[Buildroot] [git commit branch/2025.02.x] package/exiv2: security bump version to 0.28.7
Thomas Perale
thomas.perale at mind.be
Thu Sep 11 15:43:24 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=b5f3d090f97824654851bf19e93511c1cf43e63b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.02.x
Changelog:
https://exiv2.org/whatsnew.html
https://github.com/Exiv2/exiv2/blob/v0.28.7/doc/ChangeLog
Release notes of 0.28.0 with a long list of security-related fixes:
https://github.com/Exiv2/exiv2/issues/2406#issuecomment-1529139799
0.28.1 fixed CVE-2023-44398: https://github.com/Exiv2/exiv2/issues/2813
0.28.2 fixed CVE-2024-24826 & CVE-2024-25112:
https://github.com/Exiv2/exiv2/issues/2914
0.28.3 fixed CVE-2024-39695: https://github.com/Exiv2/exiv2/issues/3008
0.28.5 fixed CVE-2025-26623: https://github.com/Exiv2/exiv2/issues/3181
0.28.6 fixed
* [CVE-2025-54080](https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39)
* [CVE-2025-55304](https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g)
Please read https://github.com/Exiv2/exiv2/issues/2406 for the discussion
of whether these CVEs are relevant and of the status of their backporting
to the 0.27.x branch.
Removed patch which is included in this release.
Switch to github helper due to upstream not providing tarballs anymore.
Added optional support for inih:
https://github.com/Exiv2/exiv2/commit/43c9ec0f5095d92e2dd748c6c0b6f7ae4e6c73bf
and brotli:
https://github.com/Exiv2/exiv2/commit/557a5cebd52ced79d11080089d8e2874126fb038
both introduced in the 0.28.x branch.
Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 5e99e8a38282dbd810450c4be0156ea77e4c6e04)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
...001-add-BUILD_WITH_STACK_PROTECTOR-option.patch | 54 ----------------------
package/exiv2/Config.in | 12 +++++
package/exiv2/exiv2.hash | 2 +-
package/exiv2/exiv2.mk | 19 ++++++--
4 files changed, 29 insertions(+), 58 deletions(-)
diff --git a/package/exiv2/0001-add-BUILD_WITH_STACK_PROTECTOR-option.patch b/package/exiv2/0001-add-BUILD_WITH_STACK_PROTECTOR-option.patch
deleted file mode 100644
index 18684ebbfa..0000000000
--- a/package/exiv2/0001-add-BUILD_WITH_STACK_PROTECTOR-option.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 4bb57da5fb0bb0d7e747b9e325e9ec0876ffc1f9 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice at gmail.com>
-Date: Sat, 31 Jul 2021 16:36:50 +0200
-Subject: [PATCH] add BUILD_WITH_STACK_PROTECTOR option
-
-Add BUILD_WITH_STACK_PROTECTOR to avoid the following build failure with
-toolchains that don't support stack-protector:
-
-/home/buildroot/autobuild/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/mipsel-buildroot-linux-uclibc/9.3.0/../../../../mipsel-buildroot-linux-uclibc/bin/ld: utils.cpp:(.text._ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPcEEvT_S7_St20forward_iterator_tag[_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPcEEvT_S7_St20forward_iterator_tag]+0xd0): undefined reference to `__stack_chk_fail'
-
-Indeed, support for -fstack-protector-strong can't be detected through
-check_cxx_compiler_flag as some toolchains need to link with -lssp to
-enable SSP support
-
-Fixes:
- - http://autobuild.buildroot.org/results/ae4635899124c602c70d2b342a76f95c34aa4a3d
-
-Upstream: https://github.com/Exiv2/exiv2/commit/f31c0eba098889899d29b7b0da830aee2b62a7b8
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
----
- CMakeLists.txt | 1 +
- cmake/compilerFlags.cmake | 4 ++--
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 6f0da06a..0746ee14 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -47,6 +47,7 @@ mark_as_advanced(
- EXIV2_TEAM_USE_SANITIZERS
- )
-
-+option( BUILD_WITH_STACK_PROTECTOR "Build with stack protector" ON )
- option( BUILD_WITH_CCACHE "Use ccache to speed up compilations" OFF )
- option( BUILD_WITH_COVERAGE "Add compiler flags to generate coverage stats" OFF )
-
-diff --git a/cmake/compilerFlags.cmake b/cmake/compilerFlags.cmake
-index 35faf501..0a646e50 100644
---- a/cmake/compilerFlags.cmake
-+++ b/cmake/compilerFlags.cmake
-@@ -33,8 +33,8 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Linux, APPLE, CYGWIN
- endif()
- if(HAS_FCF_PROTECTION)
- add_compile_options(-fcf-protection)
-- endif()
-- if(HAS_FSTACK_PROTECTOR_STRONG)
-+ endif()
-+ if(BUILD_WITH_STACK_PROTECTOR AND HAS_FSTACK_PROTECTOR_STRONG)
- add_compile_options(-fstack-protector-strong)
- endif()
- endif()
---
-2.31.1
-
diff --git a/package/exiv2/Config.in b/package/exiv2/Config.in
index 8407c25b41..c65e484b2e 100644
--- a/package/exiv2/Config.in
+++ b/package/exiv2/Config.in
@@ -20,6 +20,18 @@ config BR2_PACKAGE_EXIV2
if BR2_PACKAGE_EXIV2
+config BR2_PACKAGE_EXIV2_BROTLI
+ bool "Brotli support"
+ select BR2_PACKAGE_BROTLI
+ help
+ Build with Brotli support for JPEG XL
+
+config BR2_PACKAGE_EXIV2_INIH
+ bool "Inih support"
+ select BR2_PACKAGE_INIH
+ help
+ Build with inih support
+
config BR2_PACKAGE_EXIV2_PNG
bool "PNG image support"
select BR2_PACKAGE_ZLIB
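Review bot: The help text of BR2_PACKAGE_EXIV2_INIH (`Build with inih support`) only restates the prompt, so someone configuring an image cannot tell what the option changes. Upstream appears to use inih to parse exiv2's ini-style configuration file, which should be confirmed against the linked upstream commit; if so, the help could read `Build with inih support, used to read the exiv2 configuration file.` The Brotli help could likewise say that it adds a decompressor to the JPEG XL parsing path, which matters where exiv2 handles untrusted images. Both options default to off, which keeps the extra parsing code opt-in.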
diff --git a/package/exiv2/exiv2.hash b/package/exiv2/exiv2.hash
index c871277801..1c85f2e1db 100644
--- a/package/exiv2/exiv2.hash
+++ b/package/exiv2/exiv2.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 4c192483a1125dc59a3d70b30d30d32edace9e14adf52802d2f853abf72db8a6 exiv2-0.27.6-Source.tar.gz
+sha256 5e292b02614dbc0cee40fe1116db2f42f63ef6b2ba430c77b614e17b8d61a638 exiv2-0.28.7.tar.gz
sha256 a7ba75cb966aca374711e2af49e5f3aea6a4443a803440f5d93e73a5a1222f66 COPYING
diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
index 869f8e48dd..e5b55ecde7 100644
--- a/package/exiv2/exiv2.mk
+++ b/package/exiv2/exiv2.mk
@@ -4,9 +4,8 @@
#
################################################################################
-EXIV2_VERSION = 0.27.6
-EXIV2_SOURCE = exiv2-$(EXIV2_VERSION)-Source.tar.gz
-EXIV2_SITE = https://github.com/Exiv2/exiv2/releases/download/v$(EXIV2_VERSION)
+EXIV2_VERSION = 0.28.7
+EXIV2_SITE = $(call github,Exiv2,exiv2,v$(EXIV2_VERSION))
EXIV2_INSTALL_STAGING = YES
EXIV2_LICENSE = GPL-2.0+
EXIV2_LICENSE_FILES = COPYING
@@ -16,6 +15,20 @@ EXIV2_CONF_OPTS += \
-DBUILD_WITH_STACK_PROTECTOR=OFF \
-DEXIV2_BUILD_SAMPLES=OFF
+ifeq ($(BR2_PACKAGE_EXIV2_BROTLI),y)
+EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BROTLI=ON
+EXIV2_DEPENDENCIES += brotli
+else
+EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BROTLI=OFF
+endif
+
+ifeq ($(BR2_PACKAGE_EXIV2_INIH),y)
+EXIV2_CONF_OPTS += -DEXIV2_ENABLE_INIH=ON
+EXIV2_DEPENDENCIES += inih
+else
+EXIV2_CONF_OPTS += -DEXIV2_ENABLE_INIH=OFF
+endif
+
ifeq ($(BR2_PACKAGE_EXIV2_LENSDATA),y)
EXIV2_CONF_OPTS += -DEXIV2_ENABLE_LENSDATA=ON
else
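Review bot: The `-DBUILD_WITH_STACK_PROTECTOR=OFF` context line at the top of this hunk loses its only recorded rationale, because this commit deletes 0001-add-BUILD_WITH_STACK_PROTECTOR-option.patch. Without that explanation the line reads as hardening being switched off. I would add a comment above the `EXIV2_CONF_OPTS +=` assignment, for example `# SSP flags are presumably supplied by Buildroot (BR2_SSP_*); exiv2's own detection fails to link on toolchains without SSP`. The assignment starts outside the hunk, so the placement and the wording about where the flags come from need checking against the full file. The new brotli and inih blocks pass an explicit ON or OFF in both branches, so the build cannot silently pick up either library.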