From 49a682f2eda7d3405347fe9665d435b04fd9cfa3 Mon Sep 17 00:00:00 2001 From: Ankur Tyagi Date: Wed, 13 May 2026 17:04:46 +1200 Subject: [PATCH] lcms: patch CVE-2026-41254 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254 Backport the patches referenced by the NVD advisory. Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal --- .../lcms/lcms/CVE-2026-41254_1.patch | 30 ++++++++++++++++ .../lcms/lcms/CVE-2026-41254_2.patch | 36 +++++++++++++++++++ meta-oe/recipes-support/lcms/lcms_2.16.bb | 5 ++- 3 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch create mode 100644 meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch new file mode 100644 index 0000000000..7bf46706e5 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch @@ -0,0 +1,30 @@ +From 524f3df7511b49543a65a7de2a08640777c1b29c Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 19 Feb 2026 09:07:20 +0100 +Subject: [PATCH] Fix integer overflow in CubeSize() + +Thanks to @zerojackyi for reporting + +(cherry picked from commit da6110b1d14abc394633a388209abd5ebedd7ab0) + +CVE: CVE-2026-41254 +Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0] +Signed-off-by: Ankur Tyagi +--- + src/cmslut.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/cmslut.c b/src/cmslut.c +index 1ea61a8..3488d0c 100644 +--- a/src/cmslut.c ++++ b/src/cmslut.c +@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[], + static + cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b) + { +- cmsUInt32Number rv, dim; ++ cmsUInt32Number dim; ++ cmsUInt64Number rv; + + _cmsAssert(Dims != NULL); + diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch new file mode 100644 index 0000000000..0602258ef5 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch @@ -0,0 +1,36 @@ +From 73ffd45705d368c159bb819ab0b1a033638c3ffe Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 12 Mar 2026 22:57:35 +0100 +Subject: [PATCH] check for overflow + +Thanks to Guanni Qu for detecting & reporting the issue + +(cherry picked from commit e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc) + +CVE: CVE-2026-41254 +Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc] +Signed-off-by: Ankur Tyagi +--- + src/cmslut.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cmslut.c b/src/cmslut.c +index 3488d0c..f2d0ec4 100644 +--- a/src/cmslut.c ++++ b/src/cmslut.c +@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b) + for (rv = 1; b > 0; b--) { + + dim = Dims[b-1]; +- if (dim <= 1) return 0; // Error +- +- rv *= dim; ++ if (dim <= 1) return 0; + + // Check for overflow + if (rv > UINT_MAX / dim) return 0; ++ ++ rv *= dim; + } + + // Again, prevent overflow diff --git a/meta-oe/recipes-support/lcms/lcms_2.16.bb b/meta-oe/recipes-support/lcms/lcms_2.16.bb index 8135f83a05..8a70572907 100644 --- a/meta-oe/recipes-support/lcms/lcms_2.16.bb +++ b/meta-oe/recipes-support/lcms/lcms_2.16.bb @@ -3,7 +3,10 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a" -SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz" +SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \ + file://CVE-2026-41254_1.patch \ + file://CVE-2026-41254_2.patch \ +" SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51" DEPENDS = "tiff"