diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch new file mode 100644 index 0000000000..9f233f2ec9 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch @@ -0,0 +1,34 @@ +From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Sat, 11 Apr 2026 10:47:52 +0200 +Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?= + =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check. + +CVE-2026-40338 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40338 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index fc51d77..f90d2a5 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp + break; + case PTP_DPFF_Enumeration: { + #define N dpd->FORM.Enum.NumberOfValues ++ if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory; + N = dtoh16o(data, *poffset); + dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); + if (!dpd->FORM.Enum.SupportedValue) diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index bb5470fa7a..df23932535 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb @@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40334.patch \ file://CVE-2026-40335.patch \ file://CVE-2026-40336.patch \ + file://CVE-2026-40338.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"