1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

libexif: fix for CVE-2026-40385, CVE-2026-40386

Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]

[1] https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58
[2] https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-40385
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-40386

(From OE-Core rev: 9175f776404a1f4536e0320495c446e80a281172)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hitendra Prajapati
2026-05-14 11:38:26 +05:30
committed by Paul Barker
parent 175a1d0fe3
commit b233e7b40f
3 changed files with 83 additions and 0 deletions
@@ -0,0 +1,35 @@
From 93003b93e50b3d259bd2227d8775b73a53c35d58 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Fri, 3 Apr 2026 11:18:47 +0200
Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
The addition o2 = datao + exif_get_long(buf + o2, n->order)
could have overflowed on systems with 32bit unsigned int size_t.
This could have caused out of bound reads of data, leading to
misparsing of exif / crashes.
Reported-By: Kerwin <kerwinxia66001@gmail.com>
CVE: CVE-2026-40385
Upstream-Status: Backport from [https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
libexif/olympus/exif-mnote-data-olympus.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index 3dbe1d3..a5ed7ad 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -382,6 +382,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
o2 += 2;
/* Go to where the number of entries is. */
+ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
o2 = datao + exif_get_long (buf + o2, n->order);
break;
--
2.50.1
@@ -0,0 +1,46 @@
From dc6eac6e9655d14d0779d99e82d0f5f442d2f34b Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Thu, 2 Apr 2026 13:26:31 +0200
Subject: [PATCH] fixed 2 unsigned integer underflows
this could cause crashes or data leaks.
Reported-by: Kerwin <kerwinxia66001@gmail.com>
CVE: CVE-2026-40386
Upstream-Status: Backport from [https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
libexif/fuji/exif-mnote-data-fuji.c | 2 +-
libexif/olympus/exif-mnote-data-olympus.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
index e3af4e1..3f295d3 100644
--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -68,7 +68,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns
ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
if (!d || !val) return NULL;
- if (i > n->count -1) return NULL;
+ if (i >= n->count) return NULL;
/*
exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
"Querying value for tag '%s'...",
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index a5ed7ad..bdeb5a9 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -76,7 +76,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val,
ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
if (!d || !val) return NULL;
- if (i > n->count -1) return NULL;
+ if (i >= n->count) return NULL;
/*
exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
"Querying value for tag '%s'...",
--
2.50.1
@@ -11,6 +11,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libexif-${PV}.tar.bz2 \
file://0001-Add-serial-tests-config-needed-by-ptest.patch \
file://run-ptest \
file://CVE-2026-32775.patch \
file://CVE-2026-40385.patch \
file://CVE-2026-40386.patch \
"
SRC_URI[sha256sum] = "d47564c433b733d83b6704c70477e0a4067811d184ec565258ac563d8223f6ae"