diff options
| author | Wang Mingyu <wangmy@fujitsu.com> | 2026-06-02 18:07:24 +0800 |
|---|---|---|
| committer | Khem Raj <khem.raj@oss.qualcomm.com> | 2026-06-07 18:21:37 -0700 |
| commit | cb1beb95fd7aca15fb3e9540818bb24b67c4b905 (patch) | |
| tree | c8dc03615eb80ebd90d1a339ccc85f373e7b6700 /meta-oe | |
| parent | 2f84b8c1f1cc293be1d458d223f8c61212ac0133 (diff) | |
| download | meta-openembedded-cb1beb95fd7aca15fb3e9540818bb24b67c4b905.tar.gz | |
libgphoto2: upgrade 2.5.33 -> 2.5.34
0001-libgphoto2-fix-const-correctness-for-c23-builds.patch
CVE-2026-40333.patch
CVE-2026-40334.patch
CVE-2026-40335.patch
CVE-2026-40336.patch
CVE-2026-40338.patch
CVE-2026-40339.patch
CVE-2026-40340.patch
CVE-2026-40341.patch
removed since they're included in 2.5.34
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch | 84 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch | 150 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch | 37 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch | 43 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch | 44 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch | 34 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch | 41 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch | 40 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch | 69 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb (renamed from meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb) | 11 |
10 files changed, 1 insertions, 552 deletions
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch deleted file mode 100644 index 9ded174095..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch +++ /dev/null | |||
| @@ -1,84 +0,0 @@ | |||
| 1 | From bfa786a260bfd4660e8186ebad8778718e85e8cd Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Khem Raj <khem.raj@oss.qualcomm.com> | ||
| 3 | Date: Sat, 4 Apr 2026 14:56:01 -0700 | ||
| 4 | Subject: [PATCH] libgphoto2: fix const-correctness for c23 builds | ||
| 5 | |||
| 6 | C23 treats the return values of strrchr() and strchr() as const char * | ||
| 7 | when the input string is const-qualified. Update local variables to use | ||
| 8 | const char * where appropriate to avoid discarded-qualifier warnings and | ||
| 9 | build failures with -std=gnu23. | ||
| 10 | |||
| 11 | No functional change intended. | ||
| 12 | |||
| 13 | Upstream-Status: Submitted [https://github.com/gphoto/libgphoto2/pull/1235] | ||
| 14 | Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> | ||
| 15 | --- | ||
| 16 | camlibs/directory/directory.c | 2 +- | ||
| 17 | libgphoto2/gphoto2-file.c | 6 +++--- | ||
| 18 | libgphoto2/gphoto2-filesys.c | 2 +- | ||
| 19 | packaging/generic/print-camera-list.c | 2 +- | ||
| 20 | 4 files changed, 6 insertions(+), 6 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/camlibs/directory/directory.c b/camlibs/directory/directory.c | ||
| 23 | index 790405d54..cc63c6684 100644 | ||
| 24 | --- a/camlibs/directory/directory.c | ||
| 25 | +++ b/camlibs/directory/directory.c | ||
| 26 | @@ -125,7 +125,7 @@ static const char * | ||
| 27 | get_mime_type (const char *filename) | ||
| 28 | { | ||
| 29 | |||
| 30 | - char *dot; | ||
| 31 | + const char *dot; | ||
| 32 | int x=0; | ||
| 33 | |||
| 34 | dot = strrchr(filename, '.'); | ||
| 35 | diff --git a/libgphoto2/gphoto2-file.c b/libgphoto2/gphoto2-file.c | ||
| 36 | index 04d4d5e3e..1a9dbc193 100644 | ||
| 37 | --- a/libgphoto2/gphoto2-file.c | ||
| 38 | +++ b/libgphoto2/gphoto2-file.c | ||
| 39 | @@ -610,7 +610,7 @@ int | ||
| 40 | gp_file_open (CameraFile *file, const char *filename) | ||
| 41 | { | ||
| 42 | FILE *fp; | ||
| 43 | - char *name, *dot; | ||
| 44 | + const char *name, *dot; | ||
| 45 | long size, size_read; | ||
| 46 | int i; | ||
| 47 | struct stat s; | ||
| 48 | @@ -906,8 +906,8 @@ gp_file_get_name (CameraFile *file, const char **name) | ||
| 49 | int | ||
| 50 | gp_file_get_name_by_type (CameraFile *file, const char *basename, CameraFileType type, char **newname) | ||
| 51 | { | ||
| 52 | - char *prefix = NULL, *s, *new, *slash = NULL; | ||
| 53 | - const char *suffix = NULL; | ||
| 54 | + char *prefix = NULL, *new; | ||
| 55 | + const char *suffix = NULL, *s, *slash = NULL; | ||
| 56 | int i; | ||
| 57 | |||
| 58 | C_PARAMS (file && basename && newname); | ||
| 59 | diff --git a/libgphoto2/gphoto2-filesys.c b/libgphoto2/gphoto2-filesys.c | ||
| 60 | index 45f957292..07decff24 100644 | ||
| 61 | --- a/libgphoto2/gphoto2-filesys.c | ||
| 62 | +++ b/libgphoto2/gphoto2-filesys.c | ||
| 63 | @@ -521,7 +521,7 @@ append_to_folder (CameraFilesystemFolder *folder, | ||
| 64 | CameraFilesystemFolder **newfolder | ||
| 65 | ) { | ||
| 66 | CameraFilesystemFolder *f; | ||
| 67 | - char *s; | ||
| 68 | + const char *s; | ||
| 69 | |||
| 70 | GP_LOG_D ("Append to folder %p/%s - %s", folder, folder->name, foldername); | ||
| 71 | /* Handle multiple slashes, and slashes at the end */ | ||
| 72 | diff --git a/packaging/generic/print-camera-list.c b/packaging/generic/print-camera-list.c | ||
| 73 | index 1707b4e87..44530b4ae 100644 | ||
| 74 | --- a/packaging/generic/print-camera-list.c | ||
| 75 | +++ b/packaging/generic/print-camera-list.c | ||
| 76 | @@ -1138,7 +1138,7 @@ escape_html(const char *str) { | ||
| 77 | newstr = malloc(strlen(str)+1+inc); | ||
| 78 | s = str; ns = newstr; | ||
| 79 | do { | ||
| 80 | - char *x; | ||
| 81 | + const char *x; | ||
| 82 | x = strchr(s,'&'); | ||
| 83 | if (x) { | ||
| 84 | memcpy (ns, s, x-s); | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch deleted file mode 100644 index 77c307e88d..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch +++ /dev/null | |||
| @@ -1,150 +0,0 @@ | |||
| 1 | From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 15:18:42 +0200 | ||
| 4 | Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length | ||
| 5 | Parameter | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept | ||
| 11 | const unsigned char** data but no length/size parameter. They perform | ||
| 12 | unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat, | ||
| 13 | up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events() | ||
| 14 | have xsize available but never pass it. | ||
| 15 | |||
| 16 | CVE-2026-40333 | ||
| 17 | |||
| 18 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 19 | |||
| 20 | CVE: CVE-2026-40333 | ||
| 21 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53] | ||
| 22 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 23 | --- | ||
| 24 | camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++------- | ||
| 25 | 1 file changed, 44 insertions(+), 9 deletions(-) | ||
| 26 | |||
| 27 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 28 | index 09421b7..09dcc24 100644 | ||
| 29 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 30 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 31 | @@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned | ||
| 32 | |||
| 33 | |||
| 34 | static inline uint16_t | ||
| 35 | -ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data ) | ||
| 36 | +ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size ) | ||
| 37 | { | ||
| 38 | /* | ||
| 39 | EOS ImageFormat entries look are a sequence of u32 values: | ||
| 40 | @@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data ) | ||
| 41 | |||
| 42 | const uint8_t* d = *data; | ||
| 43 | uint32_t offset = 0; | ||
| 44 | - uint32_t n = dtoh32o (d, offset); | ||
| 45 | + uint32_t n; | ||
| 46 | uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0; | ||
| 47 | |||
| 48 | + if (*size < sizeof(uint32_t)) { | ||
| 49 | + ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size); | ||
| 50 | + return 0; | ||
| 51 | + } | ||
| 52 | + n = dtoh32o (d, offset); | ||
| 53 | + *size -= sizeof(uint32_t); | ||
| 54 | + | ||
| 55 | if (n != 1 && n !=2) { | ||
| 56 | ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n); | ||
| 57 | return 0; | ||
| 58 | } | ||
| 59 | - | ||
| 60 | + if (*size < sizeof(uint32_t)) { | ||
| 61 | + ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size); | ||
| 62 | + return 0; | ||
| 63 | + } | ||
| 64 | l = dtoh32o (d, offset); | ||
| 65 | + *size -= sizeof(uint32_t); | ||
| 66 | + | ||
| 67 | if (l != 0x10) { | ||
| 68 | ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l); | ||
| 69 | return 0; | ||
| 70 | } | ||
| 71 | |||
| 72 | + if (*size < 3*sizeof(uint32_t)) { | ||
| 73 | + ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size); | ||
| 74 | + return 0; | ||
| 75 | + } | ||
| 76 | t1 = dtoh32o (d, offset); | ||
| 77 | s1 = dtoh32o (d, offset); | ||
| 78 | c1 = dtoh32o (d, offset); | ||
| 79 | + *size -= 3*sizeof(uint32_t); | ||
| 80 | |||
| 81 | if (n == 2) { | ||
| 82 | + if (*size < sizeof(uint32_t)) { | ||
| 83 | + ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size); | ||
| 84 | + return 0; | ||
| 85 | + } | ||
| 86 | l = dtoh32o (d, offset); | ||
| 87 | + *size -= sizeof(uint32_t); | ||
| 88 | + | ||
| 89 | if (l != 0x10) { | ||
| 90 | ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l); | ||
| 91 | return 0; | ||
| 92 | } | ||
| 93 | + if (*size < 3*sizeof(uint32_t)) { | ||
| 94 | + ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size); | ||
| 95 | + return 0; | ||
| 96 | + } | ||
| 97 | t2 = dtoh32o (d, offset); | ||
| 98 | s2 = dtoh32o (d, offset); | ||
| 99 | c2 = dtoh32o (d, offset); | ||
| 100 | @@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3 | ||
| 101 | |||
| 102 | |||
| 103 | static inline char* | ||
| 104 | -ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data ) | ||
| 105 | +ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size ) | ||
| 106 | { | ||
| 107 | - uint32_t s = dtoh32a( *data ); | ||
| 108 | - uint32_t n = s/4, i; | ||
| 109 | + uint32_t s, n, i; | ||
| 110 | char *str, *p; | ||
| 111 | |||
| 112 | + if (*size < sizeof(uint32_t)) | ||
| 113 | + return strdup("bad length"); | ||
| 114 | + | ||
| 115 | + s = dtoh32a( *data ); | ||
| 116 | + n = s/4; | ||
| 117 | + | ||
| 118 | + if (*size < 4+s) | ||
| 119 | + return strdup("bad length"); | ||
| 120 | + | ||
| 121 | if (s > 1024) { | ||
| 122 | ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s); | ||
| 123 | return strdup("bad length"); | ||
| 124 | @@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in | ||
| 125 | case PTP_DPC_CANON_EOS_ImageFormatExtHD: | ||
| 126 | /* special handling of ImageFormat properties */ | ||
| 127 | for (j=0;j<dpd_count;j++) { | ||
| 128 | - dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata ); | ||
| 129 | + dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize ); | ||
| 130 | ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16); | ||
| 131 | } | ||
| 132 | break; | ||
| 133 | @@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in | ||
| 134 | case PTP_DPC_CANON_EOS_ImageFormatSD: | ||
| 135 | case PTP_DPC_CANON_EOS_ImageFormatExtHD: | ||
| 136 | dpd->DataType = PTP_DTC_UINT16; | ||
| 137 | - dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata ); | ||
| 138 | + dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize ); | ||
| 139 | dpd->CurrentValue.u16 = dpd->DefaultValue.u16; | ||
| 140 | ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16); | ||
| 141 | break; | ||
| 142 | @@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in | ||
| 143 | dpd->DataType = PTP_DTC_STR; | ||
| 144 | free (dpd->DefaultValue.str); | ||
| 145 | free (dpd->CurrentValue.str); | ||
| 146 | - dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata ); | ||
| 147 | + dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize ); | ||
| 148 | dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str ); | ||
| 149 | ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str); | ||
| 150 | break; | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch deleted file mode 100644 index 883582dff0..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch +++ /dev/null | |||
| @@ -1,37 +0,0 @@ | |||
| 1 | From 20b33a26b2efdbf2c35c5cacc54a041855ec764b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 15:15:54 +0200 | ||
| 4 | Subject: [PATCH] Fixed Canon FolderEntry Missing Null Termination | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | ptp_unpack_Canon_FE() copies filename with strncpy into a 13-byte | ||
| 10 | buffer without explicit null termination. The EOS variant at line | ||
| 11 | 1451–1452 correctly adds fe->Filename[PTP_CANON_FilenameBufferLen-1] | ||
| 12 | = 0; confirming this was recognized as necessary but not applied to the | ||
| 13 | original Canon path. | ||
| 14 | |||
| 15 | CVE-2026-40334 | ||
| 16 | |||
| 17 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 18 | |||
| 19 | CVE: CVE-2026-40334 | ||
| 20 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873] | ||
| 21 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 22 | --- | ||
| 23 | camlibs/ptp2/ptp-pack.c | 1 + | ||
| 24 | 1 file changed, 1 insertion(+) | ||
| 25 | |||
| 26 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 27 | index 09dcc24..982b4f4 100644 | ||
| 28 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 29 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 30 | @@ -1369,6 +1369,7 @@ ptp_unpack_Canon_FE (PTPParams *params, const unsigned char* data, PTPCANONFolde | ||
| 31 | fe->ObjectSize = dtoh32a(data + PTP_cfe_ObjectSize); | ||
| 32 | fe->Time = (time_t)dtoh32a(data + PTP_cfe_Time); | ||
| 33 | strncpy(fe->Filename, (char*)data + PTP_cfe_Filename, PTP_CANON_FilenameBufferLen); | ||
| 34 | + fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0'; | ||
| 35 | } | ||
| 36 | |||
| 37 | /* | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch deleted file mode 100644 index dfe832e6c8..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch +++ /dev/null | |||
| @@ -1,43 +0,0 @@ | |||
| 1 | From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 15:07:38 +0200 | ||
| 4 | Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?= | ||
| 5 | =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?= | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM | ||
| 11 | |||
| 12 | In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic. | ||
| 13 | |||
| 14 | CVE-2026-40335 | ||
| 15 | |||
| 16 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 17 | |||
| 18 | CVE: CVE-2026-40335 | ||
| 19 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a] | ||
| 20 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 21 | --- | ||
| 22 | camlibs/ptp2/ptp-pack.c | 4 ++++ | ||
| 23 | 1 file changed, 4 insertions(+) | ||
| 24 | |||
| 25 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 26 | index 982b4f4..7fc120d 100644 | ||
| 27 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 28 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 29 | @@ -614,10 +614,14 @@ ptp_unpack_DPV ( | ||
| 30 | case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break; | ||
| 31 | |||
| 32 | case PTP_DTC_UINT128: | ||
| 33 | + if (total - *offset < 16) | ||
| 34 | + return 0; | ||
| 35 | *offset += 16; | ||
| 36 | /*fprintf(stderr,"unhandled unpack of uint128n");*/ | ||
| 37 | break; | ||
| 38 | case PTP_DTC_INT128: | ||
| 39 | + if (total - *offset < 16) | ||
| 40 | + return 0; | ||
| 41 | *offset += 16; | ||
| 42 | /*fprintf(stderr,"unhandled unpack of int128n");*/ | ||
| 43 | break; | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch deleted file mode 100644 index 1a809b4f25..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch +++ /dev/null | |||
| @@ -1,44 +0,0 @@ | |||
| 1 | From e19c45d3530f1585805711e14aa4ea788e499f46 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 15:13:51 +0200 | ||
| 4 | Subject: [PATCH] Fixed Sony DPD Secondary Enum List Memory Leak | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | Finding 4: Sony DPD Secondary Enum List Memory Leak (CWE-401) — LOW | ||
| 10 | |||
| 11 | File: ptp-pack.c:884-885 | ||
| 12 | |||
| 13 | When processing a secondary enumeration list (2024+ Sony cameras), line | ||
| 14 | 884–885 overwrites dpd->FORM.Enum.SupportedValue with a new calloc() | ||
| 15 | without freeing the previous allocation from line 857. The original | ||
| 16 | array and any string values it contains are leaked. | ||
| 17 | |||
| 18 | CVE-2026-40336 | ||
| 19 | |||
| 20 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 21 | |||
| 22 | CVE: CVE-2026-40336 | ||
| 23 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/404ff02c75f3cb280196fc260a63c4d26cf1a8f6] | ||
| 24 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 25 | --- | ||
| 26 | camlibs/ptp2/ptp-pack.c | 5 +++++ | ||
| 27 | 1 file changed, 5 insertions(+) | ||
| 28 | |||
| 29 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 30 | index 7fc120d..fc51d77 100644 | ||
| 31 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 32 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 33 | @@ -879,6 +879,11 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp | ||
| 34 | /* check if we have a secondary list of items, this is for newer Sonys (2024) */ | ||
| 35 | if (val < 0x200) { /* if a secondary list is not provided, this will be the next property code - 0x5XXX or 0xDxxx */ | ||
| 36 | if (dpd->FormFlag == PTP_DPFF_Enumeration) { | ||
| 37 | + /* free old enum variables */ | ||
| 38 | + for (i=0;i<dpd->FORM.Enum.NumberOfValues;i++) | ||
| 39 | + ptp_free_propvalue (dpd->DataType, dpd->FORM.Enum.SupportedValue+i); | ||
| 40 | + free (dpd->FORM.Enum.SupportedValue); | ||
| 41 | + | ||
| 42 | N = dtoh16o(data, *poffset); | ||
| 43 | dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); | ||
| 44 | if (!dpd->FORM.Enum.SupportedValue) | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch deleted file mode 100644 index 9f233f2ec9..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch +++ /dev/null | |||
| @@ -1,34 +0,0 @@ | |||
| 1 | From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Sat, 11 Apr 2026 10:47:52 +0200 | ||
| 4 | Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?= | ||
| 5 | =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?= | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check. | ||
| 11 | |||
| 12 | CVE-2026-40338 | ||
| 13 | |||
| 14 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 15 | |||
| 16 | CVE: CVE-2026-40338 | ||
| 17 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845] | ||
| 18 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 19 | --- | ||
| 20 | camlibs/ptp2/ptp-pack.c | 1 + | ||
| 21 | 1 file changed, 1 insertion(+) | ||
| 22 | |||
| 23 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 24 | index fc51d77..f90d2a5 100644 | ||
| 25 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 26 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 27 | @@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp | ||
| 28 | break; | ||
| 29 | case PTP_DPFF_Enumeration: { | ||
| 30 | #define N dpd->FORM.Enum.NumberOfValues | ||
| 31 | + if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory; | ||
| 32 | N = dtoh16o(data, *poffset); | ||
| 33 | dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); | ||
| 34 | if (!dpd->FORM.Enum.SupportedValue) | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch deleted file mode 100644 index b00ac72772..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch +++ /dev/null | |||
| @@ -1,41 +0,0 @@ | |||
| 1 | From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Sat, 11 Apr 2026 10:50:47 +0200 | ||
| 4 | Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?= | ||
| 5 | =?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?= | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset) | ||
| 11 | without a prior bounds check. The standard ptp_unpack_DPD() at line | ||
| 12 | 686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before | ||
| 13 | this same read, but the Sony variant omits this check. | ||
| 14 | |||
| 15 | CVE-2026-40339 | ||
| 16 | |||
| 17 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 18 | |||
| 19 | CVE: CVE-2026-40339 | ||
| 20 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d] | ||
| 21 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 22 | --- | ||
| 23 | camlibs/ptp2/ptp-pack.c | 3 ++- | ||
| 24 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 25 | |||
| 26 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 27 | index f90d2a5..28648a5 100644 | ||
| 28 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 29 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 30 | @@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp | ||
| 31 | code or the Data Type is a string (with two empty strings as | ||
| 32 | values). In both cases Form Flag should be set to 0x00 and FORM is | ||
| 33 | not present. */ | ||
| 34 | - | ||
| 35 | if (*poffset==PTP_dpd_Sony_DefaultValue) | ||
| 36 | return 1; | ||
| 37 | + if (*poffset + sizeof(uint8_t) > dpdlen) | ||
| 38 | + return 1; | ||
| 39 | |||
| 40 | dpd->FormFlag = dtoh8o(data, *poffset); | ||
| 41 | ptp_debug (params, "formflag 0x%04x", dpd->FormFlag); | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch deleted file mode 100644 index a0852692b0..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch +++ /dev/null | |||
| @@ -1,40 +0,0 @@ | |||
| 1 | From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 16:01:48 +0200 | ||
| 4 | Subject: [PATCH] Fixed ObjectInfo Parser OOB Read | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses: | ||
| 10 | |||
| 11 | Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB) | ||
| 12 | Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB) | ||
| 13 | Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB) | ||
| 14 | |||
| 15 | The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary. | ||
| 16 | |||
| 17 | CVE-2026-40340 | ||
| 18 | |||
| 19 | Reported-By: Sebastián Alba <sebasjosue84@gmail.com> | ||
| 20 | |||
| 21 | CVE: CVE-2026-40340 | ||
| 22 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33] | ||
| 23 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 24 | --- | ||
| 25 | camlibs/ptp2/ptp-pack.c | 2 +- | ||
| 26 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 27 | |||
| 28 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 29 | index 28648a5..9eba06f 100644 | ||
| 30 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 31 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 32 | @@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi, | ||
| 33 | { | ||
| 34 | char *capture_date; | ||
| 35 | |||
| 36 | - if (!data || len < PTP_oi_SequenceNumber) | ||
| 37 | + if (!data || len < PTP_oi_filenamelen + 5) | ||
| 38 | return; | ||
| 39 | |||
| 40 | oi->Filename = oi->Keywords = NULL; | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch deleted file mode 100644 index b71792c185..0000000000 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch +++ /dev/null | |||
| @@ -1,69 +0,0 @@ | |||
| 1 | From 3674dbeafa5157a264ca5e562ffdbef159a2185f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Marcus Meissner <marcus@jet.franken.de> | ||
| 3 | Date: Wed, 8 Apr 2026 15:28:52 +0200 | ||
| 4 | Subject: [PATCH] Fixed OOB read in ptp_unpack_EOS_FocusInfoEx | ||
| 5 | |||
| 6 | Do not read out values before checking there is sufficient size | ||
| 7 | |||
| 8 | CVE-2026-40341 | ||
| 9 | |||
| 10 | CVE: CVE-2026-40341 | ||
| 11 | Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/c385b34af260595dfbb5f9329526be5158985987] | ||
| 12 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 13 | --- | ||
| 14 | camlibs/ptp2/ptp-pack.c | 34 +++++++++++++++++++++++++--------- | ||
| 15 | 1 file changed, 25 insertions(+), 9 deletions(-) | ||
| 16 | |||
| 17 | diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c | ||
| 18 | index 9eba06f..11428ab 100644 | ||
| 19 | --- a/camlibs/ptp2/ptp-pack.c | ||
| 20 | +++ b/camlibs/ptp2/ptp-pack.c | ||
| 21 | @@ -1629,23 +1629,39 @@ ptp_pack_EOS_ImageFormat (PTPParams* params, unsigned char* data, uint16_t value | ||
| 22 | static inline char* | ||
| 23 | ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize) | ||
| 24 | { | ||
| 25 | - uint32_t size = dtoh32a( *data ); | ||
| 26 | - uint32_t halfsize = dtoh16a( (*data) + 4); | ||
| 27 | - uint32_t version = dtoh16a( (*data) + 6); | ||
| 28 | - uint32_t focus_points_in_struct = dtoh16a( (*data) + 8); | ||
| 29 | - uint32_t focus_points_in_use = dtoh16a( (*data) + 10); | ||
| 30 | - uint32_t sizeX = dtoh16a( (*data) + 12); | ||
| 31 | - uint32_t sizeY = dtoh16a( (*data) + 14); | ||
| 32 | - uint32_t size2X = dtoh16a( (*data) + 16); | ||
| 33 | - uint32_t size2Y = dtoh16a( (*data) + 18); | ||
| 34 | + uint32_t size; | ||
| 35 | + uint32_t halfsize; | ||
| 36 | + uint32_t version; | ||
| 37 | + uint32_t focus_points_in_struct; | ||
| 38 | + uint32_t focus_points_in_use; | ||
| 39 | + uint32_t sizeX; | ||
| 40 | + uint32_t sizeY; | ||
| 41 | + uint32_t size2X; | ||
| 42 | + uint32_t size2Y; | ||
| 43 | uint32_t i; | ||
| 44 | uint32_t maxlen; | ||
| 45 | char *str, *p; | ||
| 46 | |||
| 47 | + if (datasize<4) { | ||
| 48 | + ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize); | ||
| 49 | + return strdup("bad size 0"); | ||
| 50 | + } | ||
| 51 | + | ||
| 52 | + size = dtoh32a( *data ); | ||
| 53 | if ((size > datasize) || (size < 20)) { | ||
| 54 | ptp_error(params, "FocusInfoEx has invalid size (%d) vs datasize (%d)", size, datasize); | ||
| 55 | return strdup("bad size 1"); | ||
| 56 | } | ||
| 57 | + | ||
| 58 | + halfsize = dtoh16a( (*data) + 4); | ||
| 59 | + version = dtoh16a( (*data) + 6); | ||
| 60 | + focus_points_in_struct = dtoh16a( (*data) + 8); | ||
| 61 | + focus_points_in_use = dtoh16a( (*data) + 10); | ||
| 62 | + sizeX = dtoh16a( (*data) + 12); | ||
| 63 | + sizeY = dtoh16a( (*data) + 14); | ||
| 64 | + size2X = dtoh16a( (*data) + 16); | ||
| 65 | + size2Y = dtoh16a( (*data) + 18); | ||
| 66 | + | ||
| 67 | /* If data is zero-filled, then it is just a placeholder, so nothing | ||
| 68 | useful, but also not an error */ | ||
| 69 | if (!focus_points_in_struct || !focus_points_in_use) { | ||
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb index 04c4786f84..fca158fe11 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb | |||
| @@ -12,17 +12,8 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2" | |||
| 12 | SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ | 12 | SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ |
| 13 | file://40-libgphoto2.rules \ | 13 | file://40-libgphoto2.rules \ |
| 14 | file://0001-configure-Filter-out-buildpaths-from-CC.patch \ | 14 | file://0001-configure-Filter-out-buildpaths-from-CC.patch \ |
| 15 | file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \ | ||
| 16 | file://CVE-2026-40333.patch \ | ||
| 17 | file://CVE-2026-40334.patch \ | ||
| 18 | file://CVE-2026-40335.patch \ | ||
| 19 | file://CVE-2026-40336.patch \ | ||
| 20 | file://CVE-2026-40338.patch \ | ||
| 21 | file://CVE-2026-40339.patch \ | ||
| 22 | file://CVE-2026-40340.patch \ | ||
| 23 | file://CVE-2026-40341.patch \ | ||
| 24 | " | 15 | " |
| 25 | SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" | 16 | SRC_URI[libgphoto2.sha256sum] = "51993f5d9bfb6b4e5925cbbe5883085791bff6f81bcacb8ffe1b783ce76d586a" |
| 26 | 17 | ||
| 27 | UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/" | 18 | UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/" |
| 28 | 19 | ||
