| Commit message | Author | Age | Files | Lines |
| |
Set CVE_STATUS as none of the issues apply against the versions
used in the recipes.
(From OE-Core rev: cea8c8bf73e84133f566d1c2ca0637494f2d7afe)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
CVE-2023-52355:
An out-of-memory flaw was found in libtiff that could be
triggered by passing a crafted tiff file to the
TIFFRasterScanlineSize64() API. This flaw allows a remote
attacker to cause a denial of service via a crafted input
with a size smaller than 379 KB.
Issue fixed by providing a documentation update.
CVE-2023-52356:
A segmentation fault (SEGV) flaw was found in libtiff that could
be triggered by passing a crafted tiff file to the
TIFFReadRGBATileExt() API. This flaw allows a remote attacker
to cause a heap-buffer overflow, leading to a denial of service.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52355
https://security-tracker.debian.org/tracker/CVE-2023-52355
https://gitlab.com/libtiff/libtiff/-/issues/621
https://gitlab.com/libtiff/libtiff/-/merge_requests/553
https://nvd.nist.gov/vuln/detail/CVE-2023-52356
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
(From OE-Core rev: 831d7a2fffb3dec94571289292f0940bc7ecd70a)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
CVE-2023-6228:
An issue was found in the tiffcp utility distributed by the
libtiff package where a crafted TIFF file on processing may
cause a heap-based buffer overflow that leads to an application
crash.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-6228
https://gitlab.com/libtiff/libtiff/-/issues/606
(From OE-Core rev: 55735e0d75820d59e569a630679f9ac403c7fdbe)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: d115e17ad7775cf5bbfd402e98e61f362ac96efa)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 9e80f93ada4eae638350d86b8aa514203f757d43)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
libtiff: potential integer overflow in raw2tiff.c
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2235264
https://security-tracker.debian.org/tracker/CVE-2023-41175
https://gitlab.com/libtiff/libtiff/-/issues/592
(From OE-Core rev: 4ee806cbc12fbc830b09ba6222e96b1e5f24539f)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
libtiff: integer overflow in tiffcp.c
References:
https://security-tracker.debian.org/tracker/CVE-2023-40745
https://gitlab.com/libtiff/libtiff/-/issues/591
https://bugzilla.redhat.com/show_bug.cgi?id=2235265
(From OE-Core rev: c3d4fbeb51278a04a6800c894c681733ad2259ca)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
version
(From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE
updates.
(From OE-Core rev: 2200fde7011c4206382150c2602b2eb17423d45e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Fixes a bug where a buffer was used after a potential reallocation.
(From OE-Core rev: 48b8945fa570edcdf1e19ed4a4ca81c4416f1a6a)
Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
This patch fixes an issue in libtiff's LZWDecode function which could cause a null pointer dereference.
(From OE-Core rev: 7da5abf23232f61bf8009b4b8e97632768867e07)
Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Remove 0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
file from tiff as it was removed while upgrading tiff from
4.4.0 -> 4.5.0
(From OE-Core rev: c53abdb5ce9cdbfb0f9e48b64b800c45549d18a6)
Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Below patch fixes the CVE-2022-4645 as well.
0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-4645
(From OE-Core rev: 312393edf0aa5b2c515c08245d1c289ba79bad55)
Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: bf0cf66c10c95ddada595dd5a84b45235c09ebab)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The main reason for this is an issue with the latest libtiff update that causes
gtk4-native configure to fail in finding libtiff (while it builds just
fine for target).
By comparing libtiff-4.pc for native and target it turned out that
it links for native with zstd and libdeflate, probably because those libs
were found on my host system.
Adding PACKAGECONFIGs for the libs prevents us from taking them from the host.
(From OE-Core rev: ca2e2035b9d81a230a1a63f51b1300418e9b9ca6)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
tiff-native otherwise falsely detects webp if it's installed on the build
host. This ensures deterministic behavior regardless of host.
(From OE-Core rev: 718c44f282310b2ca85877fed706460ccc1eebea)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Drop all CVE backports.
License-Update: formatting
(From OE-Core rev: 9a255a3b114686b04bf54560c7485552ec3b438c)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
This patch contains a fix for CVE-2022-3970.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3970
https://security-tracker.debian.org/tracker/CVE-2022-3970
Patch generated from:
https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
(From OE-Core rev: 668ff495ac44e5b6d9e1af15d3861b5c2b4dfcd1)
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The CVE number in the patch is a typo. CVE-2022-2053 is not related to
libtiff. So fix it.
(From OE-Core rev: c9f76ef859b0b4edb83ac098816b625f52c78173)
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Backport fixes from upstream for the following CVEs:
- CVE-2022-3599
- CVE-2022-3597
- CVE-2022-3626
- CVE-2022-3627
- CVE-2022-3570
- CVE-2022-3598
(From OE-Core rev: 722bbb88777cc3c7d1c8273f1279fc18ba33e87c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: aa018b5bec49c06e64a493a413f42558a17947cf)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: ade918f1e904ecab2c74358ca874c6b9594de2f0)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: a84538dbe760fed94cfe22a39b0a6f95c61c307d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Drop all CVE backports.
(From OE-Core rev: ec3897659a046e7e3f652cabd04e98bb56f1b261)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
We never depended upon libjbig so this was never present. Add the
PACKAGECONFIG to make this explicit.
CVE-2022-1210 is an issue in libjbig so we don't have a problem there;
mark as such.
(From OE-Core rev: 34e6a19f2430ee2fd0fec4bec1891e898a0d9766)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
These issues only affect libtiff post-4.3.0 but before 4.4.0, caused by
3079627e and fixed by b4e79bfa.
(From OE-Core rev: 49e93892a37d1a2af2b0a155117441e978385e4c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
As far as I can tell, the patches being applied also fix CVE-2022-1056 so
mark as such.
(From OE-Core rev: 256d212fd1eb9b6d4b87c2c84b1ea2a3afdeb843)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Backport fixes for the following CVEs:
- CVE-2022-0865
- CVE-2022-0891
- CVE-2022-0907
- CVE-2022-0908
- CVE-2022-0909
- CVE-2022-0924
(From OE-Core rev: 2fe35de73cfa8de444d7ffb24246e8f87c36ee8d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 6ae14b4ff7a655b48c6d99ac565d12bf8825414f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: daf2880b7431aa641e02ebba8cbca40d81389088)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Some fix upstream addresses the issue; it isn't clear which change this was. Our
current version doesn't have issues with the test image though, so we can exclude it.
(From OE-Core rev: 3874da694ae1d9de06dd003bd80705205e2b033b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 702c5c7973c77c51d5ce8de11e73c708c55927a3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Fixes: [YOCTO #13471]
(From OE-Core rev: 312994268bb68a012a61c99e1c3697e8de60a2ce)
Signed-off-by: Ida Delphine <idadelm@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 9c2c01607929f9aed8d606ef4e049a435d8fe6f2)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Doxygen in meta-oe has recently been extended for nativesdk. Doxygen is
often used together with mscgen which in turn depends indirectly on
tiff (via gd library).
(From OE-Core rev: 929cf038ec0f49e86d9ab0ec7e012320598ceb81)
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Drop backported patches.
(From OE-Core rev: e5ecf2604e5b8c957eb3bae21fb3c9b2b1b7e12f)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Apply unmodified patch from upstream.
(From OE-Core rev: 844e7aa217f5ecf46766a07d46f9d7f083668e8e)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973
Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c
(From OE-Core rev: b57304c1afb73a698a1c40a017d433e4d81a8df2)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 7293e417dd9bdd04fe0fec177a76c9286234ed46)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The patching to make the new libtool work (from 2008) is no longer needed.
(From OE-Core rev: 4210fafa851d011023f5a58ed3887148168f861c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 92a2e6dc73085ccb5482986c6b61d40992fb4f50)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Backport fix from gitlab.com/libtiff/libtiff.
nvd.nist.gov does not yet reference this patch.
(From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
NULL pointer use as described at nvd.nist.gov/vuln/detail/CVE-2018-7456.
(From OE-Core rev: 122da5cec495fc8ddfd880327e7c3ed0dc70e04f)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Buffer overflow described at nvd.nist.gov/vuln/detail/CVE-2018-8905.
(From OE-Core rev: 3f6f2a0619b4e243e6a9e52cee2cdd625ebf6769)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Denial of service described at https://nvd.nist.gov/vuln/detail/CVE-2018-10963.
(From OE-Core rev: d19a9b41d3b2dcba3b102a8289b7787b4b131e96)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-5784
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9935
https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
Patches from:
CVE-2017-9935:
https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
CVE-2017-18013:
https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
CVE-2018-5784:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
(From OE-Core rev: 798b6b4b3ce370264d036e555185a99ce3aa97b7)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Header file conflict between 32-bit and 64-bit versions.
(From OE-Core rev: 53f320797765b5f184a83cd065f9b5e454ee14e3)
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>