From 7997befd2eda068e2b38a1f652a5de1e0fd0179e Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Mon, 24 Feb 2025 13:50:02 +0100 Subject: [PATCH] Fix CVE-2025-26623 exiv2: Use After Free Resolves: RHEL-80106 --- .gitignore | 1 + exiv2-CVE-2025-26623-test.patch | 68 ++++++++++++++++++++++++++++ exiv2-CVE-2025-26623.patch | 79 +++++++++++++++++++++++++++++++++ exiv2-no-rpath.patch | 13 ------ exiv2.spec | 23 +++++++--- sources | 1 + 6 files changed, 167 insertions(+), 18 deletions(-) create mode 100644 exiv2-CVE-2025-26623-test.patch create mode 100644 exiv2-CVE-2025-26623.patch delete mode 100644 exiv2-no-rpath.patch diff --git a/.gitignore b/.gitignore index 432455e..53c17f2 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ /exiv2-0.27.5-Source.tar.gz /exiv2-0.27.6-Source.tar.gz /exiv2-0.28.3.tar.gz +/issue_ghsa_38h4_fx85_qcx7_poc.tiff diff --git a/exiv2-CVE-2025-26623-test.patch b/exiv2-CVE-2025-26623-test.patch new file mode 100644 index 0000000..abcb3ef --- /dev/null +++ b/exiv2-CVE-2025-26623-test.patch 
@@ -0,0 +1,68 @@ +From 630487ffc5feda28aa62dc91eaeae8b0b7507851 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Wed, 19 Feb 2025 16:21:06 +0000 +Subject: [PATCH] Regression test for + https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7 + +(cherry picked from commit 9f8e1a57b6c6853947360d1187bc24d72056c97a) +--- + test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff | Bin 0 -> 603 bytes + .../github/test_issue_ghsa_38h4_fx85_qcx7.py | 22 ++++++++++++++++++ + .../test_regression_allfiles.py | 1 + + tests/suite.conf | 1 + + 4 files changed, 24 insertions(+) + create mode 100644 test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff + create mode 100644 tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py + +diff --git a/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py +new file mode 100644 +index 0000000000..07082caf62 +--- /dev/null ++++ b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py +@@ -0,0 +1,22 @@ ++# -*- coding: utf-8 -*- ++ ++from system_tests import CaseMeta, path ++ ++ ++class TiffSubIfd_use_after_free(metaclass=CaseMeta): ++ """ ++ Regression test for the bug described in: ++ https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7 ++ """ ++ ++ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7" ++ ++ filename = path("$data_path/issue_ghsa_38h4_fx85_qcx7_poc.tiff") ++ commands = ["$exiv2 -q fi $filename"] ++ stdout = [""] ++ stderr = [ ++ """Exiv2 exception in fixiso action for file $filename: ++$kerImageWriteFailed ++""" ++ ] ++ retval = [1] +diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py +index eb7f7cef2d..53e8de44ae 100644 +--- a/tests/regression_tests/test_regression_allfiles.py ++++ b/tests/regression_tests/test_regression_allfiles.py +@@ -120,6 +120,7 @@ def get_valid_files(data_dir): + "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2", + 
"issue_ghsa_hrw9_ggg3_3r4r_poc.jpg", + "issue_ghsa_g9xm_7538_mq8w_poc.mov", ++ "issue_ghsa_38h4_fx85_qcx7_poc.tiff", + "pocIssue283.jpg", + "poc_1522.jp2", + "xmpsdk.xmp", +diff --git a/tests/suite.conf b/tests/suite.conf +index c2bf1741e8..249a97fa93 100644 +--- a/tests/suite.conf ++++ b/tests/suite.conf +@@ -41,6 +41,7 @@ jpegparsetest: ${ENV:exiv2_path}/jpegparsetest + kerOffsetOutOfRange: Offset out of range + kerFailedToReadImageData: Failed to read image data + kerInputDataReadFailed: Failed to read input data ++kerImageWriteFailed: Failed to write image + kerCorruptedMetadata: corrupted image metadata + kerInvalidMalloc: invalid memory allocation request + kerInvalidTypeValue: invalid type in tiff structure diff --git a/exiv2-CVE-2025-26623.patch b/exiv2-CVE-2025-26623.patch new file mode 100644 index 0000000..7a14e49 --- /dev/null +++ b/exiv2-CVE-2025-26623.patch 
@@ -0,0 +1,79 @@ +From facce628f3622764e91a8161f89ade8cb34bc120 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Mon, 17 Feb 2025 16:34:40 -0800 +Subject: [PATCH] Revert "fix copy constructors" + +This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5. + +This commit is wrong and ends up resulting in use after frees because of +C pointers. The proper solution is shared_ptr instead of C pointers but +that's a lot more involved than reverting this. + +Signed-off-by: Rosen Penev +(cherry picked from commit ebff8b48820b96c786cfddbf0bebb395cb1317d7) +--- + src/tiffcomposite_int.cpp | 19 +++++++++++++++++++ + src/tiffcomposite_int.hpp | 6 +++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp +index 95ce450c7d..3e6e93d5c5 100644 +--- a/src/tiffcomposite_int.cpp ++++ b/src/tiffcomposite_int.cpp +@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) : + storage_(rhs.storage_) { + } + ++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) { ++} ++ ++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) { ++} ++ ++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) : ++ TiffEntryBase(rhs), ++ cfgSelFct_(rhs.cfgSelFct_), ++ arraySet_(rhs.arraySet_), ++ arrayCfg_(rhs.arrayCfg_), ++ arrayDef_(rhs.arrayDef_), ++ defSize_(rhs.defSize_), ++ setSize_(rhs.setSize_), ++ origData_(rhs.origData_), ++ origSize_(rhs.origSize_), ++ pRoot_(rhs.pRoot_) { ++} ++ + TiffComponent::UniquePtr TiffComponent::clone() const { + return UniquePtr(doClone()); + } +diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp +index 4506a4dca0..307e0bd9e3 100644 +--- a/src/tiffcomposite_int.hpp ++++ b/src/tiffcomposite_int.hpp +@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). 
+- TiffDirectory(const TiffDirectory&) = default; ++ TiffDirectory(const TiffDirectory& rhs); + //@} + + //! @name Protected Manipulators +@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffSubIfd(const TiffSubIfd&) = default; ++ TiffSubIfd(const TiffSubIfd& rhs); + TiffSubIfd& operator=(const TiffSubIfd&) = delete; + //@} + +@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffBinaryArray(const TiffBinaryArray&) = default; ++ TiffBinaryArray(const TiffBinaryArray& rhs); + //@} + + //! @name Protected Manipulators diff --git a/exiv2-no-rpath.patch b/exiv2-no-rpath.patch deleted file mode 100644 index f97d106..0000000 --- a/exiv2-no-rpath.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/cmake/mainSetup.cmake b/cmake/mainSetup.cmake -index 1ea9deb..36253d1 100644 ---- a/cmake/mainSetup.cmake -+++ b/cmake/mainSetup.cmake -@@ -26,8 +26,6 @@ if (UNIX) - if (APPLE) - set(CMAKE_MACOSX_RPATH ON) - set(CMAKE_INSTALL_RPATH "@loader_path") -- else() -- join_paths(CMAKE_INSTALL_RPATH "$ORIGIN" ".." "${CMAKE_INSTALL_LIBDIR}") - endif() - endif() - diff --git a/exiv2.spec b/exiv2.spec index 6da400f..b28ab17 100644 --- a/exiv2.spec +++ b/exiv2.spec @@ -1,6 +1,6 @@ Name: exiv2 Version: 0.28.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Exif and Iptc metadata manipulation library # GPL-2.0-or-later: main library 
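Review bot: The three hand-written copy constructors added to tiffcomposite_int.cpp carry no comment explaining why they must not be `= default`, which is precisely the reasoning the reverted commit got wrong — the defaulted versions shallow-copy every member, and the message attributes the use-after-free to raw C pointers then shared between original and clone. Each constructor copies only a listed subset (`hasNext_`, `newGroup_`, and the array bookkeeping fields of TiffBinaryArray) and deliberately leaves the remaining members default-initialised, presumably the containers of owned child components, which are not visible in this hunk; I would put above each one a comment such as `// Intentionally not '= default': owned child pointers must not be shared with the clone (GHSA-38h4-fx85-qcx7).` so a future modernize pass does not re-default them. Only TiffSubIfd visibly deletes copy-assignment; if TiffDirectory and TiffBinaryArray do not delete theirs elsewhere in the header, the implicitly generated `operator=` would still perform the shallow copy this patch avoids, so that is worth checking. `pRoot_` is copied as-is in TiffBinaryArray, which is consistent with it being a non-owning back-reference — TODO confirm.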
@@ -15,12 +15,17 @@ License: GPL-2.0-or-later AND BSD-3-Clause AND LicenseRef-Fedora-Public-D URL: http://www.exiv2.org/ VCS: https://github.com/Exiv2/exiv2/ %if 0%{?beta:1} -Source: %{vcs}/archive/v%{version}-%{beta}/%{name}-%{version}-%{beta}.tar.gz +Source0: %{vcs}/archive/v%{version}-%{beta}/%{name}-%{version}-%{beta}.tar.gz %else -Source: %{vcs}/archive/v%{version}/%{name}-%{version}.tar.gz +Source0: %{vcs}/archive/v%{version}/%{name}-%{version}.tar.gz %endif -Patch0: exiv2-no-rpath.patch +# POC files for upstream issues +Source1: issue_ghsa_38h4_fx85_qcx7_poc.tiff + +# CVE fixes +Patch50: exiv2-CVE-2025-26623.patch +Patch51: exiv2-CVE-2025-26623-test.patch BuildRequires: cmake BuildRequires: gcc-c++ @@ -97,13 +102,16 @@ API documentation for %{name}. %prep %autosetup -n %{name}-%{version}%{?beta:-%{beta}} -p1 +cp %{SOURCE1} test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff %build %cmake \ -DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \ -DEXIV2_BUILD_DOC:BOOL=ON \ -DEXIV2_BUILD_SAMPLES:BOOL=OFF \ - -DEXIV2_ENABLE_NLS:BOOL=ON + -DEXIV2_ENABLE_NLS:BOOL=ON \ + -DCMAKE_SKIP_RPATH:BOOL=OFF + %cmake_build %cmake_build --target doc @@ -119,6 +127,7 @@ test "$(pkg-config --modversion exiv2)" = "%{version}" test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}" test -x %{buildroot}%{_libdir}/libexiv2.so +%ctest --parallel 1 %files -f exiv2.lang %license COPYING doc/COPYING-XMPSDK @@ -145,6 +154,10 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog +* Mon Feb 24 2025 Jan Grulich - 0.28.3-4 +- Fix CVE-2025-26623 exiv2: Use After Free + Resolves: RHEL-80106 + * Tue Oct 29 2024 Troy Dawson - 0.28.3-3 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 diff --git a/sources b/sources index f09226d..309961e 100644 --- a/sources +++ b/sources 
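Review bot: `-DCMAKE_SKIP_RPATH:BOOL=OFF` in %build is CMake's default value, so on its own it changes nothing, while the same commit deletes exiv2-no-rpath.patch, which stripped the `$ORIGIN/../${CMAKE_INSTALL_LIBDIR}` install RPATH from cmake/mainSetup.cmake; the installed libexiv2.so may therefore carry that RPATH again, and nothing in %check (`test -x %{buildroot}%{_libdir}/libexiv2.so`) would notice. If the intent is to keep the build-tree RPATH so the new `%ctest --parallel 1` can run the test binaries while still shipping libraries without one, `-DCMAKE_SKIP_INSTALL_RPATH:BOOL=ON` is the setting that expresses that distinction; if instead the `%cmake` macro on the target forces SKIP_RPATH on and this OFF is meant to override it, that deserves saying. Either way a one-line comment next to the flag, e.g. `# keep the build-tree RPATH so %ctest can run the test binaries`, would document the choice. The changelog entry mentions neither the rpath patch removal nor the newly enabled test run, which a packager chasing RPATH lint output later would want to find there.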
@@ -1 +1,2 @@
 SHA512 (exiv2-0.28.3.tar.gz) = c8338a118feefa104d73932890c732247c884ab9ce1d170c43a22ab5884517a0e2a7fd1febde7705b8290fbbbc29e64738610404816e4db2b56a70fc444ca049
+SHA512 (issue_ghsa_38h4_fx85_qcx7_poc.tiff) = adaa541625873c88d58a5563e3d345f51252bc83ba487f004e54cd327b48fb2258e5d5cf27547f1da426d2b2a9a21d1f7d6378c877ac073477658fc4b300e5b9