!85 [sync] PR-83: Fix CVE-2025-26623

From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2025-02-24 06:25:59 +00:00 · 2025-02-24 06:25:59 +00:00 · 3a6c9716e6
commit 3a6c9716e6
parent 1ad8667c42 3d62e894e3
2 changed files with 85 additions and 1 deletions
--- a/CVE-2025-26623.patch
+++ b/CVE-2025-26623.patch
@ -0,0 +1,80 @@
+From ebff8b48820b96c786cfddbf0bebb395cb1317d7 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+Origin: https://github.com/Exiv2/exiv2/commit/ebff8b48820b96c786cfddbf0bebb395cb1317d7
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp |  6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 07c9a6c843..f4bb5037bd 100644
+--- a/src/tiffcomposite_int.cpp
+++ b/src/tiffcomposite_int.cpp
+@@ -124,6 +124,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+     storage_(rhs.storage_) {
+ }
+ 
+TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
+}
+
+TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
+}
+
+TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
+    TiffEntryBase(rhs),
+    cfgSelFct_(rhs.cfgSelFct_),
+    arraySet_(rhs.arraySet_),
+    arrayCfg_(rhs.arrayCfg_),
+    arrayDef_(rhs.arrayDef_),
+    defSize_(rhs.defSize_),
+    setSize_(rhs.setSize_),
+    origData_(rhs.origData_),
+    origSize_(rhs.origSize_),
+    pRoot_(rhs.pRoot_) {
+}
+
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+   return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 0e28aba912..01d5109a59 100644
+--- a/src/tiffcomposite_int.hpp
+++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffDirectory(const TiffDirectory&) = default;
+  TiffDirectory(const TiffDirectory& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffSubIfd(const TiffSubIfd&) = default;
+  TiffSubIfd(const TiffSubIfd& rhs);
+   TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+   //@}
+ 
+@@ -1334,7 +1334,7 @@ class TiffBinaryArray : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffBinaryArray(const TiffBinaryArray&) = default;
+  TiffBinaryArray(const TiffBinaryArray& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,12 +1,13 @@
 Name:    exiv2
 Version: 0.28.2
-Release: 2
+Release: 3
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
 Source0: https://github.com/Exiv2/exiv2/archive/v%{version}/%{name}-%{version}.tar.gz
 # https://github.com/Exiv2/exiv2/commit/3a28346db5ae1735a8728fe3491b0aecc1dbf387
 Patch3000: backport-CVE-2024-39695.patch
+Patch3001: CVE-2025-26623.patch

 Provides: exiv2-libs = %{version}-%{release} 
 Obsoletes: exiv2-libs < %{version}-%{release} 
@ -76,6 +77,9 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_pkgdocdir}/

 %changelog
+* Mon Feb 24 2025 wangkai <13474090681@163.com> - 0.28.2-3
+- Fix CVE-2025-26623
+
 * Tue Jul 09 2024 yaoxin <yao_xin001@hoperun.com> - 0.28.2-2
 - Fix CVE-2024-39695