mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

libgphoto2: patch CVE-2026-40340

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40340

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-04-20 08:27:47 +02:00
committed by Khem Raj
parent 2e3be1dddc
commit 420e5aec46
2 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch
+40
View File
@@ -0,0 +1,40 @@
From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Wed, 8 Apr 2026 16:01:48 +0200
Subject: [PATCH] Fixed ObjectInfo Parser OOB Read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses:
Offsets 4851: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB)
Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB)
Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB)
The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary.
CVE-2026-40340
Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
CVE: CVE-2026-40340
Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
camlibs/ptp2/ptp-pack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 28648a5..9eba06f 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi,
{
char *capture_date;
- if (!data || len < PTP_oi_SequenceNumber)
+ if (!data || len < PTP_oi_filenamelen + 5)
return;
oi->Filename = oi->Keywords = NULL;
meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+1
View File
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
file://CVE-2026-40336.patch \
file://CVE-2026-40338.patch \
file://CVE-2026-40339.patch \
file://CVE-2026-40340.patch \
"
SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"