diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch new file mode 100644 index 0000000000..b3074e2823 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch @@ -0,0 +1,82 @@ +From f338465efb49166c543dcc2fc52810370ea90475 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Mon, 17 Feb 2025 16:34:40 -0800 +Subject: [PATCH] Revert "fix copy constructors" + +This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5. + +This commit is wrong and ends up resulting in use after frees because of +C pointers. The proper solution is shared_ptr instead of C pointers but +that's a lot more involved than reverting this. + +Signed-off-by: Rosen Penev + +CVE: CVE-2025-26623 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3174/commits/638ff11ce7480000974b5c619eafcb8618e3b586] +Signed-off-by: Gyorgy Sarvari +--- + src/tiffcomposite_int.cpp | 19 +++++++++++++++++++ + src/tiffcomposite_int.hpp | 6 +++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp +index 95ce450c7..3e6e93d5c 100644 +--- a/src/tiffcomposite_int.cpp ++++ b/src/tiffcomposite_int.cpp +@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) : + storage_(rhs.storage_) { + } + ++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) { ++} ++ ++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) { ++} ++ ++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) : ++ TiffEntryBase(rhs), ++ cfgSelFct_(rhs.cfgSelFct_), ++ arraySet_(rhs.arraySet_), ++ arrayCfg_(rhs.arrayCfg_), ++ arrayDef_(rhs.arrayDef_), ++ defSize_(rhs.defSize_), ++ setSize_(rhs.setSize_), ++ origData_(rhs.origData_), ++ origSize_(rhs.origSize_), ++ pRoot_(rhs.pRoot_) { ++} ++ + TiffComponent::UniquePtr TiffComponent::clone() const { + return UniquePtr(doClone()); + } +diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp +index 4506a4dca..307e0bd9e 100644 +--- a/src/tiffcomposite_int.hpp ++++ b/src/tiffcomposite_int.hpp +@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffDirectory(const TiffDirectory&) = default; ++ TiffDirectory(const TiffDirectory& rhs); + //@} + + //! @name Protected Manipulators +@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffSubIfd(const TiffSubIfd&) = default; ++ TiffSubIfd(const TiffSubIfd& rhs); + TiffSubIfd& operator=(const TiffSubIfd&) = delete; + //@} + +@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffBinaryArray(const TiffBinaryArray&) = default; ++ TiffBinaryArray(const TiffBinaryArray& rhs); + //@} + + //! @name Protected Manipulators diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index 3e33ab7953..81e9954c1d 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb @@ -4,7 +4,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2" DEPENDS = "zlib expat brotli libinih" -SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x" +SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \ + file://0001-Revert-fix-copy-constructors.patch \ + " SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e" S = "${WORKDIR}/git"