From 0cfa79d8b8afa16e5fcb8d5d55b950b108c3ab95 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 24 Feb 2025 10:21:02 +0800
Subject: [PATCH] Fix CVE-2025-26623
---
 CVE-2025-26623.patch | 80 ++++++++++++++++++++++++++++++++++++++++++++
 exiv2.spec | 6 +++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-26623.patch
diff --git a/CVE-2025-26623.patch b/CVE-2025-26623.patch
new file mode 100644
index 0000000..17cad18
--- /dev/null
+++ b/CVE-2025-26623.patch
@@ -0,0 +1,80 @@
+From ebff8b48820b96c786cfddbf0bebb395cb1317d7 Mon Sep 17 00:00:00 2001
+From: Rosen Penev
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+Origin: https://github.com/Exiv2/exiv2/commit/ebff8b48820b96c786cfddbf0bebb395cb1317d7
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp | 6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 07c9a6c843..f4bb5037bd 100644
+--- a/src/tiffcomposite_int.cpp
++++ b/src/tiffcomposite_int.cpp
+@@ -124,6 +124,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+ storage_(rhs.storage_) {
+ }
+
++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
++}
++
++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
++}
++
++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
++ TiffEntryBase(rhs),
++ cfgSelFct_(rhs.cfgSelFct_),
++ arraySet_(rhs.arraySet_),
++ arrayCfg_(rhs.arrayCfg_),
++ arrayDef_(rhs.arrayDef_),
++ defSize_(rhs.defSize_),
++ setSize_(rhs.setSize_),
++ origData_(rhs.origData_),
++ origSize_(rhs.origSize_),
++ pRoot_(rhs.pRoot_) {
++}
++
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+ return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 0e28aba912..01d5109a59 100644
+--- a/src/tiffcomposite_int.hpp
++++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffDirectory(const TiffDirectory&) = default;
++ TiffDirectory(const TiffDirectory& rhs);
+ //@}
+
+ //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffSubIfd(const TiffSubIfd&) = default;
++ TiffSubIfd(const TiffSubIfd& rhs);
+ TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+ //@}
+
+@@ -1334,7 +1334,7 @@ class TiffBinaryArray : public TiffEntryBase {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffBinaryArray(const TiffBinaryArray&) = default;
++ TiffBinaryArray(const TiffBinaryArray& rhs);
+ //@}
+
+ //! @name Protected Manipulators
diff --git a/exiv2.spec b/exiv2.spec
index dac501f..275ee7e 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,11 +1,12 @@ Name: exiv2 Version: 0.28.3 -Release: 1 +Release: 2 Summary: Exif, IPTC and XMP metadata and the ICC Profile License: GPL-2.0-or-later AND BSD-3-Clause URL: https://www.exiv2.org/ VCS: https://github.com/Exiv2/exiv2/ Source0: https://github.com/Exiv2/exiv2/archive/refs/tags/v%{version}.tar.gz +Patch3000: CVE-2025-26623.patch Provides: exiv2-libs = %{version}-%{release} Obsoletes: exiv2-libs < %{version}-%{release}
@@ -63,6 +64,9 @@ This package provides head file,libraries for exiv2. %{_pkgdocdir}/ %changelog +* Mon Feb 24 2025 wangkai <13474090681@163.com> - 0.28.3-2 +- Fix CVE-2025-26623 + * Mon Sep 30 2024 Funda Wang - 0.28.3-1 - update to 0.28.3 -- Gitee
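Review bot: The three restored copy constructors in the embedded patch (`TiffDirectory`, `TiffSubIfd`, `TiffBinaryArray` in src/tiffcomposite_int.cpp) carry no comment saying why they are hand-written, and the header still documents them only as `//! Copy constructor (used to implement clone()).`. The commit message attributes the use-after-free to the defaulted versions and raw C pointers, so the member lists presumably leave some pointer-holding members uncopied on purpose; the class definitions are outside the hunks, so that needs confirming. A line above each definition, such as `// Deliberately not = default: memberwise copy of raw-pointer members led to use-after-free (CVE-2025-26623).`, would keep a later cleanup from reintroducing the defaulted form. `TiffBinaryArray` still copies `origData_` and `pRoot_` as-is; if those are raw pointers, a clone aliases the source's data and depends on its lifetime, which deserves the same kind of note.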
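Review bot: `Patch3000: CVE-2025-26623.patch` is declared in the first exiv2.spec hunk, but nothing visible touches `%prep`, and the diffstat for exiv2.spec (5 insertions, 1 deletion) is fully accounted for by the Release, Patch3000 and changelog lines. If `%prep` uses `%autosetup -p1` or `%autopatch`, the patch is applied automatically. If it uses `%setup` with explicit `%patch` lines, the fix is declared but never applied, and the 0.28.3-2 build would still ship the defaulted copy constructors. `%prep` is outside the hunks, so confirm which form it uses and add `%patch -P3000 -p1` if needed; checking the build log for the patch being applied is a cheap way to verify.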