diff --git a/CVE-2025-26623.patch b/CVE-2025-26623.patch
new file mode 100644
index 0000000000000000000000000000000000000000..17cad1892314348405faf68cd321c266d09d3f79
--- /dev/null
+++ b/CVE-2025-26623.patch
@@ -0,0 +1,80 @@
+From ebff8b48820b96c786cfddbf0bebb395cb1317d7 Mon Sep 17 00:00:00 2001
+From: Rosen Penev
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+Origin: https://github.com/Exiv2/exiv2/commit/ebff8b48820b96c786cfddbf0bebb395cb1317d7
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp | 6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 07c9a6c843..f4bb5037bd 100644
+--- a/src/tiffcomposite_int.cpp
++++ b/src/tiffcomposite_int.cpp
+@@ -124,6 +124,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+ storage_(rhs.storage_) {
+ }
+
++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
++}
++
++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
++}
++
++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
++ TiffEntryBase(rhs),
++ cfgSelFct_(rhs.cfgSelFct_),
++ arraySet_(rhs.arraySet_),
++ arrayCfg_(rhs.arrayCfg_),
++ arrayDef_(rhs.arrayDef_),
++ defSize_(rhs.defSize_),
++ setSize_(rhs.setSize_),
++ origData_(rhs.origData_),
++ origSize_(rhs.origSize_),
++ pRoot_(rhs.pRoot_) {
++}
++
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+ return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 0e28aba912..01d5109a59 100644
+--- a/src/tiffcomposite_int.hpp
++++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffDirectory(const TiffDirectory&) = default;
++ TiffDirectory(const TiffDirectory& rhs);
+ //@}
+
+ //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffSubIfd(const TiffSubIfd&) = default;
++ TiffSubIfd(const TiffSubIfd& rhs);
+ TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+ //@}
+
+@@ -1334,7 +1334,7 @@ class TiffBinaryArray : public TiffEntryBase {
+ //! @name Protected Creators
+ //@{
+ //! Copy constructor (used to implement clone()).
+- TiffBinaryArray(const TiffBinaryArray&) = default;
++ TiffBinaryArray(const TiffBinaryArray& rhs);
+ //@}
+
+ //! @name Protected Manipulators
diff --git a/exiv2.spec b/exiv2.spec
index 741dfc48e134de7936a5795a515988faab7256f2..ad065af6028d9d53a16277849a9a11791923ef63 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,12 +1,13 @@ Name: exiv2 Version: 0.28.2 -Release: 2 +Release: 3 Summary: Exif, IPTC and XMP metadata and the ICC Profile License: GPLv2+ URL: http://www.exiv2.org/ Source0: https://github.com/Exiv2/exiv2/archive/v%{version}/%{name}-%{version}.tar.gz # https://github.com/Exiv2/exiv2/commit/3a28346db5ae1735a8728fe3491b0aecc1dbf387 Patch3000: backport-CVE-2024-39695.patch +Patch3001: CVE-2025-26623.patch Provides: exiv2-libs = %{version}-%{release} Obsoletes: exiv2-libs < %{version}-%{release}
@@ -76,6 +77,9 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %{_pkgdocdir}/ %changelog +* Mon Feb 24 2025 wangkai <13474090681@163.com> - 0.28.2-3 +- Fix CVE-2025-26623 + * Tue Jul 09 2024 yaoxin - 0.28.2-2 - Fix CVE-2024-39695
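Review bot: The three copy constructors restored in src/tiffcomposite_int.cpp carry no comment saying why they are written out member by member, and that is the form the reverted commit replaced with `= default`, which per the commit message led to use-after-free. Each initializer list copies only the base class and the members it names, so any raw-pointer members that own child components are presumably omitted on purpose; the class definitions are outside the hunk, so confirm which members those are. A comment above each definition, such as `// Deliberately not defaulted: raw pointers to child components must not be shared with the copy (CVE-2025-26623).`, would stop the same cleanup from being reapplied, and the `//! Copy constructor (used to implement clone()).` lines in tiffcomposite_int.hpp could say the same. `TiffBinaryArray` still copies `origData_` and `pRoot_` as-is; if these are non-owning pointers, the clone is only valid while whatever they point to stays alive, which deserves a line in the same comment.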
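Review bot: `Patch3001` is registered without the upstream-commit comment that `Patch3000` carries on the line above it, and the new file name drops the `backport-` prefix used by the existing patch. Adding `# https://github.com/Exiv2/exiv2/commit/ebff8b48820b96c786cfddbf0bebb395cb1317d7` above the new line keeps the spec auditable without opening the patch file. The `%prep` section is outside this hunk, so it is worth confirming that it applies every `PatchN` entry rather than listing patches one by one, otherwise the fix would be shipped in the source package but never applied to the build.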