498f66e283c3afe4a99b1b0b01797
parent: e34da7d9dca10fd2b42aa0987ac0413e8f87e385 (diff)
download: meta-openembedded-cd7e963b09c996828602b3fac4af13b83e6b2849.tar.gz
2 files changed, 85 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch
new file mode 100644
index 0000000000..b3074e2823
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch
@@ -0,0 +1,82 @@
+From f338465efb49166c543dcc2fc52810370ea90475 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+CVE: CVE-2025-26623
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3174/commits/638ff11ce7480000974b5c619eafcb8618e3b586]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp |  6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 95ce450c7..3e6e93d5c 100644
+--- a/src/tiffcomposite_int.cpp
+++ b/src/tiffcomposite_int.cpp
+@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+     storage_(rhs.storage_) {
+ }
+ 
+TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
+}
+
+TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
+}
+
+TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
+    TiffEntryBase(rhs),
+    cfgSelFct_(rhs.cfgSelFct_),
+    arraySet_(rhs.arraySet_),
+    arrayCfg_(rhs.arrayCfg_),
+    arrayDef_(rhs.arrayDef_),
+    defSize_(rhs.defSize_),
+    setSize_(rhs.setSize_),
+    origData_(rhs.origData_),
+    origSize_(rhs.origSize_),
+    pRoot_(rhs.pRoot_) {
+}
+
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+   return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 4506a4dca..307e0bd9e 100644
+--- a/src/tiffcomposite_int.hpp
+++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffDirectory(const TiffDirectory&) = default;
+  TiffDirectory(const TiffDirectory& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffSubIfd(const TiffSubIfd&) = default;
+  TiffSubIfd(const TiffSubIfd& rhs);
+   TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+   //@}
+ 
+@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffBinaryArray(const TiffBinaryArray&) = default;
+  TiffBinaryArray(const TiffBinaryArray& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
index 3e33ab7953..81e9954c1d 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
@@ -4,7 +4,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
 DEPENDS = "zlib expat brotli libinih"
-SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x"
+SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
+           file://0001-Revert-fix-copy-constructors.patch \
+           "
 SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
 S = "${WORKDIR}/git"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-15 12:32:23 +1300
committer	Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +0800
commit	cd7e963b09c996828602b3fac4af13b83e6b2849 (patch)
tree	3d368c38f82498f66e283c3afe4a99b1b0b01797
parent	e34da7d9dca10fd2b42aa0987ac0413e8f87e385 (diff)
download	meta-openembedded-cd7e963b09c996828602b3fac4af13b83e6b2849.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch new file mode 100644 index 0000000000..b3074e2823 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch
@@ -0,0 +1,82 @@
		1	From f338465efb49166c543dcc2fc52810370ea90475 Mon Sep 17 00:00:00 2001
		2	From: Rosen Penev <rosenp@gmail.com>
		3	Date: Mon, 17 Feb 2025 16:34:40 -0800
		4	Subject: [PATCH] Revert "fix copy constructors"
		5
		6	This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
		7
		8	This commit is wrong and ends up resulting in use after frees because of
		9	C pointers. The proper solution is shared_ptr instead of C pointers but
		10	that's a lot more involved than reverting this.
		11
		12	Signed-off-by: Rosen Penev <rosenp@gmail.com>
		13
		14	CVE: CVE-2025-26623
		15	Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3174/commits/638ff11ce7480000974b5c619eafcb8618e3b586]
		16	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		17	---
		18	src/tiffcomposite_int.cpp \| 19 +++++++++++++++++++
		19	src/tiffcomposite_int.hpp \| 6 +++---
		20	2 files changed, 22 insertions(+), 3 deletions(-)
		21
		22	diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
		23	index 95ce450c7..3e6e93d5c 100644
		24	--- a/src/tiffcomposite_int.cpp
		25	+++ b/src/tiffcomposite_int.cpp
		26	@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
		27	storage_(rhs.storage_) {
		28	}
		29
		30	+TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
		31	+}
		32	+
		33	+TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
		34	+}
		35	+
		36	+TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
		37	+ TiffEntryBase(rhs),
		38	+ cfgSelFct_(rhs.cfgSelFct_),
		39	+ arraySet_(rhs.arraySet_),
		40	+ arrayCfg_(rhs.arrayCfg_),
		41	+ arrayDef_(rhs.arrayDef_),
		42	+ defSize_(rhs.defSize_),
		43	+ setSize_(rhs.setSize_),
		44	+ origData_(rhs.origData_),
		45	+ origSize_(rhs.origSize_),
		46	+ pRoot_(rhs.pRoot_) {
		47	+}
		48	+
		49	TiffComponent::UniquePtr TiffComponent::clone() const {
		50	return UniquePtr(doClone());
		51	}
		52	diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
		53	index 4506a4dca..307e0bd9e 100644
		54	--- a/src/tiffcomposite_int.hpp
		55	+++ b/src/tiffcomposite_int.hpp
		56	@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
		57	//! @name Protected Creators
		58	//@{
		59	//! Copy constructor (used to implement clone()).
		60	- TiffDirectory(const TiffDirectory&) = default;
		61	+ TiffDirectory(const TiffDirectory& rhs);
		62	//@}
		63
		64	//! @name Protected Manipulators
		65	@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
		66	//! @name Protected Creators
		67	//@{
		68	//! Copy constructor (used to implement clone()).
		69	- TiffSubIfd(const TiffSubIfd&) = default;
		70	+ TiffSubIfd(const TiffSubIfd& rhs);
		71	TiffSubIfd& operator=(const TiffSubIfd&) = delete;
		72	//@}
		73
		74	@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase {
		75	//! @name Protected Creators
		76	//@{
		77	//! Copy constructor (used to implement clone()).
		78	- TiffBinaryArray(const TiffBinaryArray&) = default;
		79	+ TiffBinaryArray(const TiffBinaryArray& rhs);
		80	//@}
		81
		82	//! @name Protected Manipulators


diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index 3e33ab7953..81e9954c1d 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
@@ -4,7 +4,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
4		4
5	DEPENDS = "zlib expat brotli libinih"	5	DEPENDS = "zlib expat brotli libinih"
6		6
7	SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x"	7	SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
		8	file://0001-Revert-fix-copy-constructors.patch \
		9	"
8	SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"	10	SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
9	S = "${WORKDIR}/git"	11	S = "${WORKDIR}/git"
10		12