summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorWang Mingyu <wangmy@fujitsu.com>2026-06-02 18:07:24 +0800
committerKhem Raj <khem.raj@oss.qualcomm.com>2026-06-07 18:21:37 -0700
commitcb1beb95fd7aca15fb3e9540818bb24b67c4b905 (patch)
treec8dc03615eb80ebd90d1a339ccc85f373e7b6700 /meta-oe
parent2f84b8c1f1cc293be1d458d223f8c61212ac0133 (diff)
downloadmeta-openembedded-cb1beb95fd7aca15fb3e9540818bb24b67c4b905.tar.gz
libgphoto2: upgrade 2.5.33 -> 2.5.34
0001-libgphoto2-fix-const-correctness-for-c23-builds.patch CVE-2026-40333.patch CVE-2026-40334.patch CVE-2026-40335.patch CVE-2026-40336.patch CVE-2026-40338.patch CVE-2026-40339.patch CVE-2026-40340.patch CVE-2026-40341.patch removed since they're included in 2.5.34 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch84
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch150
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch37
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch43
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch44
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch34
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch41
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch40
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch69
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb (renamed from meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb)11
10 files changed, 1 insertions, 552 deletions
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch
deleted file mode 100644
index 9ded174095..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch
+++ /dev/null
@@ -1,84 +0,0 @@
1From bfa786a260bfd4660e8186ebad8778718e85e8cd Mon Sep 17 00:00:00 2001
2From: Khem Raj <khem.raj@oss.qualcomm.com>
3Date: Sat, 4 Apr 2026 14:56:01 -0700
4Subject: [PATCH] libgphoto2: fix const-correctness for c23 builds
5
6C23 treats the return values of strrchr() and strchr() as const char *
7when the input string is const-qualified. Update local variables to use
8const char * where appropriate to avoid discarded-qualifier warnings and
9build failures with -std=gnu23.
10
11No functional change intended.
12
13Upstream-Status: Submitted [https://github.com/gphoto/libgphoto2/pull/1235]
14Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
15---
16 camlibs/directory/directory.c | 2 +-
17 libgphoto2/gphoto2-file.c | 6 +++---
18 libgphoto2/gphoto2-filesys.c | 2 +-
19 packaging/generic/print-camera-list.c | 2 +-
20 4 files changed, 6 insertions(+), 6 deletions(-)
21
22diff --git a/camlibs/directory/directory.c b/camlibs/directory/directory.c
23index 790405d54..cc63c6684 100644
24--- a/camlibs/directory/directory.c
25+++ b/camlibs/directory/directory.c
26@@ -125,7 +125,7 @@ static const char *
27 get_mime_type (const char *filename)
28 {
29
30- char *dot;
31+ const char *dot;
32 int x=0;
33
34 dot = strrchr(filename, '.');
35diff --git a/libgphoto2/gphoto2-file.c b/libgphoto2/gphoto2-file.c
36index 04d4d5e3e..1a9dbc193 100644
37--- a/libgphoto2/gphoto2-file.c
38+++ b/libgphoto2/gphoto2-file.c
39@@ -610,7 +610,7 @@ int
40 gp_file_open (CameraFile *file, const char *filename)
41 {
42 FILE *fp;
43- char *name, *dot;
44+ const char *name, *dot;
45 long size, size_read;
46 int i;
47 struct stat s;
48@@ -906,8 +906,8 @@ gp_file_get_name (CameraFile *file, const char **name)
49 int
50 gp_file_get_name_by_type (CameraFile *file, const char *basename, CameraFileType type, char **newname)
51 {
52- char *prefix = NULL, *s, *new, *slash = NULL;
53- const char *suffix = NULL;
54+ char *prefix = NULL, *new;
55+ const char *suffix = NULL, *s, *slash = NULL;
56 int i;
57
58 C_PARAMS (file && basename && newname);
59diff --git a/libgphoto2/gphoto2-filesys.c b/libgphoto2/gphoto2-filesys.c
60index 45f957292..07decff24 100644
61--- a/libgphoto2/gphoto2-filesys.c
62+++ b/libgphoto2/gphoto2-filesys.c
63@@ -521,7 +521,7 @@ append_to_folder (CameraFilesystemFolder *folder,
64 CameraFilesystemFolder **newfolder
65 ) {
66 CameraFilesystemFolder *f;
67- char *s;
68+ const char *s;
69
70 GP_LOG_D ("Append to folder %p/%s - %s", folder, folder->name, foldername);
71 /* Handle multiple slashes, and slashes at the end */
72diff --git a/packaging/generic/print-camera-list.c b/packaging/generic/print-camera-list.c
73index 1707b4e87..44530b4ae 100644
74--- a/packaging/generic/print-camera-list.c
75+++ b/packaging/generic/print-camera-list.c
76@@ -1138,7 +1138,7 @@ escape_html(const char *str) {
77 newstr = malloc(strlen(str)+1+inc);
78 s = str; ns = newstr;
79 do {
80- char *x;
81+ const char *x;
82 x = strchr(s,'&');
83 if (x) {
84 memcpy (ns, s, x-s);
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
deleted file mode 100644
index 77c307e88d..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
+++ /dev/null
@@ -1,150 +0,0 @@
1From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 15:18:42 +0200
4Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length
5 Parameter
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept
11const unsigned char** data but no length/size parameter. They perform
12unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat,
13up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events()
14have xsize available but never pass it.
15
16 CVE-2026-40333
17
18Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
19
20CVE: CVE-2026-40333
21Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53]
22Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
23---
24 camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++-------
25 1 file changed, 44 insertions(+), 9 deletions(-)
26
27diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
28index 09421b7..09dcc24 100644
29--- a/camlibs/ptp2/ptp-pack.c
30+++ b/camlibs/ptp2/ptp-pack.c
31@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned
32
33
34 static inline uint16_t
35-ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
36+ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size )
37 {
38 /*
39 EOS ImageFormat entries look are a sequence of u32 values:
40@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
41
42 const uint8_t* d = *data;
43 uint32_t offset = 0;
44- uint32_t n = dtoh32o (d, offset);
45+ uint32_t n;
46 uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0;
47
48+ if (*size < sizeof(uint32_t)) {
49+ ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size);
50+ return 0;
51+ }
52+ n = dtoh32o (d, offset);
53+ *size -= sizeof(uint32_t);
54+
55 if (n != 1 && n !=2) {
56 ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n);
57 return 0;
58 }
59-
60+ if (*size < sizeof(uint32_t)) {
61+ ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size);
62+ return 0;
63+ }
64 l = dtoh32o (d, offset);
65+ *size -= sizeof(uint32_t);
66+
67 if (l != 0x10) {
68 ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
69 return 0;
70 }
71
72+ if (*size < 3*sizeof(uint32_t)) {
73+ ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size);
74+ return 0;
75+ }
76 t1 = dtoh32o (d, offset);
77 s1 = dtoh32o (d, offset);
78 c1 = dtoh32o (d, offset);
79+ *size -= 3*sizeof(uint32_t);
80
81 if (n == 2) {
82+ if (*size < sizeof(uint32_t)) {
83+ ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size);
84+ return 0;
85+ }
86 l = dtoh32o (d, offset);
87+ *size -= sizeof(uint32_t);
88+
89 if (l != 0x10) {
90 ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
91 return 0;
92 }
93+ if (*size < 3*sizeof(uint32_t)) {
94+ ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size);
95+ return 0;
96+ }
97 t2 = dtoh32o (d, offset);
98 s2 = dtoh32o (d, offset);
99 c2 = dtoh32o (d, offset);
100@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3
101
102
103 static inline char*
104-ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data )
105+ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size )
106 {
107- uint32_t s = dtoh32a( *data );
108- uint32_t n = s/4, i;
109+ uint32_t s, n, i;
110 char *str, *p;
111
112+ if (*size < sizeof(uint32_t))
113+ return strdup("bad length");
114+
115+ s = dtoh32a( *data );
116+ n = s/4;
117+
118+ if (*size < 4+s)
119+ return strdup("bad length");
120+
121 if (s > 1024) {
122 ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
123 return strdup("bad length");
124@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
125 case PTP_DPC_CANON_EOS_ImageFormatExtHD:
126 /* special handling of ImageFormat properties */
127 for (j=0;j<dpd_count;j++) {
128- dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
129+ dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
130 ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16);
131 }
132 break;
133@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
134 case PTP_DPC_CANON_EOS_ImageFormatSD:
135 case PTP_DPC_CANON_EOS_ImageFormatExtHD:
136 dpd->DataType = PTP_DTC_UINT16;
137- dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
138+ dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
139 dpd->CurrentValue.u16 = dpd->DefaultValue.u16;
140 ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16);
141 break;
142@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
143 dpd->DataType = PTP_DTC_STR;
144 free (dpd->DefaultValue.str);
145 free (dpd->CurrentValue.str);
146- dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
147+ dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize );
148 dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str );
149 ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str);
150 break;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch
deleted file mode 100644
index 883582dff0..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From 20b33a26b2efdbf2c35c5cacc54a041855ec764b Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 15:15:54 +0200
4Subject: [PATCH] Fixed Canon FolderEntry Missing Null Termination
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9ptp_unpack_Canon_FE() copies filename with strncpy into a 13-byte
10buffer without explicit null termination. The EOS variant at line
111451–1452 correctly adds fe->Filename[PTP_CANON_FilenameBufferLen-1]
12= 0; confirming this was recognized as necessary but not applied to the
13original Canon path.
14
15 CVE-2026-40334
16
17Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
18
19CVE: CVE-2026-40334
20Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873]
21Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
22---
23 camlibs/ptp2/ptp-pack.c | 1 +
24 1 file changed, 1 insertion(+)
25
26diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
27index 09dcc24..982b4f4 100644
28--- a/camlibs/ptp2/ptp-pack.c
29+++ b/camlibs/ptp2/ptp-pack.c
30@@ -1369,6 +1369,7 @@ ptp_unpack_Canon_FE (PTPParams *params, const unsigned char* data, PTPCANONFolde
31 fe->ObjectSize = dtoh32a(data + PTP_cfe_ObjectSize);
32 fe->Time = (time_t)dtoh32a(data + PTP_cfe_Time);
33 strncpy(fe->Filename, (char*)data + PTP_cfe_Filename, PTP_CANON_FilenameBufferLen);
34+ fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0';
35 }
36
37 /*
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch
deleted file mode 100644
index dfe832e6c8..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 15:07:38 +0200
4Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?=
5 =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?=
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM
11
12In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic.
13
14CVE-2026-40335
15
16Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
17
18CVE: CVE-2026-40335
19Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a]
20Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
21---
22 camlibs/ptp2/ptp-pack.c | 4 ++++
23 1 file changed, 4 insertions(+)
24
25diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
26index 982b4f4..7fc120d 100644
27--- a/camlibs/ptp2/ptp-pack.c
28+++ b/camlibs/ptp2/ptp-pack.c
29@@ -614,10 +614,14 @@ ptp_unpack_DPV (
30 case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break;
31
32 case PTP_DTC_UINT128:
33+ if (total - *offset < 16)
34+ return 0;
35 *offset += 16;
36 /*fprintf(stderr,"unhandled unpack of uint128n");*/
37 break;
38 case PTP_DTC_INT128:
39+ if (total - *offset < 16)
40+ return 0;
41 *offset += 16;
42 /*fprintf(stderr,"unhandled unpack of int128n");*/
43 break;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch
deleted file mode 100644
index 1a809b4f25..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From e19c45d3530f1585805711e14aa4ea788e499f46 Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 15:13:51 +0200
4Subject: [PATCH] Fixed Sony DPD Secondary Enum List Memory Leak
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Finding 4: Sony DPD Secondary Enum List Memory Leak (CWE-401) — LOW
10
11File: ptp-pack.c:884-885
12
13When processing a secondary enumeration list (2024+ Sony cameras), line
14884–885 overwrites dpd->FORM.Enum.SupportedValue with a new calloc()
15without freeing the previous allocation from line 857. The original
16array and any string values it contains are leaked.
17
18CVE-2026-40336
19
20Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
21
22CVE: CVE-2026-40336
23Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/404ff02c75f3cb280196fc260a63c4d26cf1a8f6]
24Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
25---
26 camlibs/ptp2/ptp-pack.c | 5 +++++
27 1 file changed, 5 insertions(+)
28
29diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
30index 7fc120d..fc51d77 100644
31--- a/camlibs/ptp2/ptp-pack.c
32+++ b/camlibs/ptp2/ptp-pack.c
33@@ -879,6 +879,11 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
34 /* check if we have a secondary list of items, this is for newer Sonys (2024) */
35 if (val < 0x200) { /* if a secondary list is not provided, this will be the next property code - 0x5XXX or 0xDxxx */
36 if (dpd->FormFlag == PTP_DPFF_Enumeration) {
37+ /* free old enum variables */
38+ for (i=0;i<dpd->FORM.Enum.NumberOfValues;i++)
39+ ptp_free_propvalue (dpd->DataType, dpd->FORM.Enum.SupportedValue+i);
40+ free (dpd->FORM.Enum.SupportedValue);
41+
42 N = dtoh16o(data, *poffset);
43 dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0]));
44 if (!dpd->FORM.Enum.SupportedValue)
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch
deleted file mode 100644
index 9f233f2ec9..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch
+++ /dev/null
@@ -1,34 +0,0 @@
1From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Sat, 11 Apr 2026 10:47:52 +0200
4Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?=
5 =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?=
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check.
11
12CVE-2026-40338
13
14Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
15
16CVE: CVE-2026-40338
17Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845]
18Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
19---
20 camlibs/ptp2/ptp-pack.c | 1 +
21 1 file changed, 1 insertion(+)
22
23diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
24index fc51d77..f90d2a5 100644
25--- a/camlibs/ptp2/ptp-pack.c
26+++ b/camlibs/ptp2/ptp-pack.c
27@@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
28 break;
29 case PTP_DPFF_Enumeration: {
30 #define N dpd->FORM.Enum.NumberOfValues
31+ if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory;
32 N = dtoh16o(data, *poffset);
33 dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0]));
34 if (!dpd->FORM.Enum.SupportedValue)
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch
deleted file mode 100644
index b00ac72772..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Sat, 11 Apr 2026 10:50:47 +0200
4Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?=
5 =?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?=
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset)
11without a prior bounds check. The standard ptp_unpack_DPD() at line
12686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before
13this same read, but the Sony variant omits this check.
14
15CVE-2026-40339
16
17Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
18
19CVE: CVE-2026-40339
20Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d]
21Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
22---
23 camlibs/ptp2/ptp-pack.c | 3 ++-
24 1 file changed, 2 insertions(+), 1 deletion(-)
25
26diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
27index f90d2a5..28648a5 100644
28--- a/camlibs/ptp2/ptp-pack.c
29+++ b/camlibs/ptp2/ptp-pack.c
30@@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
31 code or the Data Type is a string (with two empty strings as
32 values). In both cases Form Flag should be set to 0x00 and FORM is
33 not present. */
34-
35 if (*poffset==PTP_dpd_Sony_DefaultValue)
36 return 1;
37+ if (*poffset + sizeof(uint8_t) > dpdlen)
38+ return 1;
39
40 dpd->FormFlag = dtoh8o(data, *poffset);
41 ptp_debug (params, "formflag 0x%04x", dpd->FormFlag);
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch
deleted file mode 100644
index a0852692b0..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch
+++ /dev/null
@@ -1,40 +0,0 @@
1From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 16:01:48 +0200
4Subject: [PATCH] Fixed ObjectInfo Parser OOB Read
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses:
10
11 Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB)
12 Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB)
13 Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB)
14
15The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary.
16
17 CVE-2026-40340
18
19Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
20
21CVE: CVE-2026-40340
22Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33]
23Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
24---
25 camlibs/ptp2/ptp-pack.c | 2 +-
26 1 file changed, 1 insertion(+), 1 deletion(-)
27
28diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
29index 28648a5..9eba06f 100644
30--- a/camlibs/ptp2/ptp-pack.c
31+++ b/camlibs/ptp2/ptp-pack.c
32@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi,
33 {
34 char *capture_date;
35
36- if (!data || len < PTP_oi_SequenceNumber)
37+ if (!data || len < PTP_oi_filenamelen + 5)
38 return;
39
40 oi->Filename = oi->Keywords = NULL;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch
deleted file mode 100644
index b71792c185..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch
+++ /dev/null
@@ -1,69 +0,0 @@
1From 3674dbeafa5157a264ca5e562ffdbef159a2185f Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 15:28:52 +0200
4Subject: [PATCH] Fixed OOB read in ptp_unpack_EOS_FocusInfoEx
5
6Do not read out values before checking there is sufficient size
7
8CVE-2026-40341
9
10CVE: CVE-2026-40341
11Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/c385b34af260595dfbb5f9329526be5158985987]
12Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
13---
14 camlibs/ptp2/ptp-pack.c | 34 +++++++++++++++++++++++++---------
15 1 file changed, 25 insertions(+), 9 deletions(-)
16
17diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
18index 9eba06f..11428ab 100644
19--- a/camlibs/ptp2/ptp-pack.c
20+++ b/camlibs/ptp2/ptp-pack.c
21@@ -1629,23 +1629,39 @@ ptp_pack_EOS_ImageFormat (PTPParams* params, unsigned char* data, uint16_t value
22 static inline char*
23 ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize)
24 {
25- uint32_t size = dtoh32a( *data );
26- uint32_t halfsize = dtoh16a( (*data) + 4);
27- uint32_t version = dtoh16a( (*data) + 6);
28- uint32_t focus_points_in_struct = dtoh16a( (*data) + 8);
29- uint32_t focus_points_in_use = dtoh16a( (*data) + 10);
30- uint32_t sizeX = dtoh16a( (*data) + 12);
31- uint32_t sizeY = dtoh16a( (*data) + 14);
32- uint32_t size2X = dtoh16a( (*data) + 16);
33- uint32_t size2Y = dtoh16a( (*data) + 18);
34+ uint32_t size;
35+ uint32_t halfsize;
36+ uint32_t version;
37+ uint32_t focus_points_in_struct;
38+ uint32_t focus_points_in_use;
39+ uint32_t sizeX;
40+ uint32_t sizeY;
41+ uint32_t size2X;
42+ uint32_t size2Y;
43 uint32_t i;
44 uint32_t maxlen;
45 char *str, *p;
46
47+ if (datasize<4) {
48+ ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize);
49+ return strdup("bad size 0");
50+ }
51+
52+ size = dtoh32a( *data );
53 if ((size > datasize) || (size < 20)) {
54 ptp_error(params, "FocusInfoEx has invalid size (%d) vs datasize (%d)", size, datasize);
55 return strdup("bad size 1");
56 }
57+
58+ halfsize = dtoh16a( (*data) + 4);
59+ version = dtoh16a( (*data) + 6);
60+ focus_points_in_struct = dtoh16a( (*data) + 8);
61+ focus_points_in_use = dtoh16a( (*data) + 10);
62+ sizeX = dtoh16a( (*data) + 12);
63+ sizeY = dtoh16a( (*data) + 14);
64+ size2X = dtoh16a( (*data) + 16);
65+ size2Y = dtoh16a( (*data) + 18);
66+
67 /* If data is zero-filled, then it is just a placeholder, so nothing
68 useful, but also not an error */
69 if (!focus_points_in_struct || !focus_points_in_use) {
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb
index 04c4786f84..fca158fe11 100644
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb
@@ -12,17 +12,8 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2"
12SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ 12SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
13 file://40-libgphoto2.rules \ 13 file://40-libgphoto2.rules \
14 file://0001-configure-Filter-out-buildpaths-from-CC.patch \ 14 file://0001-configure-Filter-out-buildpaths-from-CC.patch \
15 file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
16 file://CVE-2026-40333.patch \
17 file://CVE-2026-40334.patch \
18 file://CVE-2026-40335.patch \
19 file://CVE-2026-40336.patch \
20 file://CVE-2026-40338.patch \
21 file://CVE-2026-40339.patch \
22 file://CVE-2026-40340.patch \
23 file://CVE-2026-40341.patch \
24 " 15 "
25SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" 16SRC_URI[libgphoto2.sha256sum] = "51993f5d9bfb6b4e5925cbbe5883085791bff6f81bcacb8ffe1b783ce76d586a"
26 17
27UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/" 18UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"
28 19