From 420e5aec46b8e9344c4d9e692f2e05236b9c89e5 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Mon, 20 Apr 2026 08:27:47 +0200 Subject: [PATCH] libgphoto2: patch CVE-2026-40340 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40340 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- .../gphoto2/libgphoto2/CVE-2026-40340.patch | 40 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch new file mode 100644 index 0000000000..a0852692b0 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch @@ -0,0 +1,40 @@ +From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 16:01:48 +0200 +Subject: [PATCH] Fixed ObjectInfo Parser OOB Read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses: + + Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB) + Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB) + Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB) + +The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary. + + CVE-2026-40340 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40340 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 28648a5..9eba06f 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi, + { + char *capture_date; + +- if (!data || len < PTP_oi_SequenceNumber) ++ if (!data || len < PTP_oi_filenamelen + 5) + return; + + oi->Filename = oi->Keywords = NULL; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index be761bc940..c82e76a06e 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb @@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40336.patch \ file://CVE-2026-40338.patch \ file://CVE-2026-40339.patch \ + file://CVE-2026-40340.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"