summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-05-13 17:04:47 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-05-21 08:57:46 +0530
commit100da99a04bff89f53822c220e223298cb780f66 (patch)
treee1ff040d4609839ca85faa2ee5c72772544bbbf1
parent49a682f2eda7d3405347fe9665d435b04fd9cfa3 (diff)
downloadmeta-openembedded-100da99a04bff89f53822c220e223298cb780f66.tar.gz
lcms: patch CVE-2026-42798
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch38
-rw-r--r--meta-oe/recipes-support/lcms/lcms_2.16.bb1
2 files changed, 39 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch
new file mode 100644
index 0000000000..1fc3b0ca6d
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch
@@ -0,0 +1,38 @@
1From e5638450eafbe2e79b4dbbf9fcbc47998cf35427 Mon Sep 17 00:00:00 2001
2From: Marti Maria <marti.maria@littlecms.com>
3Date: Thu, 19 Feb 2026 08:48:50 +0100
4Subject: [PATCH] Fix for ParseCube integer overflow in LUT allocation
5
6thanks to @zerojackyi for reporting
7
8(cherry picked from commit 6a686019825a89b715d16671f18d049523354176)
9
10CVE: CVE-2026-42798
11Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176]
12Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
13---
14 src/cmscgats.c | 11 ++++++++++-
15 1 file changed, 10 insertions(+), 1 deletion(-)
16
17diff --git a/src/cmscgats.c b/src/cmscgats.c
18index bccbf58..b099331 100644
19--- a/src/cmscgats.c
20+++ b/src/cmscgats.c
21@@ -3128,7 +3128,16 @@ cmsBool ParseCube(cmsIT8* cube, cmsStage** Shaper, cmsStage** CLUT, char title[]
22
23 if (lut_size > 0) {
24
25- int nodes = lut_size * lut_size * lut_size;
26+ int nodes;
27+
28+ /**
29+ * Professional LUT‑generation tools (e.g., Nobe LutBake) list 65×65×65 as their highest supported size.
30+ */
31+ if (lut_size > 65)
32+ return SynError(cube, "LUT size '%d' is over maximum of 65", lut_size);
33+
34+ nodes = lut_size * lut_size * lut_size;
35+
36
37 cmsFloat32Number* lut_table = _cmsMalloc(cube->ContextID, nodes * 3 * sizeof(cmsFloat32Number));
38 if (lut_table == NULL) return FALSE;
diff --git a/meta-oe/recipes-support/lcms/lcms_2.16.bb b/meta-oe/recipes-support/lcms/lcms_2.16.bb
index 8a70572907..7544e83578 100644
--- a/meta-oe/recipes-support/lcms/lcms_2.16.bb
+++ b/meta-oe/recipes-support/lcms/lcms_2.16.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
6SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \ 6SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
7 file://CVE-2026-41254_1.patch \ 7 file://CVE-2026-41254_1.patch \
8 file://CVE-2026-41254_2.patch \ 8 file://CVE-2026-41254_2.patch \
9 file://CVE-2026-42798.patch \
9" 10"
10SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51" 11SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51"
11 12