summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch43
-rw-r--r--meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb1
2 files changed, 44 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch
new file mode 100644
index 0000000000..dfe832e6c8
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch
@@ -0,0 +1,43 @@
1From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001
2From: Marcus Meissner <marcus@jet.franken.de>
3Date: Wed, 8 Apr 2026 15:07:38 +0200
4Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?=
5 =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?=
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM
11
12In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic.
13
14CVE-2026-40335
15
16Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
17
18CVE: CVE-2026-40335
19Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a]
20Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
21---
22 camlibs/ptp2/ptp-pack.c | 4 ++++
23 1 file changed, 4 insertions(+)
24
25diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
26index 982b4f4..7fc120d 100644
27--- a/camlibs/ptp2/ptp-pack.c
28+++ b/camlibs/ptp2/ptp-pack.c
29@@ -614,10 +614,14 @@ ptp_unpack_DPV (
30 case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break;
31
32 case PTP_DTC_UINT128:
33+ if (total - *offset < 16)
34+ return 0;
35 *offset += 16;
36 /*fprintf(stderr,"unhandled unpack of uint128n");*/
37 break;
38 case PTP_DTC_INT128:
39+ if (total - *offset < 16)
40+ return 0;
41 *offset += 16;
42 /*fprintf(stderr,"unhandled unpack of int128n");*/
43 break;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
index e8e56171a1..269731731b 100644
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
15 file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \ 15 file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
16 file://CVE-2026-40333.patch \ 16 file://CVE-2026-40333.patch \
17 file://CVE-2026-40334.patch \ 17 file://CVE-2026-40334.patch \
18 file://CVE-2026-40335.patch \
18 " 19 "
19SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" 20SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"
20 21