Backport several CVE fixes
It fixes CVE-2026-40386 and CVE-2026-40385. Resolves: RHEL-170254, RHEL-170235
This commit is contained in:
Jan Grulich
parent
72ef9822bb
commit
8f4c75d446
@ -0,0 +1,30 @@
|
||||
From 93003b93e50b3d259bd2227d8775b73a53c35d58 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Meissner <meissner@suse.de>
|
||||
Date: Fri, 3 Apr 2026 11:18:47 +0200
|
||||
Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
|
||||
|
||||
The addition o2 = datao + exif_get_long(buf + o2, n->order)
|
||||
could have overflowed on systems with 32bit unsigned int size_t.
|
||||
|
||||
This could have caused out of bound reads of data, leading to
|
||||
misparsing of exif / crashes.
|
||||
|
||||
Reported-By: Kerwin <kerwinxia66001@gmail.com>
|
||||
---
|
||||
libexif/olympus/exif-mnote-data-olympus.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
|
||||
index 428f365..37f08ff 100644
|
||||
--- a/libexif/olympus/exif-mnote-data-olympus.c
|
||||
+++ b/libexif/olympus/exif-mnote-data-olympus.c
|
||||
@@ -386,6 +386,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
|
||||
o2 += 2;
|
||||
|
||||
/* Go to where the number of entries is. */
|
||||
+ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
|
||||
o2 = datao + exif_get_long (buf + o2, n->order);
|
||||
break;
|
||||
|
||||
--
|
||||
2.53.0
|
||||
41
fixed-2-unsigned-integer-underflows.patch
Normal file
41
fixed-2-unsigned-integer-underflows.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From dc6eac6e9655d14d0779d99e82d0f5f442d2f34b Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Meissner <meissner@suse.de>
|
||||
Date: Thu, 2 Apr 2026 13:26:31 +0200
|
||||
Subject: [PATCH] fixed 2 unsigned integer underflows
|
||||
|
||||
this could cause crashes or data leaks.
|
||||
|
||||
Reported-by: Kerwin <kerwinxia66001@gmail.com>
|
||||
---
|
||||
libexif/fuji/exif-mnote-data-fuji.c | 2 +-
|
||||
libexif/olympus/exif-mnote-data-olympus.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
|
||||
index c28c541..2dcb877 100644
|
||||
--- a/libexif/fuji/exif-mnote-data-fuji.c
|
||||
+++ b/libexif/fuji/exif-mnote-data-fuji.c
|
||||
@@ -70,7 +70,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns
|
||||
ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
|
||||
|
||||
if (!d || !val) return NULL;
|
||||
- if (i > n->count -1) return NULL;
|
||||
+ if (i >= n->count) return NULL;
|
||||
/*
|
||||
exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
|
||||
"Querying value for tag '%s'...",
|
||||
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
|
||||
index a57af17..428f365 100644
|
||||
--- a/libexif/olympus/exif-mnote-data-olympus.c
|
||||
+++ b/libexif/olympus/exif-mnote-data-olympus.c
|
||||
@@ -78,7 +78,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val,
|
||||
ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
|
||||
|
||||
if (!d || !val) return NULL;
|
||||
- if (i > n->count -1) return NULL;
|
||||
+ if (i >= n->count) return NULL;
|
||||
/*
|
||||
exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
|
||||
"Querying value for tag '%s'...",
|
||||
--
|
||||
2.53.0
|
||||
14
libexif.spec
14
libexif.spec
@ -1,7 +1,7 @@
|
||||
Summary: Library for extracting extra information from image files
|
||||
Name: libexif
|
||||
Version: 0.6.22
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: LGPLv2+
|
||||
URL: https://libexif.github.io/
|
||||
%global tarball_version %(echo %{version} | sed -e 's|\\.|_|g')
|
||||
@ -12,6 +12,13 @@ Patch0: CVE-2020-0181-CVE-2020-0198.patch
|
||||
# https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06
|
||||
Patch1: CVE-2020-0452.patch
|
||||
|
||||
# CVE-2026-40386
|
||||
# https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
|
||||
# CVE-2026-40385
|
||||
# https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58
|
||||
Patch: fixed-2-unsigned-integer-underflows.patch
|
||||
Patch: avoid-overflow-on-32bit-system-when-reading-nikon-makernotes.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: doxygen
|
||||
@ -83,6 +90,11 @@ make check
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu May 07 2026 Jan Grulich <jgrulich@redhat.com> - 0.6.22-7
|
||||
- Fix integer underflow in MakerNote decoding (CVE-2026-40386)
|
||||
- Fix integer overflow in Nikon MakerNote handling (CVE-2026-40385)
|
||||
Resolves: RHEL-170254, RHEL-170235
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.22-6
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
Loading…
Reference in New Issue
Block a user