Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884

Backport the commits referenced by the NVD advisory.

One of the patches contains binary data (a test file),
so it needs to be applied with the git PATCHTOOL.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../exiv2/exiv2/CVE-2026-25884-1.patch        | 69 +++++++++++++++++++
 .../exiv2/exiv2/CVE-2026-25884-2.patch        | 25 +++++++
 meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb |  4 ++
 3 files changed, 98 insertions(+)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch 
b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
new file mode 100644
index 0000000000..aab8094b0c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
@@ -0,0 +1,69 @@
+From 847f79c7054865ad25c83b4131dc01c4d674f67b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <[email protected]>
+Date: Sat, 7 Feb 2026 22:50:46 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport 
[https://github.com/Exiv2/exiv2/commit/191138fef73f331de1311e735d8e6359a36fa786]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ test/data/issue_ghsa_9mxq_4j5g_5wrp.crw       | Bin 0 -> 74 bytes
+ .../github/test_issue_ghsa_9mxq_4j5g_5wrp.py  |  24 ++++++++++++++++++
+ .../test_regression_allfiles.py               |   1 +
+ 3 files changed, 25 insertions(+)
+ create mode 100644 test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+
+diff --git a/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw 
b/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+new file mode 100644
+index 
0000000000000000000000000000000000000000..816af2663b3ec93d0d4de4755a02b5d0f5d09640
+GIT binary patch
+literal 74
+zcmebDRA69W@NjhuaCUYH`mcZv7#X+>WPvJpfmnfwK>?&13|Kip6i5oF1;hjZi0B7h
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py 
b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+new file mode 100644
+index 000000000..199328f25
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+@@ -0,0 +1,24 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, CopyTmpFiles, path
++
++
++class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
++    """
++    Regression test for the bug described in:
++    https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
++    """
++
++    url = 
"https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp";
++
++    filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
++    commands = ["$exiv2 $filename"]
++    stdout = ["""File name       : $filename
++File size       : 74 Bytes
++MIME type       : image/x-canon-crw
++Image size      : 0 x 0
++"""
++]
++    stderr   = ["""$filename: No Exif data found in the file
++"""]
++    retval = [253]
+diff --git a/tests/regression_tests/test_regression_allfiles.py 
b/tests/regression_tests/test_regression_allfiles.py
+index eb7f7cef2..09a218e18 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
++++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -120,6 +120,7 @@ def get_valid_files(data_dir):
+         "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
+         "issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
+         "issue_ghsa_g9xm_7538_mq8w_poc.mov",
++        "issue_ghsa_9mxq_4j5g_5wrp.crw",
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch 
b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
new file mode 100644
index 0000000000..58c8513e02
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
@@ -0,0 +1,25 @@
+From 99bf2cea56832cc6f72a5006fe6bac6b15a49889 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <[email protected]>
+Date: Sat, 31 Jan 2026 15:31:55 +0000
+Subject: [PATCH] Fix out-of-bounds read.
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport 
[https://github.com/Exiv2/exiv2/commit/5b8f1f4d92b8f27a5a80e0c3d3eb9dce7620d9f1]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ src/crwimage_int.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 68b56971f..8aa151672 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -642,7 +642,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, 
uint16_t crwTagId) {
+ 
+ void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const 
CrwMapping* /*pCrwMapping*/, Image& image,
+                           ByteOrder /*byteOrder*/) {
+-  std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
++  auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), 
ciffComponent.size());
+   image.setComment(s);
+ }  // CrwMap::decode0x0805
+ 
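Review bot: The bounded constructor in `decode0x0805` keeps every byte up to `ciffComponent.size()`, so where the old NUL-terminated read stopped at the first `\0`, a NUL-padded comment field now reaches `image.setComment` with embedded or trailing NUL bytes; this matches the upstream fix byte for byte, so it is presumably intended, but it is a visible behaviour change worth confirming against the CRW test data. The over-read is only closed if `size()` was checked against the underlying buffer when the CIFF component was parsed, and that validation is outside this hunk. A one-line comment on the new line would spare the next reader the archaeology, e.g. `// Bounded by size(): the comment field is not NUL-terminated (CVE-2026-25884)`.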
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb 
b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
index db32398b4f..cea5455354 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb
@@ -8,8 +8,12 @@ SRC_URI = 
"git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \
            file://0001-Revert-fix-copy-constructors.patch \
            file://0001-CVE-2025-54080-fix.patch \
            
file://0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch \
+           file://CVE-2026-25884-1.patch \
+           file://CVE-2026-25884-2.patch \
            "
 SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"
 S = "${WORKDIR}/git"
 
+PATCHTOOL = "git"
+
 inherit cmake gettext
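Review bot: `PATCHTOOL = "git"` switches the patch tool for every entry in SRC_URI, including the three pre-existing patches, and the recipe itself gives no reason for the change; a reader of the .bb file never sees the commit message. Add a comment above it, e.g. `# CVE-2026-25884-1.patch carries a binary test file, which quilt cannot apply`. If the earlier patches have not been re-applied under git since the switch, a do_patch run is worth a check, since the failure modes of git apply and quilt differ.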