exiv2: patch CVE-2026-25884

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884 Backport the commits referenced by the NVD advisory. One of the patches contain some binary data (for test data), which needs to be applied with git PATCHTOOL.. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-03-11 10:42:33 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26 10:29:23 +0530
commit: 18824f8a2db50af7b8e6ba196d86ecdba6b5091f (patch)
tree: fdd21857b82c79993374993105c6f83e113090de /meta-oe
parent: 51be807682045359c256e41b28f5e82f1514044f (diff)
download: meta-openembedded-18824f8a2db50af7b8e6ba196d86ecdba6b5091f.tar.gz
3 files changed, 100 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
new file mode 100644
index 0000000000..a2b41adcef
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
@@ -0,0 +1,69 @@
+From 237f63c2abcd6c346bf5d27044ab76f5388bb4e8 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 7 Feb 2026 22:50:46 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/191138fef73f331de1311e735d8e6359a36fa786]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/data/issue_ghsa_9mxq_4j5g_5wrp.crw       | Bin 0 -> 74 bytes
+ .../github/test_issue_ghsa_9mxq_4j5g_5wrp.py  |  24 ++++++++++++++++++
+ .../test_regression_allfiles.py               |   1 +
+ 3 files changed, 25 insertions(+)
+ create mode 100644 test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+diff --git a/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw b/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+new file mode 100644
+index 0000000000000000000000000000000000000000..816af2663b3ec93d0d4de4755a02b5d0f5d09640
+GIT binary patch
+literal 74
+zcmebDRA69W@NjhuaCUYH`mcZv7#X+>WPvJpfmnfwK>?&13|Kip6i5oF1;hjZi0B7h
+literal 0
+HcmV?d00001
+diff --git a/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+new file mode 100644
+index 000000000..199328f25
+--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+
+
+class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+    """
+
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
+
+    filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
+    commands = ["$exiv2 $filename"]
+    stdout = ["""File name       : $filename
+File size       : 74 Bytes
+MIME type       : image/x-canon-crw
+Image size      : 0 x 0
+"""
+]
+    stderr   = ["""$filename: No Exif data found in the file
+"""]
+    retval = [253]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index d1bec2ed3..87caa9798 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -122,6 +122,7 @@ def get_valid_files(data_dir):
+         "issue_ghsa_g9xm_7538_mq8w_poc.mov",
+         "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
+         "issue_ghsa_496f_x7cq_cq39_poc.jpg",
+        "issue_ghsa_9mxq_4j5g_5wrp.crw",
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
new file mode 100644
index 0000000000..b461e09c71
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
@@ -0,0 +1,25 @@
+From 5c5ab83247997396b8a7de8e4425a1a04db01c14 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 31 Jan 2026 15:31:55 +0000
+Subject: [PATCH] Fix out-of-bounds read.
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/5b8f1f4d92b8f27a5a80e0c3d3eb9dce7620d9f1]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/crwimage_int.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 9e2c1c6a4..1d2378a61 100644
+--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
+@@ -646,7 +646,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, uint16_t crwTagId) {
+ 
+ void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const CrwMapping* /*pCrwMapping*/, Image& image,
+                           ByteOrder /*byteOrder*/) {
+-  std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
+  auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), ciffComponent.size());
+   image.setComment(s);
+ }  // CrwMap::decode0x0805
+ 
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
index e1f57ae8c7..45d88e2a3d 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
@@ -4,7 +4,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
 DEPENDS = "zlib expat brotli libinih"
-SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV}"
+SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV} \
+           file://CVE-2026-25884-1.patch \
+           file://CVE-2026-25884-2.patch \
+           "
 SRCREV = "afcb7a8ba84a7de36d2f1ee7689394e078697956"
+PATCHTOOL = "git"
 inherit cmake gettext
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-03-11 10:42:33 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-26 10:29:23 +0530
commit	18824f8a2db50af7b8e6ba196d86ecdba6b5091f (patch)
tree	fdd21857b82c79993374993105c6f83e113090de /meta-oe
parent	51be807682045359c256e41b28f5e82f1514044f (diff)
download	meta-openembedded-18824f8a2db50af7b8e6ba196d86ecdba6b5091f.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch new file mode 100644 index 0000000000..a2b41adcef --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
@@ -0,0 +1,69 @@
		1	From 237f63c2abcd6c346bf5d27044ab76f5388bb4e8 Mon Sep 17 00:00:00 2001
		2	From: Kevin Backhouse <kevinbackhouse@github.com>
		3	Date: Sat, 7 Feb 2026 22:50:46 +0000
		4	Subject: [PATCH] Regression test for
		5	https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
		6
		7	CVE: CVE-2026-25884
		8	Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/191138fef73f331de1311e735d8e6359a36fa786]
		9	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		10	---
		11	test/data/issue_ghsa_9mxq_4j5g_5wrp.crw \| Bin 0 -> 74 bytes
		12	.../github/test_issue_ghsa_9mxq_4j5g_5wrp.py \| 24 ++++++++++++++++++
		13	.../test_regression_allfiles.py \| 1 +
		14	3 files changed, 25 insertions(+)
		15	create mode 100644 test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
		16	create mode 100644 tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
		17
		18	diff --git a/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw b/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
		19	new file mode 100644
		20	index 0000000000000000000000000000000000000000..816af2663b3ec93d0d4de4755a02b5d0f5d09640
		21	GIT binary patch
		22	literal 74
		23	zcmebDRA69W@NjhuaCUYH`mcZv7#X+>WPvJpfmnfwK>?&13\|Kip6i5oF1;hjZi0B7h
		24
		25	literal 0
		26	HcmV?d00001
		27
		28	diff --git a/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
		29	new file mode 100644
		30	index 000000000..199328f25
		31	--- /dev/null
		32	+++ b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
		33	@@ -0,0 +1,24 @@
		34	+# -- coding: utf-8 --
		35	+
		36	+from system_tests import CaseMeta, CopyTmpFiles, path
		37	+
		38	+
		39	+class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
		40	+ """
		41	+ Regression test for the bug described in:
		42	+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
		43	+ """
		44	+
		45	+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
		46	+
		47	+ filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
		48	+ commands = ["$exiv2 $filename"]
		49	+ stdout = ["""File name : $filename
		50	+File size : 74 Bytes
		51	+MIME type : image/x-canon-crw
		52	+Image size : 0 x 0
		53	+"""
		54	+]
		55	+ stderr = ["""$filename: No Exif data found in the file
		56	+"""]
		57	+ retval = [253]
		58	diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
		59	index d1bec2ed3..87caa9798 100644
		60	--- a/tests/regression_tests/test_regression_allfiles.py
		61	+++ b/tests/regression_tests/test_regression_allfiles.py
		62	@@ -122,6 +122,7 @@ def get_valid_files(data_dir):
		63	"issue_ghsa_g9xm_7538_mq8w_poc.mov",
		64	"issue_ghsa_38h4_fx85_qcx7_poc.tiff",
		65	"issue_ghsa_496f_x7cq_cq39_poc.jpg",
		66	+ "issue_ghsa_9mxq_4j5g_5wrp.crw",
		67	"pocIssue283.jpg",
		68	"poc_1522.jp2",
		69	"xmpsdk.xmp",


diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch new file mode 100644 index 0000000000..b461e09c71 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
@@ -0,0 +1,25 @@
		1	From 5c5ab83247997396b8a7de8e4425a1a04db01c14 Mon Sep 17 00:00:00 2001
		2	From: Kevin Backhouse <kevinbackhouse@github.com>
		3	Date: Sat, 31 Jan 2026 15:31:55 +0000
		4	Subject: [PATCH] Fix out-of-bounds read.
		5
		6	CVE: CVE-2026-25884
		7	Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/5b8f1f4d92b8f27a5a80e0c3d3eb9dce7620d9f1]
		8	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		9	---
		10	src/crwimage_int.cpp \| 2 +-
		11	1 file changed, 1 insertion(+), 1 deletion(-)
		12
		13	diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
		14	index 9e2c1c6a4..1d2378a61 100644
		15	--- a/src/crwimage_int.cpp
		16	+++ b/src/crwimage_int.cpp
		17	@@ -646,7 +646,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, uint16_t crwTagId) {
		18
		19	void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const CrwMapping* /pCrwMapping/, Image& image,
		20	ByteOrder /byteOrder/) {
		21	- std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
		22	+ auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), ciffComponent.size());
		23	image.setComment(s);
		24	} // CrwMap::decode0x0805
		25


diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb index e1f57ae8c7..45d88e2a3d 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
@@ -4,7 +4,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
4		4
5	DEPENDS = "zlib expat brotli libinih"	5	DEPENDS = "zlib expat brotli libinih"
6		6
7	SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV}"	7	SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV} \
		8	file://CVE-2026-25884-1.patch \
		9	file://CVE-2026-25884-2.patch \
		10	"
8	SRCREV = "afcb7a8ba84a7de36d2f1ee7689394e078697956"	11	SRCREV = "afcb7a8ba84a7de36d2f1ee7689394e078697956"
9		12
		13	PATCHTOOL = "git"
		14
10	inherit cmake gettext	15	inherit cmake gettext