From d2df9632eb5e2fde8daa09496f35eb8996589938 Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Thu, 3 Jul 2025 09:12:52 +0800
Subject: [PATCH] [CVE] CVE-2025-26623 to #19323 add patch to fix CVE-2025-26623 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 1-bugfix-for-CVE-2025-26623.patch | 68 ++++++++++++++++++++++++++
 2-bugfix-for-CVE-2025-26623.patch | 79 +++++++++++++++++++++++++++++++
 exiv2.spec | 7 ++-
 3 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 1-bugfix-for-CVE-2025-26623.patch
 create mode 100644 2-bugfix-for-CVE-2025-26623.patch
diff --git a/1-bugfix-for-CVE-2025-26623.patch b/1-bugfix-for-CVE-2025-26623.patch
new file mode 100644
index 0000000..abcb3ef
--- /dev/null
+++ b/1-bugfix-for-CVE-2025-26623.patch
@@ -0,0 +1,68 @@
+From 630487ffc5feda28aa62dc91eaeae8b0b7507851 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 19 Feb 2025 16:21:06 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7
+
+(cherry picked from commit 9f8e1a57b6c6853947360d1187bc24d72056c97a)
+---
+ test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff | Bin 0 -> 603 bytes
+ .../github/test_issue_ghsa_38h4_fx85_qcx7.py | 22 ++++++++++++++++++
+ .../test_regression_allfiles.py | 1 +
+ tests/suite.conf | 1 +
+ 4 files changed, 24 insertions(+)
+ create mode 100644 test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
+new file mode 100644
+index 0000000000..07082caf62
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
+@@ -0,0 +1,22 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, path
++
++
++class TiffSubIfd_use_after_free(metaclass=CaseMeta):
++ """
++ Regression test for the bug described in:
++ https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7
++ """
++
++ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7"
++
++ filename = path("$data_path/issue_ghsa_38h4_fx85_qcx7_poc.tiff")
++ commands = ["$exiv2 -q fi $filename"]
++ stdout = [""]
++ stderr = [
++ """Exiv2 exception in fixiso action for file $filename:
++$kerImageWriteFailed
++"""
++ ]
++ retval = [1]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index eb7f7cef2d..53e8de44ae 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
++++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -120,6 +120,7 @@ def get_valid_files(data_dir):
+ "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
+ 
"issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
+ "issue_ghsa_g9xm_7538_mq8w_poc.mov",
++ "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
+ "pocIssue283.jpg",
+ "poc_1522.jp2",
+ "xmpsdk.xmp",
+diff --git a/tests/suite.conf b/tests/suite.conf
+index c2bf1741e8..249a97fa93 100644
+--- a/tests/suite.conf
++++ b/tests/suite.conf
+@@ -41,6 +41,7 @@ jpegparsetest: ${ENV:exiv2_path}/jpegparsetest
+ kerOffsetOutOfRange: Offset out of range
+ kerFailedToReadImageData: Failed to read image data
+ kerInputDataReadFailed: Failed to read input data
++kerImageWriteFailed: Failed to write image
+ kerCorruptedMetadata: corrupted image metadata
+ kerInvalidMalloc: invalid memory allocation request
+ kerInvalidTypeValue: invalid type in tiff structure
diff --git a/2-bugfix-for-CVE-2025-26623.patch b/2-bugfix-for-CVE-2025-26623.patch
new file mode 100644
index 0000000..7a14e49
--- /dev/null
+++ b/2-bugfix-for-CVE-2025-26623.patch
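Review bot: The regression test `TiffSubIfd_use_after_free` and the new `test_regression_allfiles.py` entry both depend on `test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff`, which the patch's own diffstat and `create mode 100644` lines announce (`Bin 0 -> 603 bytes`), yet none of the 68 lines carried here is a binary section for that file, so applying this patch can never create the PoC and the test will fail on a missing input if the suite is ever run. Either regenerate the patch with `git format-patch --binary` (and make sure %prep applies it with something that understands git binary diffs, e.g. `%autosetup -S git -p1`, since GNU patch does not) or ship the PoC as a separate `SourceN:` copied into `test/data` in %prep. The test also hard-codes `$kerImageWriteFailed` / `retval = [1]` as the post-fix outcome of `exiv2 -q fi` on the PoC and that message key is only defined by the `suite.conf` hunk, so the three pieces must stay together. As carried, the package build still succeeds but the CVE fix is not actually exercised.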
@@ -0,0 +1,79 @@
+From facce628f3622764e91a8161f89ade8cb34bc120 Mon Sep 17 00:00:00 2001
+From: Rosen Penev
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev
+(cherry picked from commit ebff8b48820b96c786cfddbf0bebb395cb1317d7)
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp | 6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 95ce450c7d..3e6e93d5c5 100644
+--- a/src/tiffcomposite_int.cpp
++++ b/src/tiffcomposite_int.cpp
+@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+ storage_(rhs.storage_) {
+ }
+
++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
++}
++
++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
++}
++
++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
++ TiffEntryBase(rhs),
++ cfgSelFct_(rhs.cfgSelFct_),
++ arraySet_(rhs.arraySet_),
++ arrayCfg_(rhs.arrayCfg_),
++ arrayDef_(rhs.arrayDef_),
++ defSize_(rhs.defSize_),
++ setSize_(rhs.setSize_),
++ origData_(rhs.origData_),
++ origSize_(rhs.origSize_),
++ pRoot_(rhs.pRoot_) {
++}
++
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+ return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 4506a4dca0..307e0bd9e3 100644
+--- a/src/tiffcomposite_int.hpp
++++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffDirectory(const TiffDirectory&) = default;
++ TiffDirectory(const TiffDirectory& rhs);
+ //@}
+
+ //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffSubIfd(const TiffSubIfd&) = default;
++ TiffSubIfd(const TiffSubIfd& rhs);
+ TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+ //@}
+
+@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffBinaryArray(const TiffBinaryArray&) = default;
++ TiffBinaryArray(const TiffBinaryArray& rhs);
+ //@}
+
+ //! @name Protected Manipulators
diff --git a/exiv2.spec b/exiv2.spec
index d041ee8..cad5dd0 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 Summary: Exif and Iptc metadata manipulation library
 Name: exiv2
@@ -9,6 +9,8 @@ License: GPLv2+
 URL: http://www.exiv2.org/
 Source0: https://github.com/Exiv2/exiv2/archive/refs/tags/v%{version}.tar.gz
+Patch1: 1-bugfix-for-CVE-2025-26623.patch
+Patch2: 2-bugfix-for-CVE-2025-26623.patch
 BuildRequires: cmake
 BuildRequires: expat-devel
 BuildRequires: gcc-c++
@@ -95,6 +97,9 @@ BuildArch: noarch
 %changelog
+* Thu Jul 03 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 0.28.2-2
+- Fix CVE-2025-26623
+
 * Wed Feb 14 2024 Funda Wang - 0.28.2-1
 - New version 0.28.2
-- Gitee
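Review bot: Nothing in the three re-added constructors, nor in the unchanged `//! Copy constructor (used to implement clone()).` header comments, records why they must not go back to `= default`, which is exactly the cleanup (afb2d998) that produced this use-after-free and that the next reader of three seemingly redundant member-wise constructors will be tempted to repeat. The initializer lists in `tiffcomposite_int.cpp` copy only `hasNext_`, `newGroup_` and the `TiffBinaryArray` configuration plus `origData_`/`origSize_`/`pRoot_`, so whatever other members each class has — by the commit message, raw-pointer state the object owns — are left at their defaults in the clone rather than shared; the class bodies are outside this hunk, so confirm which members are skipped before wording the comment. I would change each header comment to `//! Copy constructor (used to implement clone()). Deliberately does NOT copy owned child pointers; never replace with = default (CVE-2025-26623, GHSA-38h4-fx85-qcx7).` and annotate `origData_(rhs.origData_)` and `pRoot_(rhs.pRoot_)` with `// non-owning, intentionally shared with rhs` if that is indeed their ownership. `TiffSubIfd` keeps `operator=(const TiffSubIfd&) = delete;` but these hunks show no such deletion for `TiffDirectory` or `TiffBinaryArray`; if their copy-assignment is still implicitly defaulted it would shallow-copy the same pointer members the constructors now avoid, which is worth checking in the full header.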
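Review bot: `Patch1:`/`Patch2:` are declared, but the diff gives no evidence they are applied: `%prep` is outside the hunk, and if it still uses plain `%setup` or an `%autosetup` without `-p1` the declarations are inert and the package ships 0.28.2 with CVE-2025-26623 unfixed while the changelog says otherwise. Confirm `%prep` contains `%autosetup -p1` or explicit `%patch1 -p1` / `%patch2 -p1` lines; both patches use `a/`/`b/` path prefixes, so `-p1` is required. Patch1 is a test-only change whose binary PoC is not carried in the patch text, so consider whether it belongs in the package at all, or add a `%check` that runs the added regression test so the fix is actually exercised at build time.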