exiv2: patch CVE-2026-25884

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884 Backport the commits referenced by the NVD advisory. One of the patches contain some binary data (for test data), which needs to be applied with git PATCHTOOL. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-03-11 11:03:50 +01:00
parent 75e3ed1850
commit 7e66b15669
3 changed files with 98 additions and 0 deletions
@@ -0,0 +1,69 @@
+From 847f79c7054865ad25c83b4131dc01c4d674f67b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 7 Feb 2026 22:50:46 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/191138fef73f331de1311e735d8e6359a36fa786]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/data/issue_ghsa_9mxq_4j5g_5wrp.crw       | Bin 0 -> 74 bytes
+ .../github/test_issue_ghsa_9mxq_4j5g_5wrp.py  |  24 ++++++++++++++++++
+ .../test_regression_allfiles.py               |   1 +
+ 3 files changed, 25 insertions(+)
+ create mode 100644 test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+
+diff --git a/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw b/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+new file mode 100644
+index 0000000000000000000000000000000000000000..816af2663b3ec93d0d4de4755a02b5d0f5d09640
+GIT binary patch
+literal 74
+zcmebDRA69W@NjhuaCUYH`mcZv7#X+>WPvJpfmnfwK>?&13|Kip6i5oF1;hjZi0B7h
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+new file mode 100644
+index 000000000..199328f25
+--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+
+
+class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+    """
+
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
+
+    filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
+    commands = ["$exiv2 $filename"]
+    stdout = ["""File name       : $filename
+File size       : 74 Bytes
+MIME type       : image/x-canon-crw
+Image size      : 0 x 0
+"""
+]
+    stderr   = ["""$filename: No Exif data found in the file
+"""]
+    retval = [253]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index eb7f7cef2..09a218e18 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -120,6 +120,7 @@ def get_valid_files(data_dir):
+         "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
+         "issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
+         "issue_ghsa_g9xm_7538_mq8w_poc.mov",
+        "issue_ghsa_9mxq_4j5g_5wrp.crw",
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
@@ -0,0 +1,25 @@
+From 99bf2cea56832cc6f72a5006fe6bac6b15a49889 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 31 Jan 2026 15:31:55 +0000
+Subject: [PATCH] Fix out-of-bounds read.
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/5b8f1f4d92b8f27a5a80e0c3d3eb9dce7620d9f1]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/crwimage_int.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 68b56971f..8aa151672 100644
+--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
+@@ -642,7 +642,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, uint16_t crwTagId) {
+ 
+ void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const CrwMapping* /*pCrwMapping*/, Image& image,
+                           ByteOrder /*byteOrder*/) {
+-  std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
+  auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), ciffComponent.size());
+   image.setComment(s);
+ }  // CrwMap::decode0x0805
+ 
@@ -8,8 +8,12 @@ SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
           file://0001-Revert-fix-copy-constructors.patch \
           file://0001-CVE-2025-54080-fix.patch \
           file://0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch \
+           file://CVE-2026-25884-1.patch \
+           file://CVE-2026-25884-2.patch \
           "
 SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
 S = "${WORKDIR}/git"

+PATCHTOOL = "git"
+
 inherit cmake gettext