Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]
[1] https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58 [2] https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b [3] https://nvd.nist.gov/vuln/detail/CVE-2026-40385 [4] https://nvd.nist.gov/vuln/detail/CVE-2026-40386 Signed-off-by: Hitendra Prajapati <[email protected]> --- .../libexif/libexif/CVE-2026-40385.patch | 35 ++++++++++++++ .../libexif/libexif/CVE-2026-40386.patch | 46 +++++++++++++++++++ .../recipes-support/libexif/libexif_0.6.24.bb | 2 + 3 files changed, 83 insertions(+) create mode 100644 meta/recipes-support/libexif/libexif/CVE-2026-40385.patch create mode 100644 meta/recipes-support/libexif/libexif/CVE-2026-40386.patch diff --git a/meta/recipes-support/libexif/libexif/CVE-2026-40385.patch b/meta/recipes-support/libexif/libexif/CVE-2026-40385.patch new file mode 100644 index 0000000000..75f7fea6e4 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2026-40385.patch @@ -0,0 +1,35 @@ +From 93003b93e50b3d259bd2227d8775b73a53c35d58 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner <[email protected]> +Date: Fri, 3 Apr 2026 11:18:47 +0200 +Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes + +The addition o2 = datao + exif_get_long(buf + o2, n->order) +could have overflowed on systems with 32bit unsigned int size_t. + +This could have caused out of bound reads of data, leading to +misparsing of exif / crashes. + +Reported-By: Kerwin <[email protected]> + +CVE: CVE-2026-40385 +Upstream-Status: Backport from [https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58] +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + libexif/olympus/exif-mnote-data-olympus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c +index 3dbe1d3..a5ed7ad 100644 +--- a/libexif/olympus/exif-mnote-data-olympus.c ++++ b/libexif/olympus/exif-mnote-data-olympus.c +@@ -382,6 +382,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + o2 += 2; + + /* Go to where the number of entries is. */ ++ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return; + o2 = datao + exif_get_long (buf + o2, n->order); + break; + +-- +2.50.1 + diff --git a/meta/recipes-support/libexif/libexif/CVE-2026-40386.patch b/meta/recipes-support/libexif/libexif/CVE-2026-40386.patch new file mode 100644 index 0000000000..3792aa02a6 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2026-40386.patch @@ -0,0 +1,46 @@ +From dc6eac6e9655d14d0779d99e82d0f5f442d2f34b Mon Sep 17 00:00:00 2001 +From: Marcus Meissner <[email protected]> +Date: Thu, 2 Apr 2026 13:26:31 +0200 +Subject: [PATCH] fixed 2 unsigned integer underflows + +this could cause crashes or data leaks. + +Reported-by: Kerwin <[email protected]> + +CVE: CVE-2026-40386 +Upstream-Status: Backport from [https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b] +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + libexif/fuji/exif-mnote-data-fuji.c | 2 +- + libexif/olympus/exif-mnote-data-olympus.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c +index e3af4e1..3f295d3 100644 +--- a/libexif/fuji/exif-mnote-data-fuji.c ++++ b/libexif/fuji/exif-mnote-data-fuji.c +@@ -68,7 +68,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns + ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d; + + if (!d || !val) return NULL; +- if (i > n->count -1) return NULL; ++ if (i >= n->count) return NULL; + /* + exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji", + "Querying value for tag '%s'...", +diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c +index a5ed7ad..bdeb5a9 100644 +--- a/libexif/olympus/exif-mnote-data-olympus.c ++++ b/libexif/olympus/exif-mnote-data-olympus.c +@@ -76,7 +76,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val, + ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d; + + if (!d || !val) return NULL; +- if (i > n->count -1) return NULL; ++ if (i >= n->count) return NULL; + /* + exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus", + "Querying value for tag '%s'...", +-- +2.50.1 + diff --git a/meta/recipes-support/libexif/libexif_0.6.24.bb b/meta/recipes-support/libexif/libexif_0.6.24.bb index b3ee15a37f..8418b72c52 100644 --- a/meta/recipes-support/libexif/libexif_0.6.24.bb +++ b/meta/recipes-support/libexif/libexif_0.6.24.bb @@ -11,6 +11,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libexif-${PV}.tar.bz2 \ file://0001-Add-serial-tests-config-needed-by-ptest.patch \ file://run-ptest \ file://CVE-2026-32775.patch \ + file://CVE-2026-40385.patch \ + file://CVE-2026-40386.patch \ " SRC_URI[sha256sum] = "d47564c433b733d83b6704c70477e0a4067811d184ec565258ac563d8223f6ae" -- 2.50.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237017): https://lists.openembedded.org/g/openembedded-core/message/237017 Mute This Topic: https://lists.openembedded.org/mt/119309566/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
