mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

libgphoto2: patch CVE-2026-40339

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40339

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-04-20 08:27:46 +02:00
committed by Khem Raj
parent f22e17508e
commit 2e3be1dddc
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch
+41
View File
@@ -0,0 +1,41 @@
From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Sat, 11 Apr 2026 10:50:47 +0200
Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?=
=?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset)
without a prior bounds check. The standard ptp_unpack_DPD() at line
686687 correctly validates *offset + sizeof(uint8_t) > dpdlen before
this same read, but the Sony variant omits this check.
CVE-2026-40339
Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
CVE: CVE-2026-40339
Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
camlibs/ptp2/ptp-pack.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index f90d2a5..28648a5 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
code or the Data Type is a string (with two empty strings as
values). In both cases Form Flag should be set to 0x00 and FORM is
not present. */
-
if (*poffset==PTP_dpd_Sony_DefaultValue)
return 1;
+ if (*poffset + sizeof(uint8_t) > dpdlen)
+ return 1;
dpd->FormFlag = dtoh8o(data, *poffset);
ptp_debug (params, "formflag 0x%04x", dpd->FormFlag);
meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+1
View File
@@ -18,6 +18,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
file://CVE-2026-40335.patch \
file://CVE-2026-40336.patch \
file://CVE-2026-40338.patch \
file://CVE-2026-40339.patch \
"
SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"