Skip to content

Commit 395c8c7

Browse files
azurelinux-securityazurelinux-security
authored
[AutoPR- Security] Patch libexif for CVE-2026-40386, CVE-2026-40385 [MEDIUM] (#16635)
1 parent e98af8e commit 395c8c7

3 files changed

Lines changed: 83 additions & 1 deletion

File tree

SPECS/libexif/CVE-2026-40385.patch

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
From 4c475dc4c9020995382e342b24005330bcbcd1ef Mon Sep 17 00:00:00 2001
2+
From: Marcus Meissner <meissner@suse.de>
3+
Date: Fri, 3 Apr 2026 11:18:47 +0200
4+
Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
5+
6+
The addition o2 = datao + exif_get_long(buf + o2, n->order)
7+
could have overflowed on systems with 32bit unsigned int size_t.
8+
9+
This could have caused out of bound reads of data, leading to
10+
misparsing of exif / crashes.
11+
12+
Reported-By: Kerwin <kerwinxia66001@gmail.com>
13+
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
14+
Upstream-reference: https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58.patch
15+
---
16+
libexif/olympus/exif-mnote-data-olympus.c | 1 +
17+
1 file changed, 1 insertion(+)
18+
19+
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
20+
index 6067b9e..bdeb5a9 100644
21+
--- a/libexif/olympus/exif-mnote-data-olympus.c
22+
+++ b/libexif/olympus/exif-mnote-data-olympus.c
23+
@@ -382,6 +382,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
24+
o2 += 2;
25+
26+
/* Go to where the number of entries is. */
27+
+ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
28+
o2 = datao + exif_get_long (buf + o2, n->order);
29+
break;
30+
31+
--
32+
2.45.4
33+

SPECS/libexif/CVE-2026-40386.patch

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
From 4e39be50fea6fe55cc9d4dd719a947b4c8193c13 Mon Sep 17 00:00:00 2001
2+
From: Marcus Meissner <meissner@suse.de>
3+
Date: Thu, 2 Apr 2026 13:26:31 +0200
4+
Subject: [PATCH] fixed 2 unsigned integer underflows
5+
6+
this could cause crashes or data leaks.
7+
8+
Reported-by: Kerwin <kerwinxia66001@gmail.com>
9+
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
10+
Upstream-reference: https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b.patch
11+
---
12+
libexif/fuji/exif-mnote-data-fuji.c | 2 +-
13+
libexif/olympus/exif-mnote-data-olympus.c | 2 +-
14+
2 files changed, 2 insertions(+), 2 deletions(-)
15+
16+
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
17+
index e3af4e1..3f295d3 100644
18+
--- a/libexif/fuji/exif-mnote-data-fuji.c
19+
+++ b/libexif/fuji/exif-mnote-data-fuji.c
20+
@@ -68,7 +68,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns
21+
ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
22+
23+
if (!d || !val) return NULL;
24+
- if (i > n->count -1) return NULL;
25+
+ if (i >= n->count) return NULL;
26+
/*
27+
exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
28+
"Querying value for tag '%s'...",
29+
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
30+
index 3dbe1d3..6067b9e 100644
31+
--- a/libexif/olympus/exif-mnote-data-olympus.c
32+
+++ b/libexif/olympus/exif-mnote-data-olympus.c
33+
@@ -76,7 +76,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val,
34+
ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
35+
36+
if (!d || !val) return NULL;
37+
- if (i > n->count -1) return NULL;
38+
+ if (i >= n->count) return NULL;
39+
/*
40+
exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
41+
"Querying value for tag '%s'...",
42+
--
43+
2.45.4
44+

SPECS/libexif/libexif.spec

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,15 @@
11
Summary: Library for extracting extra information from image files
22
Name: libexif
33
Version: 0.6.24
4-
Release: 2%{?dist}
4+
Release: 3%{?dist}
55
License: LGPLv2+
66
Vendor: Microsoft Corporation
77
Distribution: Azure Linux
88
URL: https://libexif.github.io/
99
Source0: https://github.com/libexif/libexif/releases/download/v%{version}/%{name}-%{version}.tar.bz2
1010
Patch0: CVE-2026-32775.patch
11+
Patch1: CVE-2026-40385.patch
12+
Patch2: CVE-2026-40386.patch
1113
BuildRequires: doxygen
1214
BuildRequires: gcc
1315
BuildRequires: gettext-devel
@@ -71,6 +73,9 @@ iconv -f latin1 -t utf-8 < README > README.utf8; cp README.utf8 README
7173
%doc libexif-api.html
7274

7375
%changelog
76+
* Mon Apr 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.6.24-3
77+
- Patch for CVE-2026-40386, CVE-2026-40385
78+
7479
* Mon Mar 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.6.24-2
7580
- Patch for CVE-2026-32775
7681

0 commit comments

Comments
 (0)