exiv2: Fix CVE-2021-29457

References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457 The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22] CVE: CVE-2021-29457 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: wangmy <wangmy@fujitsu.com> 2021-05-18 16:03:28 +0800
committer: Khem Raj <raj.khem@gmail.com> 2021-05-19 09:17:49 -0700
commit: 5be72693096cef671bf54bf1dd6ee8125614d064 (patch)
tree: 31f225cb38b0ff606a5de869c338e79c07c8630d /meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
parent: bdf1be7c5511f3d19e4786b9f2bcad88dfb2a9e4 (diff)
download: meta-openembedded-5be72693096cef671bf54bf1dd6ee8125614d064.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index ed1e8de5c2..a13db42edd 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -9,7 +9,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
 # Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
 inherit dos2unix
-SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"
+SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
+            file://CVE-2021-29457.patch"
 S = "${WORKDIR}/${BPN}-${PV}-Source"
author	wangmy <wangmy@fujitsu.com>	2021-05-18 16:03:28 +0800
committer	Khem Raj <raj.khem@gmail.com>	2021-05-19 09:17:49 -0700
commit	5be72693096cef671bf54bf1dd6ee8125614d064 (patch)
tree	31f225cb38b0ff606a5de869c338e79c07c8630d /meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
parent	bdf1be7c5511f3d19e4786b9f2bcad88dfb2a9e4 (diff)
download	meta-openembedded-5be72693096cef671bf54bf1dd6ee8125614d064.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index ed1e8de5c2..a13db42edd 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -9,7 +9,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
9		9
10	# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either	10	# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
11	inherit dos2unix	11	inherit dos2unix
12	SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"	12	SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
		13	file://CVE-2021-29457.patch"
13		14
14	S = "${WORKDIR}/${BPN}-${PV}-Source"	15	S = "${WORKDIR}/${BPN}-${PV}-Source"
15		16