path: root/meta/recipes-multimedia
Commit message | Author | Age | Files | Lines
* libtiff: Security Advisory - libtiff - CVE-2017-5225 | Li Zhou | 2017-01-31 | 2 | -0/+93
  Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.
  Porting patch from <https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225.
  (From OE-Core rev: 434990304bdfb70441b399ff8998dbe3fe1b1e1f)
  Signed-off-by: Li Zhou <li.zhou@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpng: Upgrade 1.6.26 -> 1.6.28 | Maxin B. John | 2017-01-26 | 1 | -4/+4
  This upgrade fixes the vulnerability: CVE-2016-10087
  License file changes are due to updates in Package Version and Copyright date. ie: 'libpng version 1.6.28, January 5, 2017'
  (From OE-Core rev: 94bb606b9f21b7fe4c5d7e9ae3fda17da047ece5)
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-base: disable ivorbis | Ross Burton | 2017-01-26 | 1 | -1/+1
  Even old hardware these days doesn't really need fixed-integer Vorbis decoding by default, so disable Tremor out of the box.
  (From OE-Core rev: 958926dd51d5e18ef983280a6e3b50fc8f33eb12)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tremor: Use mirror tarball instead of svn url | Richard Purdie | 2017-01-23 | 1 | -1/+6
  This is the only remaining svn url in OE-Core and building subversion-native for things like the url checker is wearing and slows down builds. Since this rarely changes, use the mirror tarball instead.
  (From OE-Core rev: 0be6f3b5a69a65107b49a90bee98815a5a7ac9d8)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* alsa-tools: 1.1.0 -> 1.1.3 | Tanu Kaskinen | 2017-01-23 | 2 | -78/+2
  Drop 0001-Cus428Midi-Explicitly-cast-constant-to-char-type.patch, because the new release has an equivalent fix (and that's actually the only change in the new release).
  (From OE-Core rev: df748d5b9f1cc0166cb8de5d770e001171cc3926)
  Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* alsa-utils(-scripts): fix compile on build machines with python-docutils installed | Andreas Müller | 2017-01-23 | 1 | -0/+6
  (From OE-Core rev: dca468b5977b9c2cb2268c32c92e8c41c586f172)
  Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* alsa-utils-scripts: update 1.1.2 -> 1.1.3 | Andreas Müller | 2017-01-23 | 1 | -0/+0
  (From OE-Core rev: d421cbe8e323e398852404a0fe3e11283e3bb61e)
  Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* alsa-utils: update 1.1.2 -> 1.1.3 | Andreas Müller | 2017-01-23 | 1 | -2/+2
  (From OE-Core rev: 307f4996eaad61c638cb69a04d0710c5db895ff9)
  Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* flac: 1.3.1 -> 1.3.2 | Tanu Kaskinen | 2017-01-23 | 1 | -6/+6
  Changelog: https://xiph.org/flac/changelog.html
  The license checksum changes are due to simple copyright year updates.
  (From OE-Core rev: 2383cfd61e7be076b2079f159a3df1d237d28bb8)
  Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Switch to Recipe Specific Sysroots | Richard Purdie | 2017-01-23 | 2 | -3/+3
  This patch is comparatively large and invasive. It does only do one thing, switching the system to build using recipe specific sysroots and where changes could be isolated from it, that has been done.
  With the current single sysroot approach, it's possible for software to find things which aren't in their dependencies. This leads to a determinism problem and is a growing issue in several of the market segments where OE makes sense. The way to solve this problem for OE is to have separate sysroots for each recipe and these will only contain the dependencies for that recipe.
  It's worth noting that this is not task specific sysroots and that OE's dependencies do vary enormously by task. This did result in some implementation challenges. There is nothing stopping the implementation of task specific sysroots at some later point based on this work but that was deemed a bridge too far right now.
  Implementation details:
  * Rather than installing the sysroot artefacts into a combined sysroots, they are now placed in TMPDIR/sysroot-components/PACKAGE_ARCH/PN.
  * WORKDIR/recipe-sysroot and WORKDIR/recipe-sysroot-native are built by hardlinking in files from the sysroot-component trees. These new directories are known as RECIPE_SYSROOT and RECIPE_SYSROOT_NATIVE.
  * This construction is primarily done by a new do_prepare_recipe_sysroot task which runs before do_configure and consists of a call to the extend_recipe_sysroot function.
  * Other tasks need things in the sysroot before/after this, e.g. do_patch needs quilt-native and do_package_write_deb needs dpkg-native. The code therefore inspects the dependencies for each task and adds extend_recipe_sysroot as a prefunc if it has populate_sysroot dependencies.
  * We have to do a search/replace 'fixme' operation on the files installed into the sysroot to change hardcoded paths into the correct ones. We create a fixmepath file in the component directory which lists the files which need this operation.
  * Some files have "postinstall" commands which need to run against them, e.g. gdk-pixbuf each time a new loader is added. These are handled by adding files in bindir with the name prefixed by "postinst-" and are run in each sysroot as it's created if they're present. This did mean most sstate postinstalls have to be rewritten but there shouldn't be many of them.
  * Since a recipe can have multiple tasks and these tasks can run against each other at the same time we have to have a lock when we perform write operations against the sysroot. We also have to maintain manifests of what we install against a task checksum of the dependency. If the checksum changes, we remove its files and then add the new ones.
  * The autotools logic for filtering the view of m4 files is no longer needed (and was the model for the way extend_recipe_sysroot works).
  * For autotools, we used to build a combined m4 macros directory which had both the native and target m4 files. We can no longer do this so we use the target sysroot as the default and add the native sysroot as an extra backup include path. If we don't do this, we'd have to build target pkg-config before we could build anything using pkg-config for example (ditto gettext). Such dependencies would be painful so we haven't required that.
  * PKGDATA_DIR was moved out of the sysroot and works as before using sstate to build a hybrid copy for each machine. The paths therefore changed, the behaviour did not.
  * The ccache class had to be reworked to function with rss.
  * The TCBOOTSTRAP sysroot for compiler bootstrap is no longer needed but the -initial data does have to be filtered out from the main recipe sysroots. Putting "-initial" in a normal recipe name therefore remains a bad idea.
  * The logic in insane needed tweaks to deal with the new path layout, as did the debug source file extraction code in package.bbclass.
  * The logic in sstate.bbclass had to be rewritten since it previously only performed search and replace on extracted sstate and we now need this to happen even if the compiled path was "correct". This in theory could cause a mild performance issue but since the sysroot data was the main data that needed this and we'd have to do it there regardless with rss, I've opted just to change the way the class for everything. The built output used to build the sstate output is now retained and installed rather than deleted.
  * The search and replace logic used in sstate objects also seemed weak/incorrect and didn't hold up against testing. This has been rewritten too. There are some assumptions made about paths, we save the 'proper' search and replace operations to fixmepath.cmd but then ignore this. What is here works but is a little hardcoded and an area for future improvement.
  * In order to work with eSDK we need a way to build something that looks like the old style sysroot. "bitbake build-sysroots" will construct such a sysroot based on everything in the components directory that matches the current MACHINE. It will allow transition of external tools and can build target or native variants or both. It also supports a clean task. I'd suggest not relying on this for anything other than transitional purposes though. To see XXX in that sysroot, you'd have to have built that in a previous bitbake invocation.
  * pseudo is run out of its components directory. This is fine as it's statically linked.
  * The hacks for wayland to see allarch dependencies in the multilib case are no longer needed and can be dropped.
  * wic needed more extensive changes to work with rss and the fixes are in a separate commit series
  * Various oe-selftest tweaks were needed since tests did assume the location to binaries and the combined sysroot in several cases.
  * Most missing dependencies this work found have been sent out as separate patches as they were found but a few tweaks are still included here.
  * A late addition is that extend_recipe_sysroot became multilib aware and able to populate multilib sysroots. I had hoped not to have to add that complexity but the meta-environment recipe forced my hand. That implementation can probably be neater but this is on the list of things to cleanup later at this point.
  In summary, the impact people will likely see after this change:
  * Recipes may fail with missing dependencies, particularly native tools like gettext-native, glib-2.0-native and libxml2.0-native. Some hosts have these installed and will mask these errors
  * Any recipe/class using SSTATEPOSTINSTFUNCS will need that code rewriting into a postinst
  * There was a separate patch series dealing with roots postinst native dependency issues. Any postinst which expects native tools at rootfs time will need to mark that dependency with PACKAGE_WRITE_DEPS.
  There could well be other issues. This has been tested repeatedly against our autobuilders and oe-selftest and issues found have been fixed. We believe at least OE-Core is in good shape but that doesn't mean we've found all the issues.
  Also, the logging is a bit chatty at the moment. It does help if something goes wrong and goes to the task logfiles, not the console so I've intentionally left this like that for now. We can turn it down easily enough in due course.
  (From OE-Core rev: 809746f56df4b91af014bf6a3f28997d6698ac78)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sysprof/gst-player/pcmanfm: Add missing glib-2.0-native DEPENDS | Richard Purdie | 2017-01-20 | 1 | -1/+1
  These recipes use glib-2.0 NLS tools so we need to depend on glib-2.0-native.
  (From OE-Core rev: 3e521148bbec01ccd1818b0a26221ab6342a3299)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0: make libunwind detection deterministic | Ross Burton | 2017-01-19 | 3 | -0/+26
  Otherwise libunwind support will be based on the contents of the sysroot, which can cause problems.
  (From OE-Core rev: 14cb8fe36fcb2dc20830fb4ba63ed1302255b61b)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-good: fix qtdemux_parse_svq3_stsd_data() memory leak | Andre McCurdy | 2017-01-19 | 2 | -0/+34
  Backport from 1.11.1
  https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=29433495d697e4dcb3bc50ff0e0d866acb949890
  (From OE-Core rev: a41129815bc46460d145208113a8b75a92f3d19d)
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-bad: Backport patches for improving live playback | Khem Raj | 2017-01-19 | 4 | -0/+1177
  (From OE-Core rev: 23c37ffb25a41cd8b30a3fb56731fd6753478092)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* x264: for x32, disable asm and pass -mx32 | Christopher Larson | 2017-01-09 | 2 | -0/+54
  We should probably patch it to stop adding the -m argument to CFLAGS/LDFLAGS in the first place, since we pass it in via CC, but this will do for now.
  (From OE-Core rev: 5d2b0816a92965cdbbb2dca5d3009fbd5064b9ca)
  Signed-off-by: Christopher Larson <chris_larson@mentor.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: disable asm for x32 | Christopher Larson | 2017-01-09 | 1 | -0/+2
  This is the usual way this is handled in desktop distros (see debian, gentoo). I wasn't able to track down a patch to add proper x32 support to ffmpeg. There was, however, a libav patch series which may be worth investigating.
  (From OE-Core rev: 94bfdb0accab0a2638e3bea1271cb80596f38e00)
  Signed-off-by: Christopher Larson <chris_larson@mentor.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-libav: disable asm for x32 | Christopher Larson | 2017-01-09 | 1 | -0/+4
  The included libav lacks support for x32, so disable the assembly optimizations.
  (From OE-Core rev: 7bac614503d0d9fda03b087501690e5f8262d966)
  Signed-off-by: Christopher Larson <chris_larson@mentor.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: use require instead of include when file should exist | Paul Eggleton | 2017-01-09 | 15 | -15/+16
  If the file is expected to exist, then we should always be using require so that if it doesn't we get an error rather than some other more obscure failure later on.
  (From OE-Core rev: 603ae6eb487489e65da69c68e532cb767ccc1fc2)
  Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer: Upgrade to 1.10.2 | Khem Raj | 2017-01-05 | 12 | -40/+50
  (From OE-Core rev: fcba432ed28d0249198de0b6b3d1b1c0a87c02a6)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-libav: Fix build on mips64 | Khem Raj | 2016-12-22 | 2 | -0/+33
  (From OE-Core rev: 8a024cb82b1718be51bd3a625364539ba50ae4ae)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* x264: Fix build on mips architectures | Khem Raj | 2016-12-22 | 1 | -0/+1
  Disable asm to fix
  | You specified a pre-MSA CPU in your CFLAGS.
  | If you really want to run on such a CPU, configure with --disable-asm.
  (From OE-Core rev: 302124c1cc8353f4d0e13ab9ba9057d6b3862bde)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-bad: default to using egl | Nicolas Dechesne | 2016-12-17 | 1 | -1/+1
  With the current set of PACKAGECONFIG, we end up building with 'gles2' and neither 'opengl', nor 'egl'. As a result we are building -bad with neither 'glx' nor 'egl' platform support. So let's make sure that we at least have egl by default (since we default to 'gles2').
  (From OE-Core rev: 4de8447c6536385ca134866682709efebf7d4e3d)
  (From OE-Core rev: a4111417b1b46cc852bf96a443b0edb0a525f346)
  Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: update to 3.2.2 | Alexander Kanavin | 2016-12-17 | 1 | -2/+2
  (From OE-Core rev: b9b50814dfb40f8d124be736f7af9ed4d69bc6b3)
  (From OE-Core rev: 7c5462f5ff3303da8d7daa5f22827bd852987138)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar calls | Joshua Lock | 2016-12-16 | 3 | -8/+8
  getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace.
  Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
  (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)
  Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtiff: Update to 4.0.7 | Armin Kuster | 2016-12-13 | 20 | -2221/+2
  Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.
  CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632
  plus more that are not identified in the changelog.
  removed patches integrated into update.
  more info: http://libtiff.maptools.org/v4.0.7.html
  (From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer-vaapi-1.0: check for "opengl" feature | Ismo Puustinen | 2016-12-13 | 1 | -1/+3
  If "opengl" distro feature is not set, libva recipe is skipped. Since missing libva breaks gstreamer-vaapi-1.0 build, the same check has to be done in gstreamer-vaapi-1.0 recipe too.
  (From OE-Core rev: e87250d801622befa09ddba9ec8ecf7a4dcf902c)
  Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-vaapi: Import from meta-intel | Khem Raj | 2016-12-13 | 3 | -0/+85
  Update to 1.10.1 at the same time
  (From OE-Core rev: cf4d28d7d9820cc8f658670f766267d35133865f)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-rtsp-server: Add libcheck to deps | Khem Raj | 2016-12-13 | 1 | -1/+1
  (From OE-Core rev: 13164cc3c040eca3ffc0feb82ad707c363a57f07)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0-plugins-bad: Define and use WAYLAND_PROTOCOLS_SYSROOT_DIR for output of pkg-config | Khem Raj | 2016-12-13 | 3 | -1/+39
  When configure pokes for wayland-protocols installations it ended up using the ones from host, which is because it did not account for sysroot prefix
  Remove MACHINE from variable reference tracking to avoid unnecessary rebuilds for different machine with same arch
  (From OE-Core rev: 0d349956417f00831025ccca5c8caa91f4771985)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer1.0: Upgrade to 1.10.1 | Khem Raj | 2016-12-13 | 19 | -1622/+69
  Remove backported patches and upstreamed ones
  Drop --disable-trace it's no more in 1.10.x
  Add packageconfig option for kms, keep it disabled by default in bad plugins recipe
  (From OE-Core rev: 309e02b7313398a05e70915560882c880c7f7c76)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: set CVE_PRODUCT | Ross Burton | 2016-12-13 | 1 | -1/+1
  This is 'libtiff' in NVD.
  (From OE-Core rev: 0c8d1523f3ad0ada2d1b8f9abffbc2b898a744ca)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: disable unsupported extensions on mips32r1 | Andreas Oberritter | 2016-12-08 | 1 | -0/+1
  | Warning: the `dsp' extension requires MIPS32 revision 2 or greater
  | Warning: the `dspr2' extension requires MIPS32 revision 2 or greater
  (From OE-Core rev: 6310833bfbbb3ed3852af0693fd68ea1fa7b054a)
  Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Fix several CVE issues | Mingli Yu | 2016-12-08 | 2 | -0/+282
  Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
  External References:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537
  Patch from:
  https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f
  (From OE-Core rev: f75ecefee21ef89b147fff9afae01a6f09c93198)
  Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9538 | Mingli Yu | 2016-12-08 | 2 | -0/+68
  * tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow.
  External References:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538
  Patch from:
  https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
  (From OE-Core rev: 9af5d5ea882c853e4cb15006f990d3814eeea9ae)
  Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9535 | Mingli Yu | 2016-12-08 | 3 | -0/+492
  * libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling.
  External References:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535
  Patch from:
  https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
  https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
  (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275)
  Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: set CVE NAME | Ross Burton | 2016-12-08 | 1 | -0/+2
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: Add packageconfig for vdpau acceleration | Khem Raj | 2016-12-07 | 1 | -0/+1
  Fixes dangling dependency QA issue
  WARNING: ffmpeg-3.2.1-r0 do_package_qa: QA Issue: libavutil rdepends on libvdpau, but it isn't a build dependency, missing libvdpau in DEPENDS or PACKAGECONFIG? [build-deps]
  (From OE-Core rev: 0677c5b210ea563d6209f86c01f868111895f332)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: update to 3.2.1 | Alexander Kanavin | 2016-11-30 | 1 | -2/+2
  (From OE-Core rev: ea3dc211c12c1408ba5c316236a20527aaa3acd9)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9539 | Zhixiong Chi | 2016-11-30 | 2 | -0/+61
  tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092.
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539
  Patch from:
  https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
  (From OE-Core rev: 58bf0a237ca28459eb8c3afa030c0054f5bc1f16)
  Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-9540 | Zhixiong Chi | 2016-11-30 | 2 | -0/+61
  tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow."
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540
  Patch from:
  https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
  (From OE-Core rev: cc97dc66006c7892473e3b4790d05e12445bb927)
  Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-3632 | Yi Zhao | 2016-11-23 | 2 | -0/+35
  CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632
  http://bugzilla.maptools.org/show_bug.cgi?id=2549
  https://bugzilla.redhat.com/show_bug.cgi?id=1325095
  The patch is from RHEL7.
  (From OE-Core rev: 9206c86239717718be840a32724fd1c190929370)
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-3658 | Zhixiong Chi | 2016-11-23 | 2 | -0/+112
  The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable.
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
  http://bugzilla.maptools.org/show_bug.cgi?id=2546
  Patch from:
  https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
  (From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
  Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* x264: Update to latest on stable branch | Khem Raj | 2016-11-15 | 2 | -18/+6
  - unexport AS variable
  - Switch URI to use github mirror for reliability
  - Disable openCL code, it's not used
  - TEXTRELs are fixed, therefore don't skip QA check
  (From OE-Core rev: 8f132ca02c0d8abe309b622cfeef5f21ecc0b242)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsamplerate0: clean up dependencies | Tanu Kaskinen | 2016-11-06 | 2 | -3/+70
  The flac dependency was completely bogus. Flac isn't used at all.
  FFTW is only used by tests, so we don't need to provide a packageconfig for that.
  ALSA is only used by example code that isn't part of the packaged files, so even if ALSA is enabled, it doesn't affect the build result. Nevertheless, I prefer to disable it explicitly to be extra sure.
  --disable-alsa resulted in a warning about an unsupported configure option, although by some magic it seemed to actually work as expected. A patch is added to get rid of that warning.
  (From OE-Core rev: c7cb0ce17dc2ec3999f26d594e755c8fb9609cee)
  Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libsamplerate0: 0.1.8 -> 0.1.9 | Tanu Kaskinen | 2016-11-06 | 1 | -5/+5
  The license has changed to BSD as explained here: http://www.mega-nerd.com/SRC/license.html
  (From OE-Core rev: 053aac136cec74b0ac848337812546df847dc793)
  Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpng: Upgrade 1.6.24 -> 1.6.25 | Maxin B. John | 2016-11-06 | 1 | -4/+4
  License file changes are due to updates in Version and Copyright date
  (From OE-Core rev: f231bd63ab82575b2ad6ccfd0a3f5da76b56a125)
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ffmpeg: update to 3.2 | Alexander Kanavin | 2016-11-06 | 1 | -4/+3
  Drop faac package config as upstream ./configure doesn't have it anymore.
  (From OE-Core rev: a08b016c04a4e4eca78cd5ffae0226af4cb5226b)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-3622 | Yi Zhao | 2016-11-06 | 2 | -0/+130
  CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
  http://www.openwall.com/lists/oss-security/2016/04/07/4
  Patch from:
  https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
  (From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-3623 | Yi Zhao | 2016-11-06 | 2 | -0/+53
  CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0.
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
  http://bugzilla.maptools.org/show_bug.cgi?id=2569
  Patch from:
  https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
  (From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9)
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2016-3991 | Yi Zhao | 2016-11-06 | 2 | -0/+148
  CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles.
  External References:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991
  http://bugzilla.maptools.org/show_bug.cgi?id=2543
  Patch from:
  https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
  (From OE-Core rev: d31267438a654ecb396aefced201f52164171055)
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>