diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-04-20 08:27:47 +0200 |
|---|---|---|
| committer | Khem Raj <khem.raj@oss.qualcomm.com> | 2026-04-20 07:35:35 -0700 |
| commit | 420e5aec46b8e9344c4d9e692f2e05236b9c89e5 (patch) | |
| tree | 75cf7ef7b957afbb898e8ddc109ad8fd6ea3c12b | |
| parent | 2e3be1dddc215192ff277740271d65cdceaa0b18 (diff) | |
| download | meta-openembedded-420e5aec46b8e9344c4d9e692f2e05236b9c89e5.tar.gz | |
libgphoto2: patch CVE-2026-40340
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40340
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch | 40 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb | 1 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch new file mode 100644 index 0000000000..a0852692b0 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 16:01:48 +0200 | ||
| 4 | Subject: [PATCH] Fixed ObjectInfo Parser OOB Read | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses: | ||
| 10 | |||
| 11 | Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB) | ||
| 12 | Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB) | ||
| 13 | Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB) | ||
| 14 | |||
| 15 | The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary. | ||
| 16 | |||
| 17 | CVE-2026-40340 | ||
| 18 | |||
| 19 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 20 | |||
| 21 | CVE: CVE-2026-40340 | ||
| 22 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33] | ||
| 23 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 24 | --- | ||
| 25 | camlibs/ptp2/ptp-pack.c | 2 +- | ||
| 26 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 27 | |||
| 28 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 29 | index 28648a5..9eba06f 100644 | ||
| 30 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 31 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 32 | @@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi, | ||
| 33 | { | ||
| 34 | char *capture_date; | ||
| 35 | |||
| 36 | - if (!data || len < PTP_oi_SequenceNumber) | ||
| 37 | + if (!data || len < PTP_oi_filenamelen + 5) | ||
| 38 | return; | ||
| 39 | |||
| 40 | oi->Filename = oi->Keywords = NULL; | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index be761bc940..c82e76a06e 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb | |||
| @@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ | |||
| 19 | file://CVE-2026-40336.patch \ | 19 | file://CVE-2026-40336.patch \ |
| 20 | file://CVE-2026-40338.patch \ | 20 | file://CVE-2026-40338.patch \ |
| 21 | file://CVE-2026-40339.patch \ | 21 | file://CVE-2026-40339.patch \ |
| 22 | file://CVE-2026-40340.patch \ | ||
| 22 | " | 23 | " |
| 23 | SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" | 24 | SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" |
| 24 | 25 | ||