<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-multimedia, branch krogoth</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=krogoth</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=krogoth'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2017-05-18T12:14:22+00:00</updated>
<entry>
<title>libpng: update SRC_URI back to SF</title>
<updated>2017-05-18T12:14:22+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2017-02-11T19:26:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6eb266a36580f86b31b13f67db327f680e4a7af5'/>
<id>urn:sha1:6eb266a36580f86b31b13f67db327f680e4a7af5</id>
<content type='text'>
ERROR: Task 944 (virtual:nativesdk:/home/akuster/oss/maint/poky/meta/recipes-multimedia/libpng/libpng_1.6.21.bb, do_checkuri) failed with exit code '1'
ERROR: libpng12-1.2.56-r0 do_checkuri: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work
ERROR: Logfile of failure stored in: /home/akuster/oss/maint/poky/build/tmp/work/i586-poky-linux/libpng12/1.2.56-r0/temp/log.do_checkuri.14781
Log data follows:
| DEBUG: Executing python function do_checkuri
| DEBUG: Testing URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz
| DEBUG: checkstatus() urlopen failed: HTTP Error 404: Not Found
| DEBUG: Python function do_checkuri finished
| ERROR: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work

SF now has an old releases dir which contains this tarball. It got dropped from Gentoo.

(From OE-Core rev: 30722ea82dd8e90c33d607e1a8847dabf16b4225)

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-9538</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Mingli Yu</name>
<email>Mingli.Yu@windriver.com</email>
</author>
<published>2016-12-07T08:01:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=863bfa81afcb643cb1e22b1ba3cb765b8f24a51d'/>
<id>urn:sha1:863bfa81afcb643cb1e22b1ba3cb765b8f24a51d</id>
<content type='text'>
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow.

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538

Patch from:
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f

(From OE-Core rev: 9af5d5ea882c853e4cb15006f990d3814eeea9ae)

(From OE-Core rev: 33cad1173f6d1b803b794a2ec57fe8a9ef19fb44)

(From OE-Core rev: 5597998cf8b852bfe9b794d83314090a148bf78b)

Signed-off-by: Mingli Yu &lt;Mingli.Yu@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-9535</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Mingli Yu</name>
<email>Mingli.Yu@windriver.com</email>
</author>
<published>2016-12-07T08:01:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=014af27dcbbaf5d8482a2cf063a5aa7eeba1a915'/>
<id>urn:sha1:014af27dcbbaf5d8482a2cf063a5aa7eeba1a915</id>
<content type='text'>
* libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling.

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535

Patch from:
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33

(From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275)

(From OE-Core rev: d55b4470c20f4a4b73b1e6f148a45d94649dfdb5)

(From OE-Core rev: 3f22e42b981319b1aaa15871a90753060817c911)

Signed-off-by: Mingli Yu &lt;Mingli.Yu@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-9539</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Zhixiong Chi</name>
<email>zhixiong.chi@windriver.com</email>
</author>
<published>2016-11-28T09:52:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ca4703b6cf92a2e8c60660c1f0b779293f773d22'/>
<id>urn:sha1:ca4703b6cf92a2e8c60660c1f0b779293f773d22</id>
<content type='text'>
tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in
readContigTilesIntoBuffer(). Reported as MSVR 35092.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539

Patch from:
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53

(From OE-Core rev: 58bf0a237ca28459eb8c3afa030c0054f5bc1f16)

(From OE-Core rev: 0933a11707a369c8eaefebd31e8eea634084d66e)

(From OE-Core rev: d80b6e399e2c14b99c629b4548c7ec38e35fe93e)

Signed-off-by: Zhixiong Chi &lt;zhixiong.chi@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-9540</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Zhixiong Chi</name>
<email>zhixiong.chi@windriver.com</email>
</author>
<published>2016-11-28T08:12:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=98e368e4b603db35859fd3da649d8eb89114a2cb'/>
<id>urn:sha1:98e368e4b603db35859fd3da649d8eb89114a2cb</id>
<content type='text'>
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled
images with odd tile width versus image width. Reported as MSVR 35103,
aka "cpStripToTile heap-buffer-overflow."

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540

Patch from:
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3

(From OE-Core rev: cc97dc66006c7892473e3b4790d05e12445bb927)

(From OE-Core rev: ad2c4710ef15c35f6dd4e7642efbceb2cbf81736)

(From OE-Core rev: 6f58c18016258c0a49b4d0ef50d170a1bbb671f4)

Signed-off-by: Zhixiong Chi &lt;zhixiong.chi@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-3632</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2016-11-17T08:08:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3c61ee2f681c0fc2308935ee2fa75b1f037ad752'/>
<id>urn:sha1:3c61ee2f681c0fc2308935ee2fa75b1f037ad752</id>
<content type='text'>
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of
service (out-of-bounds write) or execute arbitrary code via a crafted
TIFF image.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632
http://bugzilla.maptools.org/show_bug.cgi?id=2549
https://bugzilla.redhat.com/show_bug.cgi?id=1325095

The patch is from RHEL7.

(From OE-Core rev: 9206c86239717718be840a32724fd1c190929370)

(From OE-Core rev: 0c6928f4129e5b1e24fa2d42279353e9d15d39f0)

(From OE-Core rev: f10cef0119c3bcf5b23a142f131a2d452ef2b837)

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-3658</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Zhixiong Chi</name>
<email>zhixiong.chi@windriver.com</email>
</author>
<published>2016-11-14T09:46:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ec00137169a4c23fb73a2b1b2f800fc96e25b2b6'/>
<id>urn:sha1:ec00137169a4c23fb73a2b1b2f800fc96e25b2b6</id>
<content type='text'>
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546

Patch from:
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d

(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)

(From OE-Core rev: cc266584158c8dfc8583d21534665b6152a4f7ee)

(From OE-Core rev: 7ba456a35e0e75e0e8b3d8f9530aab312775672d)

Signed-off-by: Zhixiong Chi &lt;zhixiong.chi@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-3622</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2016-10-26T08:26:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0ed07f2658afe74ecfea9d8592c54f9931b82188'/>
<id>urn:sha1:0ed07f2658afe74ecfea9d8592c54f9931b82188</id>
<content type='text'>
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4

Patch from:
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286

(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)

(From OE-Core rev: 928eadf8442cf87fb2d4159602bd732336d74bb7)

(From OE-Core rev: e2eeb68f33e671d9520afda149f5aea27ab546bd)

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-3623</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2016-10-26T08:26:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c33bac8883cbddf64948930ea340d1e2c2ee3985'/>
<id>urn:sha1:c33bac8883cbddf64948930ea340d1e2c2ee3985</id>
<content type='text'>
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier
allows remote attackers to cause a denial of service (divide-by-zero) by
setting the (1) v or (2) h parameter to 0.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
http://bugzilla.maptools.org/show_bug.cgi?id=2569

Patch from:
https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b

(From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9)

(From OE-Core rev: f0e77ffa6bbc3adc61a2abd5dbc9228e830c055d)

(From OE-Core rev: 4cb329454fec849ca0ea6106d78d1240c760bd11)

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tiff: Security fix CVE-2016-3991</title>
<updated>2017-05-18T12:14:21+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2016-10-26T08:26:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c76d565ce25feb14abc7635508b516094f830168'/>
<id>urn:sha1:c76d565ce25feb14abc7635508b516094f830168</id>
<content type='text'>
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage
function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote
attackers to cause a denial of service (out-of-bounds write) or execute
arbitrary code via a crafted TIFF image with zero tiles.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991
http://bugzilla.maptools.org/show_bug.cgi?id=2543

Patch from:
https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba

(From OE-Core rev: d31267438a654ecb396aefced201f52164171055)

(From OE-Core rev: cf58711f12425fc1c29ed1e3bf3919b3452aa2b2)

(From OE-Core rev: a0115f89df6c082949796a75551ea43b35c39ccd)

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
