!85 [sync] PR-83: Fix CVE-2025-26623

From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2022-3755.patch

@@ -1,28 +0,0 @@
-From 789ec5408f885709eef0a820416658b6e3882c0c Mon Sep 17 00:00:00 2001
-From: qz_cx <wangqingzheng@kylinos.cn>
-Date: Mon, 31 Oct 2022 15:13:45 +0800
-Subject: [PATCH] Credit to
- OSS-Fuzz:https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52382
-
-Avoid null pointer deref #2384
- Merged
-kevinbackhouse merged 2 commits into Exiv2
----
- src/quicktimevideo.cpp | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/quicktimevideo.cpp b/src/quicktimevideo.cpp
-index 335d884..ef1a6e5 100644
---- a/src/quicktimevideo.cpp
-+++ b/src/quicktimevideo.cpp
-@@ -915,6 +915,7 @@ namespace Exiv2 {
-             }
- 
-             else if(equalsQTimeTag(buf, "CMbo") || equalsQTimeTag(buf, "Cmbo")) {
-+		enforce(tv, Exiv2::ErrorCode::kerCorruptedMetadata);
-                 io_->read(buf.pData_, 2);
-                 buf.pData_[2] = '\0' ;
-                 tv_internal = find(cameraByteOrderTags, Exiv2::toString( buf.pData_));
--- 
-2.33.0
-

CVE-2022-3756.patch

@@ -1,30 +0,0 @@
-From be374cc6cd51906eaacc7a4f77c9ac37ea7c69c7 Mon Sep 17 00:00:00 2001
-From: qz_cx <wangqingzheng@kylinos.cn>
-Date: Mon, 31 Oct 2022 14:29:31 +0800
-Subject: [PATCH] Avoid potential integer overflow.
-
-Merge pull request #2347 from kevinbackhouse/quicktimevideo-size-calc
-
-Avoid potential integer overflow in QuickTimeVideo::userDataDecoder
-@kevinbackhouse
-kevinbackhouse committed on 7 Sep
----
- src/quicktimevideo.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/quicktimevideo.cpp b/src/quicktimevideo.cpp
-index 335d884..9b80947 100644
---- a/src/quicktimevideo.cpp
-+++ b/src/quicktimevideo.cpp
-@@ -895,7 +895,7 @@ namespace Exiv2 {
- 
-             tv = find(userDataReferencetags, Exiv2::toString( buf.pData_));
- 
--            if(size == 0 || (size - 12) <= 0)
-+	    if (size <= 12)
-                 break;
- 
-             else if(equalsQTimeTag(buf, "DcMD")  || equalsQTimeTag(buf, "NCDT"))
--- 
-2.33.0
-

CVE-2025-26623.patch

@@ -0,0 +1,80 @@
+From ebff8b48820b96c786cfddbf0bebb395cb1317d7 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+Origin: https://github.com/Exiv2/exiv2/commit/ebff8b48820b96c786cfddbf0bebb395cb1317d7
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp |  6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 07c9a6c843..f4bb5037bd 100644
+--- a/src/tiffcomposite_int.cpp
++++ b/src/tiffcomposite_int.cpp
+@@ -124,6 +124,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+     storage_(rhs.storage_) {
+ }
+ 
++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
++}
++
++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
++}
++
++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
++    TiffEntryBase(rhs),
++    cfgSelFct_(rhs.cfgSelFct_),
++    arraySet_(rhs.arraySet_),
++    arrayCfg_(rhs.arrayCfg_),
++    arrayDef_(rhs.arrayDef_),
++    defSize_(rhs.defSize_),
++    setSize_(rhs.setSize_),
++    origData_(rhs.origData_),
++    origSize_(rhs.origSize_),
++    pRoot_(rhs.pRoot_) {
++}
++
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+   return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 0e28aba912..01d5109a59 100644
+--- a/src/tiffcomposite_int.hpp
++++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffDirectory(const TiffDirectory&) = default;
++  TiffDirectory(const TiffDirectory& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffSubIfd(const TiffSubIfd&) = default;
++  TiffSubIfd(const TiffSubIfd& rhs);
+   TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+   //@}
+ 
+@@ -1334,7 +1334,7 @@ class TiffBinaryArray : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffBinaryArray(const TiffBinaryArray&) = default;
++  TiffBinaryArray(const TiffBinaryArray& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators

backport-CVE-2024-39695.patch

@@ -0,0 +1,54 @@
+From 3a28346db5ae1735a8728fe3491b0aecc1dbf387 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Thu, 4 Jul 2024 00:04:32 +0100
+Subject: [PATCH] Credit to OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68210 Use readOrThrow()
+ to detect premature EOF.
+
+(cherry picked from commit fc1fe453a246cb8e188bbc226b48b339d5f81580)
+---
+ src/asfvideo.cpp | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/asfvideo.cpp b/src/asfvideo.cpp
+index ab1ad4a591..1cec3854c9 100644
+--- a/src/asfvideo.cpp
++++ b/src/asfvideo.cpp
+@@ -238,7 +238,7 @@ void AsfVideo::readMetadata() {
+ 
+ AsfVideo::HeaderReader::HeaderReader(const BasicIo::UniquePtr& io) : IdBuf_(GUID) {
+   if (io->size() >= io->tell() + GUID + QWORD) {
+-    IdBuf_ = io->read(GUID);
++    io->readOrThrow(IdBuf_.data(), IdBuf_.size(), Exiv2::ErrorCode::kerCorruptedMetadata);
+ 
+     size_ = readQWORDTag(io);
+     if (size_ >= GUID + QWORD)
+@@ -296,7 +296,7 @@ void AsfVideo::decodeBlock() {
+ 
+ void AsfVideo::decodeHeader() {
+   DataBuf nbHeadersBuf(DWORD + 1);
+-  io_->read(nbHeadersBuf.data(), DWORD);
++  io_->readOrThrow(nbHeadersBuf.data(), DWORD, Exiv2::ErrorCode::kerCorruptedMetadata);
+ 
+   uint32_t nb_headers = Exiv2::getULong(nbHeadersBuf.data(), littleEndian);
+   Internal::enforce(nb_headers < std::numeric_limits<uint32_t>::max(), Exiv2::ErrorCode::kerCorruptedMetadata);
+@@ -358,7 +358,8 @@ void AsfVideo::DegradableJPEGMedia() {
+ }
+ 
+ void AsfVideo::streamProperties() {
+-  DataBuf streamTypedBuf = io_->read(GUID);
++  DataBuf streamTypedBuf(GUID);
++  io_->readOrThrow(streamTypedBuf.data(), streamTypedBuf.size(), Exiv2::ErrorCode::kerCorruptedMetadata);
+ 
+   enum class streamTypeInfo { Audio = 1, Video = 2 };
+   auto stream = static_cast<streamTypeInfo>(0);
+@@ -476,7 +477,8 @@ void AsfVideo::contentDescription() {
+ }  // AsfVideo::extendedContentDescription
+ 
+ void AsfVideo::fileProperties() {
+-  DataBuf FileIddBuf = io_->read(GUID);
++  DataBuf FileIddBuf(GUID);
++  io_->readOrThrow(FileIddBuf.data(), FileIddBuf.size(), Exiv2::ErrorCode::kerCorruptedMetadata);
+   xmpData()["Xmp.video.FileID"] = GUIDTag(FileIddBuf.data()).to_string();
+   xmpData()["Xmp.video.FileLength"] = readQWORDTag(io_);
+   xmpData()["Xmp.video.CreationDate"] = readQWORDTag(io_);

exiv2.spec

@@ -1,18 +1,19 @@
 Name:    exiv2
-Version: 0.27.5
+Version: 0.28.2
-Release: 4
+Release: 3
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
-Source0: https://github.com/Exiv2/exiv2/archive/refs/tags/v%{version}.tar.gz
+Source0: https://github.com/Exiv2/exiv2/archive/v%{version}/%{name}-%{version}.tar.gz
-Patch0001:  CVE-2022-3755.patch
+# https://github.com/Exiv2/exiv2/commit/3a28346db5ae1735a8728fe3491b0aecc1dbf387
-Patch0002:  CVE-2022-3756.patch
+Patch3000: backport-CVE-2024-39695.patch
+Patch3001: CVE-2025-26623.patch
 
-Provides: exiv2-libs
+Provides: exiv2-libs = %{version}-%{release} 
-Obsoletes: exiv2-libs
+Obsoletes: exiv2-libs < %{version}-%{release} 
 
-BuildRequires: cmake expat-devel gcc-c++ gettext pkgconfig
+BuildRequires: cmake expat-devel gcc-c++ gettext pkgconfig brotli-devel
-BuildRequires: doxygen graphviz libxslt zlib-devel chrpath
+BuildRequires: doxygen graphviz libxslt zlib-devel chrpath inih-devel
 
 %description
 Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata.
@@ -45,7 +46,7 @@ make doc
 %install
 %make_install
 %find_lang exiv2 --with-man
-chrpath -d %{buildroot}%{_libdir}/libexiv2.so.0.27.5
+chrpath -d %{buildroot}%{_libdir}/libexiv2.so.0.28.2
 chrpath -d %{buildroot}%{_bindir}/%{name}
 
 
@@ -60,10 +61,8 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %doc doc/ChangeLog
 %license COPYING
 %{_bindir}/exiv2
-%{_libdir}/libexiv2.so.27*
+%{_libdir}/libexiv2.so.28*
 %{_libdir}/libexiv2.so.%{version}
-%exclude %{_libdir}/pkgconfig/exiv2.lsm
-%exclude %{_libdir}/libxmp.a
 
 %files devel
 %defattr(-,root,root)
@@ -71,7 +70,6 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_libdir}/libexiv2.so
 %{_includedir}/exiv2/
 %{_libdir}/cmake/exiv2/
-%{_libdir}/libexiv2-xmp.a
 
 %files help
 %defattr(-,root,root)
@@ -79,6 +77,21 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_pkgdocdir}/
 
 %changelog
+* Mon Feb 24 2025 wangkai <13474090681@163.com> - 0.28.2-3
+- Fix CVE-2025-26623
+
+* Tue Jul 09 2024 yaoxin <yao_xin001@hoperun.com> - 0.28.2-2
+- Fix CVE-2024-39695
+
+* Sat Feb 17 2024 yaoxin <yao_xin001@hoperun.com> - 0.28.2-1
+- Upgrade to 0.28.2 for fix CVE-2024-25112 and CVE-2024-24826
+
+* Thu Nov 09 2023 yaoxin <yao_xin001@hoperun.com> - 0.28.1-1
+- Upgrade to 0.28.1 for fix CVE-2023-44398
+
+* Sat Sep 2 2023 liyanan <thistleslyn@163.com> - 0.28.0-1
+- Upgrade to version 0.28.0
+
 * Thu Mar 2 2023 liyanan <liyanan32@h-partners.com> - 0.27.5-4
 - Remove rpath