exiv2: patch CVE-2021-32617

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32617 Pick the patch from the PR that's mentioned by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-22 20:31:25 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-30 15:13:57 +0100
commit: 19fb28a912850f517f83b72690abfcbb19ff49c7 (patch)
tree: 294a7f1ee8e4dd191b49866c52754187b7dc9cb2 /meta-oe
parent: 3a8bb6596078552cf0c26dab0c4d23160a4eb519 (diff)
download: meta-openembedded-19fb28a912850f517f83b72690abfcbb19ff49c7.tar.gz
2 files changed, 130 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-32617.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-32617.patch
new file mode 100644
index 0000000000..b34554e86b
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-32617.patch
@@ -0,0 +1,129 @@
+From 8353d035bc2e0a0500251168a350d0252900386b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sun, 16 May 2021 15:05:08 +0100
+Subject: [PATCH] Fix quadratic complexity performance bug.
+CVE: CVE-2021-32617
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/c261fbaa2567687eec6a595d3016212fd6ae648d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ xmpsdk/src/XMPMeta-Parse.cpp | 57 +++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+diff --git a/xmpsdk/src/XMPMeta-Parse.cpp b/xmpsdk/src/XMPMeta-Parse.cpp
+index 9f66fe8..6959693 100644
+--- a/xmpsdk/src/XMPMeta-Parse.cpp
+++ b/xmpsdk/src/XMPMeta-Parse.cpp
+@@ -976,12 +976,26 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+ {
+        const XMP_Uns8 * bufEnd = buffer + length;
+        
+-       const XMP_Uns8 * spanStart = buffer;
+        const XMP_Uns8 * spanEnd;
+
+       // `buffer` is copied into this std::string. If `buffer` only
+       // contains valid UTF-8 and no escape characters, then the copy
+       // will be identical to the original, but invalid characters are
+       // replaced - usually with a space character.  This std::string was
+       // added as a performance fix for:
+       // https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
+       // Previously, the code was repeatedly calling
+       // `xmlParser->ParseBuffer()`, which turned out to have quadratic
+       // complexity, because expat kept reparsing the entire string from
+       // the beginning.
+       std::string copy;
+                
+-       for ( spanEnd = spanStart; spanEnd < bufEnd; ++spanEnd ) {
+       for ( spanEnd = buffer; spanEnd < bufEnd; ++spanEnd ) {
+ 
+-               if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) continue;  // A regular ASCII character.
+               if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) {
+                       copy.push_back(*spanEnd);
+                       continue;       // A regular ASCII character.
+               }
+ 
+                if ( *spanEnd >= 0x80 ) {
+                
+@@ -992,21 +1006,20 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+                        if ( uniLen > 0 ) {
+ 
+                                // A valid UTF-8 character, keep it as-is.
+                               copy.append((const char*)spanEnd, uniLen);
+                                spanEnd += uniLen - 1;  // ! The loop increment will put back the +1.
+ 
+                        } else if ( (uniLen < 0) && (! last) ) {
+ 
+                                // Have a partial UTF-8 character at the end of the buffer and more input coming.
+-                               xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+                               xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
+                                return (spanEnd - buffer);
+ 
+                        } else {
+ 
+                                // Not a valid UTF-8 sequence. Replace the first byte with the Latin-1 equivalent.
+-                               xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+                                const char * replacement = kReplaceLatin1 [ *spanEnd - 0x80 ];
+-                               xmlParser->ParseBuffer ( replacement, strlen ( replacement ), false );
+-                               spanStart = spanEnd + 1;        // ! The loop increment will do "spanEnd = spanStart".
+                               copy.append ( replacement );
+ 
+                        }
+                
+@@ -1014,11 +1027,12 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+ 
+                        // Replace ASCII controls other than tab, LF, and CR with a space.
+ 
+-                       if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) continue;
+                       if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) {
+                               copy.push_back(*spanEnd);
+                               continue;
+                       }
+ 
+-                       xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+-                       xmlParser->ParseBuffer ( " ", 1, false );
+-                       spanStart = spanEnd + 1;        // ! The loop increment will do "spanEnd = spanStart".
+                       copy.push_back(' ');
+                
+                } else {
+                
+@@ -1030,18 +1044,21 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+                        if ( escLen < 0 ) {
+ 
+                                // Have a partial numeric escape in this buffer, wait for more input.
+-                               if ( last ) continue;   // No more buffers, not an escape, absorb as normal input.
+-                               xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+                               if ( last ) {
+                                       copy.push_back('&');
+                                       continue;       // No more buffers, not an escape, absorb as normal input.
+                               }
+                               xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
+                                return (spanEnd - buffer);
+ 
+                        } else if ( escLen > 0 ) {
+ 
+                                // Have a complete numeric escape to replace.
+-                               xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+-                               xmlParser->ParseBuffer ( " ", 1, false );
+-                               spanStart = spanEnd + escLen;
+-                               spanEnd = spanStart - 1;        // ! The loop continuation will increment spanEnd!
+                               copy.push_back(' ');
+                               spanEnd = spanEnd + escLen - 1; // ! The loop continuation will increment spanEnd!
+ 
+                       } else {
+                               copy.push_back('&');
+                        }
+ 
+                }
+@@ -1049,10 +1066,8 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
+        }
+        
+        XMP_Assert ( spanEnd == bufEnd );
+-
+-       if ( spanStart < bufEnd ) xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+-       if ( last ) xmlParser->ParseBuffer ( " ", 1, true );
+-       
+       copy.push_back(' ');
+       xmlParser->ParseBuffer ( copy.c_str(), copy.size(), true );
+        return length;
+ 
+ }      // ProcessUTF8Portion
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index c8c5edbed4..389d8da921 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source
           file://CVE-2021-29473.patch \
           file://CVE-2021-3482.patch \
           file://CVE-2021-29623.patch \
+           file://CVE-2021-32617.patch \
           "
 SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-22 20:31:25 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-30 15:13:57 +0100
commit	19fb28a912850f517f83b72690abfcbb19ff49c7 (patch)
tree	294a7f1ee8e4dd191b49866c52754187b7dc9cb2 /meta-oe
parent	3a8bb6596078552cf0c26dab0c4d23160a4eb519 (diff)
download	meta-openembedded-19fb28a912850f517f83b72690abfcbb19ff49c7.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-32617.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-32617.patch new file mode 100644 index 0000000000..b34554e86b --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-32617.patch
@@ -0,0 +1,129 @@
		1	From 8353d035bc2e0a0500251168a350d0252900386b Mon Sep 17 00:00:00 2001
		2	From: Kevin Backhouse <kevinbackhouse@github.com>
		3	Date: Sun, 16 May 2021 15:05:08 +0100
		4	Subject: [PATCH] Fix quadratic complexity performance bug.
		5
		6	CVE: CVE-2021-32617
		7	Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/c261fbaa2567687eec6a595d3016212fd6ae648d]
		8	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		9	---
		10	xmpsdk/src/XMPMeta-Parse.cpp \| 57 +++++++++++++++++++++++-------------
		11	1 file changed, 36 insertions(+), 21 deletions(-)
		12
		13	diff --git a/xmpsdk/src/XMPMeta-Parse.cpp b/xmpsdk/src/XMPMeta-Parse.cpp
		14	index 9f66fe8..6959693 100644
		15	--- a/xmpsdk/src/XMPMeta-Parse.cpp
		16	+++ b/xmpsdk/src/XMPMeta-Parse.cpp
		17	@@ -976,12 +976,26 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
		18	{
		19	const XMP_Uns8 * bufEnd = buffer + length;
		20
		21	- const XMP_Uns8 * spanStart = buffer;
		22	const XMP_Uns8 * spanEnd;
		23	+
		24	+ // `buffer` is copied into this std::string. If `buffer` only
		25	+ // contains valid UTF-8 and no escape characters, then the copy
		26	+ // will be identical to the original, but invalid characters are
		27	+ // replaced - usually with a space character. This std::string was
		28	+ // added as a performance fix for:
		29	+ // https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
		30	+ // Previously, the code was repeatedly calling
		31	+ // `xmlParser->ParseBuffer()`, which turned out to have quadratic
		32	+ // complexity, because expat kept reparsing the entire string from
		33	+ // the beginning.
		34	+ std::string copy;
		35
		36	- for ( spanEnd = spanStart; spanEnd < bufEnd; ++spanEnd ) {
		37	+ for ( spanEnd = buffer; spanEnd < bufEnd; ++spanEnd ) {
		38
		39	- if ( (0x20 <= spanEnd) && (spanEnd <= 0x7E) && (*spanEnd != '&') ) continue; // A regular ASCII character.
		40	+ if ( (0x20 <= spanEnd) && (spanEnd <= 0x7E) && (*spanEnd != '&') ) {
		41	+ copy.push_back(*spanEnd);
		42	+ continue; // A regular ASCII character.
		43	+ }
		44
		45	if ( *spanEnd >= 0x80 ) {
		46
		47	@@ -992,21 +1006,20 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
		48	if ( uniLen > 0 ) {
		49
		50	// A valid UTF-8 character, keep it as-is.
		51	+ copy.append((const char*)spanEnd, uniLen);
		52	spanEnd += uniLen - 1; // ! The loop increment will put back the +1.
		53
		54	} else if ( (uniLen < 0) && (! last) ) {
		55
		56	// Have a partial UTF-8 character at the end of the buffer and more input coming.
		57	- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
		58	+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
		59	return (spanEnd - buffer);
		60
		61	} else {
		62
		63	// Not a valid UTF-8 sequence. Replace the first byte with the Latin-1 equivalent.
		64	- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
		65	const char * replacement = kReplaceLatin1 [ *spanEnd - 0x80 ];
		66	- xmlParser->ParseBuffer ( replacement, strlen ( replacement ), false );
		67	- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
		68	+ copy.append ( replacement );
		69
		70	}
		71
		72	@@ -1014,11 +1027,12 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
		73
		74	// Replace ASCII controls other than tab, LF, and CR with a space.
		75
		76	- if ( (spanEnd == kTab) \|\| (spanEnd == kLF) \|\| (*spanEnd == kCR) ) continue;
		77	+ if ( (spanEnd == kTab) \|\| (spanEnd == kLF) \|\| (*spanEnd == kCR) ) {
		78	+ copy.push_back(*spanEnd);
		79	+ continue;
		80	+ }
		81
		82	- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
		83	- xmlParser->ParseBuffer ( " ", 1, false );
		84	- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
		85	+ copy.push_back(' ');
		86
		87	} else {
		88
		89	@@ -1030,18 +1044,21 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
		90	if ( escLen < 0 ) {
		91
		92	// Have a partial numeric escape in this buffer, wait for more input.
		93	- if ( last ) continue; // No more buffers, not an escape, absorb as normal input.
		94	- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
		95	+ if ( last ) {
		96	+ copy.push_back('&');
		97	+ continue; // No more buffers, not an escape, absorb as normal input.
		98	+ }
		99	+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
		100	return (spanEnd - buffer);
		101
		102	} else if ( escLen > 0 ) {
		103
		104	// Have a complete numeric escape to replace.
		105	- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
		106	- xmlParser->ParseBuffer ( " ", 1, false );
		107	- spanStart = spanEnd + escLen;
		108	- spanEnd = spanStart - 1; // ! The loop continuation will increment spanEnd!
		109	+ copy.push_back(' ');
		110	+ spanEnd = spanEnd + escLen - 1; // ! The loop continuation will increment spanEnd!
		111
		112	+ } else {
		113	+ copy.push_back('&');
		114	}
		115
		116	}
		117	@@ -1049,10 +1066,8 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
		118	}
		119
		120	XMP_Assert ( spanEnd == bufEnd );
		121	-
		122	- if ( spanStart < bufEnd ) xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
		123	- if ( last ) xmlParser->ParseBuffer ( " ", 1, true );
		124	-
		125	+ copy.push_back(' ');
		126	+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), true );
		127	return length;
		128
		129	} // ProcessUTF8Portion


diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index c8c5edbed4..389d8da921 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source
14	file://CVE-2021-29473.patch \	14	file://CVE-2021-29473.patch \
15	file://CVE-2021-3482.patch \	15	file://CVE-2021-3482.patch \
16	file://CVE-2021-29623.patch \	16	file://CVE-2021-29623.patch \
		17	file://CVE-2021-32617.patch \
17	"	18	"
18	SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"	19	SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
19		20