summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
Commit message (Collapse)AuthorAgeFilesLines
* libtiff: Fix for CVE-2023-6228Vijay Anusuri2024-01-212-0/+31
| | | | | | | | | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a] (From OE-Core rev: ff66998ef81dbc35465e30eec96ee9be51f5da80) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: backport Debian patch to fix CVE-2022-40090Vijay Anusuri2023-12-012-0/+549
| | | | | | | | | | | | | | import patch from ubuntu to fix CVE-2022-40090 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41] (From OE-Core rev: 999af9858676a0f5112ef3a9d9156be349f90cb4) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: backport Debian patch to fix CVE-2023-41175Vijay Anusuri2023-11-172-0/+68
| | | | | | | | | | | | Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175 (From OE-Core rev: ef66190f834fde453af431cc2aadebac82b7e5b5) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: Security fix for CVE-2023-40745Hitendra Prajapati2023-11-172-0/+35
| | | | | | | | | Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5 (From OE-Core rev: d282b85cf69ecfbce12224428c713cd0dc639ced) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: CVE patch correction for CVE-2023-3576Vijay Anusuri2023-11-173-3/+4
| | | | | | | | | | | | | - The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576 - Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch - Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576 https://security-tracker.debian.org/tracker/CVE-2023-3618 (From OE-Core rev: 56088368bdd22a939b813c7aefd5ba475c6d4021) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libtiff: Add fix for tiffcrop CVE-2023-1916Marek Vasut2023-10-202-0/+92
| | | | | | | | | | | | | | | | | | | | | | | Add fix for tiffcrop tool CVE-2023-1916 [1]. A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. The tool is no longer part of newer libtiff distributions, hence the fix is rejected by upstream in [2]. The backport is still applicable to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3]. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916 [2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535 [3] https://packages.ubuntu.com/source/focal-updates/tiff (From OE-Core rev: 28ad0fdd30f490612aca6cc96ee503e5f92360a8) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774Chee Yang Lee2023-08-271-1/+1
| | | | | | | | | | | The same patch also fix CVE-2022-4645 CVE-2023-30774 CVE-2022-4645 - https://gitlab.com/libtiff/libtiff/-/issues/277 CVE-2023-30774 - https://gitlab.com/libtiff/libtiff/-/issues/463 (From OE-Core rev: 8a4f312ef3751ecf8b3fe2ac719477c7d9c967d2) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix multiple CVEsHitendra Prajapati2023-08-165-0/+177
| | | | | | | | | | | | Backport fixes for: * CVE-2023-2908 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f * CVE-2023-3316 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 * CVE-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 (From OE-Core rev: 4929d08cefac9ae2ebbdf94ccdc51a0f67f28164) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix multiple CVEsHitendra Prajapati2023-08-165-0/+396
| | | | | | | | | | | | | Backport fixes for: * CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 * CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport from import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] (From OE-Core rev: 3d322227477f9e82fc22de6e896174d04513d72b) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix multiple CVEsChee Yang Lee2023-03-148-0/+1429
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | import patches from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz fix multiple CVEs: CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3970 CVE-2022-48281 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 (From OE-Core rev: a6859c967e6e0079dd197fc36844b862938f4eed) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fixes CVE-2022-1354 and CVE-2022-1355Yi Zhao2022-09-163-0/+276
| | | | | | | | | | | | | | | | | | | | | | | | | | | | References: https://nvd.nist.gov/vuln/detail/CVE-2022-1354 https://security-tracker.debian.org/tracker/CVE-2022-1354 https://nvd.nist.gov/vuln/detail/CVE-2022-1355 https://security-tracker.debian.org/tracker/CVE-2022-1355 Patches from: CVE-2022-1354: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798 CVE-2022-1355: https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2 (From OE-Core rev: 6c373c041f1dd45458866408d1ca16d47cacbd86) (From OE-Core rev: 8414d39f3f89cc1176bd55c9455ad942db8ea4b1) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix for CVE-2022-2867/8/9Virendra Thakur2022-09-162-0/+160
| | | | | | | | | | | Add Patch to fix CVE-2022-2867, CVE-2022-2868 CVE-2022-2869 (From OE-Core rev: 67df7488bf66183ffdb9f497f00ad291b79210d3) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: CVE-2022-34526 A stack overflow was discoveredHitendra Prajapati2022-09-032-0/+30
| | | | | | | | | | | | | | | | Source: https://gitlab.com/libtiff/libtiff MR: 120545 Type: Security Fix Disposition: Backport from https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990 ChangeID: 4c781586f7aba27420a7adc0adc597cc68495387 Description: CVE-2022-34526 libtiff: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit. (From OE-Core rev: 462d4a55a460c60a7b8c36fe3899e66f13835761) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By Zero ErrorHitendra Prajapati2022-08-082-0/+184
| | | | | | | | | | | | | | | | Source: https://gitlab.com/libtiff/libtiff MR: 119341 Type: Security Fix Disposition: Backport from https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab ChangeID: 6cea4937a34a618567a42cef8c41961ade2f3a07 Description: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 libTiff: DoS from Divide By Zero Error. (From OE-Core rev: 429c2c89b65b8e226d4e0d6f94d43300989c143e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Add patches to fix multiple CVEsRanjitsinh Rathod2022-05-206-0/+267
| | | | | | | | | | | | | | | | Add patches to fix below CVE issues CVE-2022-0865 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 (From OE-Core rev: 7c71434832caf6a15f8fb884d028a8c1bf4090a9) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix CVE-2022-0891sana kazi2022-05-032-0/+218
| | | | | | | | | | | | | Fix CVE-2022-0891 for tiff Link: https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0891.patch/ (From OE-Core rev: 512a8b30c816d2c9d85af7d7a1850b0450f1b6f4) Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Add backports for two CVEs from upstreamsana kazi2022-03-113-0/+60
| | | | | | | | | | | | | Based on commit from master (From OE-Core rev: a5bb7cc568d5da3633f3854295b0ebe46a2dd863) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 6ae14b4ff7a655b48c6d99ac565d12bf8825414f) Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix for CVE-2022-22844Purushottam Choudhary2022-03-022-0/+53
| | | | | | | | | | | | Backport patch from: https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64 (From OE-Core rev: 68b59e37d25ead5aaf68d24c6a55b7d1864203fa) Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Add fix for CVE-2020-35521 and CVE-2020-35522akash hadke2021-06-034-0/+297
| | | | | | | | | | | | | | | | | | | Added fix for CVE-2020-35521 and CVE-2020-35522 Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch Added below support patches for CVE-2020-35521 and CVE-2020-35522 1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch 2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch (From OE-Core rev: 03a65159093e0b2df4bc867c873b5c43721b9a9c) Signed-off-by: akash hadke <akash.hadke@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Exclude CVE-2015-7313 from cve-checkRichard Purdie2021-05-201-0/+4
| | | | | | | | | | | | Some fix upstream addresses the issue, it isn't clear which change this was. Our current version doesn't have issues with the test image though so we can exclude. (From OE-Core rev: 256f6be93eed82c7db8a76b1038e105331c0009f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3874da694ae1d9de06dd003bd80705205e2b033b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix CVE-2020-35523 CVE-2020-35524Lee Chee Yang2021-05-204-0/+136
| | | | | | | | (From OE-Core rev: 84239e11227bc0b0e2e6d3b2faa7a9ee63025dd1) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* recipes-multimedia: Add missing HOMEPAGE and DESCRIPTION for recipes.Meh Mbeh Ida Delphine2021-03-181-0/+4
| | | | | | | | | | | | Fixes: [YOCTO #13471] (From OE-Core rev: 70d05a262924979403d5c70ba8dc5a5f65dfcac3) Signed-off-by: Ida Delphine <idadelm@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 312994268bb68a012a61c99e1c3697e8de60a2ce) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: update to 4.1.0Alexander Kanavin2019-11-215-654/+3
| | | | | | | | | Drop backported patches. (From OE-Core rev: e5ecf2604e5b8c957eb3bae21fb3c9b2b1b7e12f) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: fix CVE-2019-17546Joe Slater2019-10-312-0/+104
| | | | | | | | | | Apply unmodified patch from upstream. (From OE-Core rev: 844e7aa217f5ecf46766a07d46f9d7f083668e8e) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix CVE-2019-14973Trevor Gamblin2019-10-022-1/+418
| | | | | | | | | | | CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973 Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c (From OE-Core rev: b57304c1afb73a698a1c40a017d433e4d81a8df2) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix CVE-2019-7663Ross Burton2019-07-162-1/+79
| | | | | | | (From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix CVE-2019-6128Ross Burton2019-07-162-1/+54
| | | | | | | (From OE-Core rev: 7293e417dd9bdd04fe0fec177a76c9286234ed46) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: remove redundant patchRoss Burton2019-07-162-28/+1
| | | | | | | | | The patching to make the new libtool work (from 2008) is no longer needed. (From OE-Core rev: 4210fafa851d011023f5a58ed3887148168f861c) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: update to 4.0.10Alexander Kanavin2018-11-239-679/+16
| | | | | | | (From OE-Core rev: 92a2e6dc73085ccb5482986c6b61d40992fb4f50) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: fix CVE-2017-17095Joe Slater2018-10-042-0/+47
| | | | | | | | | | | Backport fix from gitlab.com/libtiff/libtiff. nvd.nist.gov does not yet reference this patch. (From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: security fix CVE-2018-7456Joe Slater2018-07-262-0/+179
| | | | | | | | | | NULL pointer use as described at nvd.nist.gov/vuln/detail/CVE-2018-7456. (From OE-Core rev: 122da5cec495fc8ddfd880327e7c3ed0dc70e04f) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: security fix CVE-2018-8905Joe Slater2018-07-262-0/+62
| | | | | | | | | | Buffer overflow described at nvd.nits.gov/vuln/detail/CVE-2018-8905. (From OE-Core rev: 3f6f2a0619b4e243e6a9e52cee2cdd625ebf6769) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: security fix CVE-2018-10963Joe Slater2018-07-182-0/+40
| | | | | | | | | | Denial of service described at https://nvd.nist.gov/vuln/detail/CVE-2018-10963. (From OE-Core rev: d19a9b41d3b2dcba3b102a8289b7787b4b131e96) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fixesYi Zhao2018-03-254-0/+340
| | | | | | | | | | | | | | | | | | | | | | | Fix CVE-2017-99935, CVE-2017-18013, CVE-2018-5784 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9935 https://nvd.nist.gov/vuln/detail/CVE-2017-18013 https://nvd.nist.gov/vuln/detail/CVE-2018-5784 Patches from: CVE-2017-9935: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2017-18013: https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 CVE-2018-5784: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef (From OE-Core rev: 798b6b4b3ce370264d036e555185a99ce3aa97b7) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix multilib header conflict - tiffconf.hZhang Xiao2018-03-151-1/+5
| | | | | | | | | | Header file conflict between 32-bit and 64-bit versions. (From OE-Core rev: 53f320797765b5f184a83cd065f9b5e454ee14e3) Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: refresh patchesRoss Burton2018-03-111-4/+4
| | | | | | | | | | | | | | | | | | | | | The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. (From OE-Core rev: 8d4dd42cf39ac33e2479cb4f9f833701d68cea62) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: refresh patchesRoss Burton2018-03-091-4/+4
| | | | | | | | | | | | | | | | | | | | | The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. (From OE-Core rev: 65155f3719051aae2a2e716c719b78ee7ca1bb29) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: 4.0.8 -> 4.0.9Huang Qiyu2018-01-197-527/+2
| | | | | | | | | | | 1.Upgrade tiff from 4.0.8 to 4.0.9. 2.Delete CVE-2017-10688.patch, CVE-2017-11335.patch, CVE-2017-13726.patch, CVE-2017-13727.patch, CVE-2017-9147.patch, CVE-2017-9936.patch, since it is integrated upstream. (From OE-Core rev: df894b523d74f8fd723d1c8fb03f55e46c6af0f5) Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2017-13726 and CVE-2017-13727Yi Zhao2017-09-223-0/+121
| | | | | | | | | | | | | | | | | | | References: https://nvd.nist.gov/vuln/detail/CVE-2017-13726 https://nvd.nist.gov/vuln/detail/CVE-2017-13727 Patches from: CVE-2017-13726: https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e CVE-2017-13727: https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc (From OE-Core rev: 8dc9d74b7e6816f59eb61dcda6a93c0753a5e4ab) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fixesYi Zhao2017-08-235-0/+404
| | | | | | | | | | | | | | | | | | | | | | | | | Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 (From OE-Core rev: 5c89539edb17d01ffe82a1b2e7d092816003ecf3) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: Upgrade to 4.0.8Fan Xin2017-06-092-95/+2
| | | | | | | | | | | | | 1. Upgrade libtiff from 4.0.7 to 4.0.8 2. Delete the following patch file due to CVE-2017-5225 has been fixed in 4.0.8 libtiff-CVE-2017-5225.patch (From OE-Core rev: 825927e85933322e6f195f0d937359017a9a9b97) Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: Security Advisory - libtiff - CVE-2017-5225Li Zhou2017-01-312-0/+93
| | | | | | | | | | | | | | Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. Porting patch from <https://github.com/vadz/libtiff/commit/ 5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225. (From OE-Core rev: 434990304bdfb70441b399ff8998dbe3fe1b1e1f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: Update to 4.0.7Armin Kuster2016-12-1320-2221/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html (From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: set CVE_PRODUCTRoss Burton2016-12-131-1/+1
| | | | | | | | | This is 'libtiff' in NVD. (From OE-Core rev: 0c8d1523f3ad0ada2d1b8f9abffbc2b898a744ca) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix several CVE issuesMingli Yu2016-12-082-0/+282
| | | | | | | | | | | | | | | | | | | | Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537 External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537 Patch from: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f (From OE-Core rev: f75ecefee21ef89b147fff9afae01a6f09c93198) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9538Mingli Yu2016-12-082-0/+68
| | | | | | | | | | | | | | | | | * tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538 Patch from: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f (From OE-Core rev: 9af5d5ea882c853e4cb15006f990d3814eeea9ae) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9535Mingli Yu2016-12-083-0/+492
| | | | | | | | | | | | | | | | | | | | * libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: set CVE NAMERoss Burton2016-12-081-0/+2
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9539Zhixiong Chi2016-11-302-0/+61
| | | | | | | | | | | | | | | | | tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539 Patch from: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 (From OE-Core rev: 58bf0a237ca28459eb8c3afa030c0054f5bc1f16) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9540Zhixiong Chi2016-11-302-0/+61
| | | | | | | | | | | | | | | | | | tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540 Patch from: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 (From OE-Core rev: cc97dc66006c7892473e3b4790d05e12445bb927) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-06-24 22:03:50 +0000