path: root/meta/recipes-multimedia
Commit message | Author | Age | Files | Lines
* libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 | Vijay Anusuri | 2024-04-05 | 6 | -0/+541
  import patches from ubuntu to fix CVE-2023-6277 CVE-2023-52356
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security
  Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
  & https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa
  & https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3
  & https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a
  & https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
  (From OE-Core rev: 15abae1f6a9861e28ce35b015cb3ddc434f9fca4)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libtiff: Fix for CVE-2023-6228 | Vijay Anusuri | 2024-01-21 | 2 | -0/+31
  Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
  (From OE-Core rev: ff66998ef81dbc35465e30eec96ee9be51f5da80)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* flac: Backport fix for CVE-2021-0561 | Vijay Anusuri | 2023-12-29 | 2 | -0/+35
  Upstream-Status: Backport [https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]
  (From OE-Core rev: 9b2cd2d5e0dac297b3a1779e6720e0ee2a3de168)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsndfile: fix CVE-2021-4156 heap out-of-bounds read in src/flac.c in flac_buffer_copy | Vivek Kumbhar | 2023-12-21 | 2 | -0/+31
  Upstream-Status: Backport from https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc
  (From OE-Core rev: d922a288f79834d8f1120a4454b97803290e5c36)
  Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c | Vivek Kumbhar | 2023-12-08 | 2 | -1/+48
  (From OE-Core rev: f9cc32ed3c67c8fe60debbc23b579e120038b2e9)
  Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: backport Debian patch to fix CVE-2022-40090 | Vijay Anusuri | 2023-12-01 | 2 | -0/+549
  import patch from ubuntu to fix CVE-2022-40090
  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches?h=ubuntu/focal-security
  Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41]
  (From OE-Core rev: 999af9858676a0f5112ef3a9d9156be349f90cb4)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libwebp: Fix CVE-2023-4863 | Soumya Sambu | 2023-11-17 | 3 | -17/+66
  Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
  Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863.
  CVE: CVE-2023-4863
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-4863
  https://security-tracker.debian.org/tracker/CVE-2023-4863
  https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
  (From OE-Core rev: b69bef1169cb33c153384be81845eaf903dc1570)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: backport Debian patch to fix CVE-2023-41175 | Vijay Anusuri | 2023-11-17 | 2 | -0/+68
  Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz
  Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
  Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175
  (From OE-Core rev: ef66190f834fde453af431cc2aadebac82b7e5b5)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: Security fix for CVE-2023-40745 | Hitendra Prajapati | 2023-11-17 | 2 | -0/+35
  Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5
  (From OE-Core rev: d282b85cf69ecfbce12224428c713cd0dc639ced)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: CVE patch correction for CVE-2023-3576 | Vijay Anusuri | 2023-11-17 | 3 | -3/+4
  - The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576
  - Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
  - Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576 https://security-tracker.debian.org/tracker/CVE-2023-3618
  (From OE-Core rev: 56088368bdd22a939b813c7aefd5ba475c6d4021)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libwebp: Update CVE ID CVE-2023-4863 | Pawan | 2023-10-20 | 1 | -1/+8
  Notice that it references different CVE id: https://nvd.nist.gov/vuln/detail/CVE-2023-5129
  which was marked as a rejected duplicate of: https://nvd.nist.gov/vuln/detail/CVE-2023-4863
  but it's the same issue. Hence update CVE ID CVE-2023-4863 to CVE-2023-5129.patch.
  (From OE-Core rev: 7dce529515baa843ba3e5c89b2ad605b9845c59b)
  Signed-off-by: Pawan <badganchipv@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libtiff: Add fix for tiffcrop CVE-2023-1916 | Marek Vasut | 2023-10-20 | 2 | -0/+92
  Add fix for tiffcrop tool CVE-2023-1916 [1].
  A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
  The tool is no longer part of newer libtiff distributions, hence the fix is rejected by upstream in [2]. The backport is still applicable to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3].
  [1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916
  [2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535
  [3] https://packages.ubuntu.com/source/focal-updates/tiff
  (From OE-Core rev: 28ad0fdd30f490612aca6cc96ee503e5f92360a8)
  Signed-off-by: Marek Vasut <marex@denx.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libwebp: Fix CVE-2023-5129 | Colin McAllister | 2023-10-04 | 2 | -0/+365
  Add patch from libwebp 1.1.0 to fix CVE-2023-5129.
  (From OE-Core rev: 2ab6568d35e3d68f77a73bf56eb2d38aa6ada236)
  Signed-off-by: Colin McAllister <colinmca242@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* flac: fix CVE-2020-22219 | Michael Opdenacker | 2023-09-29 | 2 | -0/+198
  Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.
  (From OE-Core rev: 87d92cb3d20c2686caddaa29cd17e18850ad9484)
  Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Tested-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774 | Chee Yang Lee | 2023-08-27 | 1 | -1/+1
  The same patch also fix CVE-2022-4645 CVE-2023-30774
  CVE-2022-4645 - https://gitlab.com/libtiff/libtiff/-/issues/277
  CVE-2023-30774 - https://gitlab.com/libtiff/libtiff/-/issues/463
  (From OE-Core rev: 8a4f312ef3751ecf8b3fe2ac719477c7d9c967d2)
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix multiple CVEs | Hitendra Prajapati | 2023-08-16 | 5 | -0/+177
  Backport fixes for:
  * CVE-2023-2908 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f
  * CVE-2023-3316 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536
  * CVE-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8
  (From OE-Core rev: 4929d08cefac9ae2ebbdf94ccdc51a0f67f28164)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix multiple CVEs | Hitendra Prajapati | 2023-08-16 | 5 | -0/+396
  Backport fixes for:
  * CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
  * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38
  * CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport from import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
  (From OE-Core rev: 3d322227477f9e82fc22de6e896174d04513d72b)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpng: Add ptest for libpng | Nikhil R | 2023-07-22 | 2 | -2/+42
  libpng is a platform-independent library which supports all PNG features.
  This ptest executes the below binaries, parses the png image and prints the image features.
  1. pngfix - provides information about PNG image copyrights details.
  2. pngtest - tests, optimizes and optionally fixes the zlib header in PNG files.
  3. pngstest - verifies the integrity of PNG image by dumping chunk level information.
  4. timepng - provides details about PNG image chunks.
  (From OE-Core rev: 843803bcc248b18cdefb29d610a1371e32e815ce)
  Signed-off-by: Nikhil R <nikhil.r@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libwebp: Fix CVE-2023-1999 | Nikhil R | 2023-06-17 | 2 | -0/+59
  Add patch to fix CVE-2023-1999
  Link: https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129
  (From OE-Core rev: c1f8a40b65d72c8fdd2f4ae77fa4e682184c8891)
  Signed-off-by: Nikhil R <nikhil.r@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: Fix CVE-2022-48434 | Nikhil R | 2023-06-13 | 2 | -0/+137
  Add a patch to fix CVE-2022-48434 which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances
  Link: https://ubuntu.com/security/CVE-2022-48434
  Link: https://nvd.nist.gov/vuln/detail/CVE-2022-48434
  (From OE-Core rev: 51c8ffc49d03b231ce76fa00f923e5f3f833f6fc)
  Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
  Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
  Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
  Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix for CVE-2022-3341 | Bhabu Bindu | 2023-04-19 | 2 | -0/+68
  avformat/nutdec: Add check for avformat_new_stream
  Check for failure of avformat_new_stream() and propagate the error code.
  Upstream-Status: Backport [https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=bba70ce34115151362bfdc49a545ee708eb297ca]
  (From OE-Core rev: e17ddd0fafb562ed7ebe7708dac9bcef2d6cecc1)
  (From OE-Core rev: 0c68435a7c0ff1c417119dbd408e75443c09afcb)
  Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit bba70ce34115151362bfdc49a545ee708eb297ca)
  Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tiff: fix multiple CVEs | Chee Yang Lee | 2023-03-14 | 8 | -0/+1429
  import patches from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz
  fix multiple CVEs: CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3970 CVE-2022-48281 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
  (From OE-Core rev: a6859c967e6e0079dd197fc36844b862938f4eed)
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: Fix CVE-2022-3109 | Bhabu Bindu | 2023-02-13 | 2 | -0/+42
  Add patch to fix CVE-2022-3109
  Link: https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568
  (From OE-Core rev: a626228a4be4c52c9d3f43eb1756c1defc22a5e4)
  Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-plugins-good: fix several CVE | Chee Yang Lee | 2022-09-16 | 6 | -0/+413
  backport fix for: CVE-2022-1920 CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122
  also set ignore at gstreamer1.0_1.16.3.bb
  (From OE-Core rev: c852d3e6742fe82b9f4ec84b077d6e1b0bfd021e)
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fixes CVE-2022-1354 and CVE-2022-1355 | Yi Zhao | 2022-09-16 | 3 | -0/+276
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2022-1354
  https://security-tracker.debian.org/tracker/CVE-2022-1354
  https://nvd.nist.gov/vuln/detail/CVE-2022-1355
  https://security-tracker.debian.org/tracker/CVE-2022-1355
  Patches from:
  CVE-2022-1354: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
  CVE-2022-1355: https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2
  (From OE-Core rev: 6c373c041f1dd45458866408d1ca16d47cacbd86)
  (From OE-Core rev: 8414d39f3f89cc1176bd55c9455ad942db8ea4b1)
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix for CVE-2022-2867/8/9 | Virendra Thakur | 2022-09-16 | 2 | -0/+160
  Add Patch to fix CVE-2022-2867, CVE-2022-2868 CVE-2022-2869
  (From OE-Core rev: 67df7488bf66183ffdb9f497f00ad291b79210d3)
  Signed-off-by: Virendra Thakur <virendrak@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: CVE-2022-34526 A stack overflow was discovered | Hitendra Prajapati | 2022-09-03 | 2 | -0/+30
  Source: https://gitlab.com/libtiff/libtiff
  MR: 120545
  Type: Security Fix
  Disposition: Backport from https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990
  ChangeID: 4c781586f7aba27420a7adc0adc597cc68495387
  Description: CVE-2022-34526 libtiff: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit.
  (From OE-Core rev: 462d4a55a460c60a7b8c36fe3899e66f13835761)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0: use the correct meson option for the capabilities | Jose Quaresma | 2022-08-18 | 1 | -1/+1
  (From OE-Core rev: ac6ea1a96645d2a4dd54660256603f0b191bb4d3)
  Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit baeab0f51ecc19fb85101c4bd472f0650231d0de)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By Zero Error | Hitendra Prajapati | 2022-08-08 | 2 | -0/+184
  Source: https://gitlab.com/libtiff/libtiff
  MR: 119341
  Type: Security Fix
  Disposition: Backport from https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab
  ChangeID: 6cea4937a34a618567a42cef8c41961ade2f3a07
  Description: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 libTiff: DoS from Divide By Zero Error.
  (From OE-Core rev: 429c2c89b65b8e226d4e0d6f94d43300989c143e)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* alsa-plugins: fix libavtp vs. avtp packageconfig | Marcel Ziswiler | 2022-06-22 | 1 | -1/+1
  Fix PACKAGECONFIG to refer to libavtp instead of avtp as this is what the project and everything is really called everywhere.
  (From OE-Core rev: a1b73bc6ba90fb079e514e4eeda8e231a950b9f4)
  Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8824d91fe2063195014c38c134b97946d3b429c2)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: Fix for CVE-2022-1475 | Virendra Thakur | 2022-06-04 | 2 | -0/+37
  Add patch to fix CVE-2022-1475
  (From OE-Core rev: 2a97ba89f236b751b333622fbbc14180e9b72245)
  Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Add patches to fix multiple CVEs | Ranjitsinh Rathod | 2022-05-20 | 6 | -0/+267
  Add patches to fix below CVE issues CVE-2022-0865 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924
  (From OE-Core rev: 7c71434832caf6a15f8fb884d028a8c1bf4090a9)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix CVE-2022-0891 | sana kazi | 2022-05-03 | 2 | -0/+218
  Fix CVE-2022-0891 for tiff
  Link: https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0891.patch/
  (From OE-Core rev: 512a8b30c816d2c9d85af7d7a1850b0450f1b6f4)
  Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
  Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Add backports for two CVEs from upstream | sana kazi | 2022-03-11 | 3 | -0/+60
  Based on commit from master
  (From OE-Core rev: a5bb7cc568d5da3633f3854295b0ebe46a2dd863)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 6ae14b4ff7a655b48c6d99ac565d12bf8825414f)
  Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
  Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix for CVE-2022-22844 | Purushottam Choudhary | 2022-03-02 | 2 | -0/+53
  Backport patch from: https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64
  (From OE-Core rev: 68b59e37d25ead5aaf68d24c6a55b7d1864203fa)
  Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
  Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* speex: fix CVE-2020-23903 | Kai Kang | 2022-01-25 | 2 | -1/+33
  Backport patch to fix CVE-2020-23903.
  CVE: CVE-2020-23903
  (From OE-Core rev: 6afe9d7d0381b593c0b1e434c48008c7fa62750c)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit b8f56e5e9eef32c1e01742f913e205d93548de1f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0: fix failing ptest | Anuj Mittal | 2021-12-30 | 2 | -0/+34
  Backport a patch to increase the timeout that might help with the intermittent seek test failure.
  [YOCTO #14194]
  [YOCTO #14669]
  (From OE-Core rev: a7dc7a35334ad634926a1386f4a56b27aad3ce68)
  (From OE-Core rev: a3fe157cfd965d46d7ba30df92a0e80b5ab24a1f)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 7b90027aac9fa41b3dc98765151d761df8dabb97)
  Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Add explict branch to git SRC_URIs, handle github url changes | Steve Sakoman | 2021-11-11 | 2 | -2/+2
  This update was made with the convert-scruri.py script in scripts/contrib
  This script handles two emerging issues:
  1. There is uncertainty about the default branch name in git going forward. To try and cover the different possible outcomes, add branch names to all git:// and gitsm:// SRC_URI entries.
  2. Github are dropping support for git:// protocol fetching, so remap github urls as needed. For more details see: https://github.blog/2021-09-01-improving-git-protocol-security-github/
  (From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: Add fix for CVEs | Saloni | 2021-10-23 | 3 | -1/+117
  Add fix for below CVE:
  CVE-2021-3566 Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
  CVE-2021-38291 Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
  (From OE-Core rev: 89df45b9e69a0d5c62a7e05156bc0d3fc85c77fd)
  Signed-off-by: Saloni Jain <jainsaloni0918@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsamplerate0: Set correct soname for 0.1.9 | Tom Pollard | 2021-10-07 | 2 | -0/+14
  Manually patch SHARED_VERSION_INFO, which was missed in the 0.1.9 release and later incorrectly fixed until 0.2.1
  (From OE-Core rev: eb637a677dfed8680d680349e616a358795a7d56)
  Signed-off-by: Tom Pollard <tom.pollard@codethink.co.uk>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit cb2e8efd316d44b9b1453882114856e0eb7b3500)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsndfile: Security fix for CVE-2021-3246 | Armin Kuster | 2021-09-30 | 3 | -0/+82
  Source: https://github.com/libsndfile/libsndfile
  MR: 112098
  Type: Security Fix
  Disposition: Backport from https://github.com/libsndfile/libsndfile/pull/713
  ChangeID: 10d137de063b7a1e543ee96fbcf948945a452869
  Description:
  (From OE-Core rev: f999bac187a935821f8580f3c5b1d08107ba9851)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer: ignore CVE-2021-3497, CVE-2021-3498, and CVE-2021-3522 | Steve Sakoman | 2021-08-10 | 1 | -0/+9
  CPE entries for gst-plugins-* are listed as gstreamer issues so we need to ignore the false hits for the CVEs we've patched in plugins recipes
  (From OE-Core rev: 55140153e66f13a2d8a673a48f6c21e293415e56)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed" | Steve Sakoman | 2021-08-10 | 1 | -4/+0
  Change is correct but should be in gstreamer recipe not gstreamer-plugins-base
  This reverts commit f32e90a7f8918aacda61ef6176eb1655742045b4.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Revert "gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed" | Steve Sakoman | 2021-08-10 | 1 | -5/+0
  Change is correct but should be in gstreamer recipe not gstreamer-plugins-good
  This reverts commit d853e2bde1ea083f8438e8d7a80f041196d2e38d.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed | Steve Sakoman | 2021-07-20 | 1 | -0/+5
  CPE entries for gst-plugins-good are listed as gstreamer issues so we need to ignore the false hits for the two CVEs we've patched
  (From OE-Core rev: d853e2bde1ea083f8438e8d7a80f041196d2e38d)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed | Steve Sakoman | 2021-07-20 | 1 | -0/+4
  CPE entries for gst-plugins-base are listed as gstreamer issues so we need to ignore the false hit for the CVE we've patched
  (From OE-Core rev: f32e90a7f8918aacda61ef6176eb1655742045b4)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer-plugins-base: fix CVE-2021-3522 | Minjae Kim | 2021-07-10 | 2 | -0/+37
  Out-of-bounds read in ID3v2 tag parsing
  reference: https://gstreamer.freedesktop.org/security/sa-2021-0001.html
  (From OE-Core rev: 8cab9d3dd226e854d40e12df497456adc3d3f81d)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer-plugins-good: fix CVE-2021-3497 CVE-2021-3498 | Lee Chee Yang | 2021-06-19 | 3 | -0/+253
  (From OE-Core rev: 865ef7d3cdc6645720762153d87771c6c4da31cf)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Add fix for CVE-2020-35521 and CVE-2020-35522 | akash hadke | 2021-06-03 | 4 | -0/+297
  Added fix for CVE-2020-35521 and CVE-2020-35522
  Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch
  Added below support patches for CVE-2020-35521 and CVE-2020-35522
  1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
  Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch
  2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
  Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch
  (From OE-Core rev: 03a65159093e0b2df4bc867c873b5c43721b9a9c)
  Signed-off-by: akash hadke <akash.hadke@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Exclude CVE-2015-7313 from cve-check | Richard Purdie | 2021-05-20 | 1 | -0/+4
  Some fix upstream addresses the issue, it isn't clear which change this was. Our current version doesn't have issues with the test image though so we can exclude.
  (From OE-Core rev: 256f6be93eed82c7db8a76b1038e105331c0009f)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 3874da694ae1d9de06dd003bd80705205e2b033b)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>