Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in
info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
(From OE-Core rev: a2b4718b5db8f220c89d71fbea4e3418be20731e)
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
exists in the function mapping0_forward() in mapping0.c, which may lead
to DoS when operating on a crafted audio file with vorbis_analysis().
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
(From OE-Core rev: 300b5e921460f8ab1d4870014b343eddd00e77b1)
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I don't know how this made it in, but the backported patch most definitely
fails to apply:
ERROR: lame-3.99.5-r1 do_patch: Command Error: 'quilt --quiltrc /home/ak/development/poky/build-musl/tmp/work/core2-64-poky-linux-musl/lame/3.99.5-r1/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output:
Applying patch CVE-2017-13712.patch
patching file libmp3lame/id3tag.c
Hunk #1 succeeded at 195 with fuzz 1 (offset 1 line).
Hunk #11 succeeded at 1023 (offset 24 lines).
Hunk #12 FAILED at 1051.
The reason we have't seen it is that LICENSE_FLAGS_WHITELIST += " commercial"
needs to be in config to trigger this.
This reverts commit fd994b5bed.
(From OE-Core rev: 93aa9a5be30bbd6d9a39beb436a21bcfccceb9a7)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The failure is weird and difficult to diagnoze, so disable the
introspection for now:
qemu-mips64: error while loading shared libraries: .../recipe-sysroot/usr/lib/libgthread-2.0.so.0: ELF file data encoding not little-endian
Note that it shows up only for one specific library (gstaudio), and only
on mips64. Introspection data for other libraries is generated just fine.
(From OE-Core rev: bc6bb09150835c841cf27c88f388ac5796a317a2)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 4cfe09598c1ec1ffd108acdfd0f4cce1b8688895)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sbc library itself is licensed under LGPLv2.1 or higher as mentioned in
sbc/sbc.h or any other file in sbc directory.
sbc test applications are licensed under GPLv2 or higher as mentioned in
src/sbcenc.c or any other file in src directory
Reported-by: Vladimir Koutny <vladimir.koutny@streamunlimited.com>
(From OE-Core rev: 39193c6b30d34fd4c07e1a36581a1bd94fd76b29)
Signed-off-by: Radek Dostál <radek.dostal@streamunlimited.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes
WARNING: gstreamer1.0-plugins-bad-1.12.2-r0 do_package_qa: QA Issue: libgstwayland-1.0 rdepends on libdrm, but it isn't a build dependency, missing libdrm in DEPENDS or PACKAGECONFIG? [build-deps]
WARNING: gstreamer1.0-plugins-bad-1.12.2-r0 do_package_qa: QA Issue: gstreamer1.0-plugins-bad-waylandsink rdepends on libdrm, but it isn't a build dependency, missing libdrm in DEPENDS or PACKAGECONFIG? [build-deps]
(From OE-Core rev: cb2c00c369e61b0e61298b0ad076e5bc8bc67bb9)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use ${nonarch_base_libdir}/udev instead. This avoids problems when
usrmerge is enabled in DISTRO_FEATURES and udev support is disabled.
(From OE-Core rev: 0a4372705a030ca54ed420cdfec33d46ab93499c)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a fix already merged upstream in master and 1.12 branch, it fixes 4K video
playback on any platform that uses v4l2 codecs, such as Dragonboard 820c.
(From OE-Core rev: b662944b28080dfb68833d4a81655262b04ada67)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix CVE-2017-8363:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8363
(From OE-Core rev: 9cc9956c5ed09f9016cb23bd763652e5ab55f3cd)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix CVE-2017-8362:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (invalid read and
application crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8362
(From OE-Core rev: 0c8da3f6f85962196f2ad54fffd839239f5c2274)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix two CVEs:
CVE-2017-8361:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a
crafted audio file.
CVE-2017-8365:
The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote
attackers to cause a denial of service (buffer over-read and application
crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8361https://nvd.nist.gov/vuln/detail/CVE-2017-8365
(From OE-Core rev: d92877ade8fd4dd9b548c6b664bf4357a1f9428a)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This does not work as intended: enabling either of the alternatives
causes the other alternative to append a --disable-hls flag to
configure. Anyone needing openssl 1.0 should set it up manually
via EXTRA_OECONF_append or similar.
(From OE-Core rev: d2562cfe4517d85328e961f968db2c7cd3c6c6f2)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As we upgrade to libva 1.8.3, we can remove the workaround patch
which disables visualizations in gst-player:
1. 0001-gtk-play-Disable-visualizations.patch
Also remove the upstreamed patches:
1. filechooser.patch
2. Fix-pause-play.patch
3. Add-error-signal-emission-for-missing-plugins.patch
Fixes [YOCTO #11437]
(From OE-Core rev: 50f1902cb44724aa4b030e4e42b115231217acc9)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove backported patch:
1. vaapivideobufferpool-create-allocator-if-needed.patch
* Add PACKAGECONFIG_GL variable to make it possible for BSP layers to
customize what should be the default, EGL or GLX
* Set virtual/egl instead of virtual/mesa as egl dependency in case
platform specific drivers provide virtual/egl functionality
(From OE-Core rev: 42daac1ade210d873aa4761d89d2402fbe80f07b)
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libmad plugin was removed in 1.12.0, since mad is GPLed,
unmaintained, and both gst-libav & the mpg123 plugin are
fully functional alternatives.
(From OE-Core rev: a963a2e38e246554b7083430710a2aba430df5e5)
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove backported patches:
1. 0001-smoothstreaming-implement-adaptivedemux-s-get_live_s.patch
2. 0001-smoothstreaming-use-the-duration-from-the-list-of-fr.patch
3. 0001-mssdemux-improved-live-playback-support.patch
* Refreshed the following patches:
1. 0001-Makefile.am-don-t-hardcode-libtool-name-when-running.patch
Extended patch to include fix for libgstallocators
2. 0001-Prepend-PKG_CONFIG_SYSROOT_DIR-to-pkg-config-output.patch
Updated to apply to 1.12.2
3. gstreamer-gl.pc.in-don-t-append-GL_CFLAGS-to-CFLAGS.patch
Updated to apply to 1.12.2
* Removed license checks in tta directory as it doesn't exist anymore.
* In 1.12.0, old unsupported plugins were removed. As a result, the
list of unsupported plugins was removed.
(From OE-Core rev: 1fa8492e54dd71ce7d4d853e0cb7295c28fa5e76)
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove backported patch:
1. 0001-v4l2object-Also-add-videometa-if-there-is-padding-to.patch
* Added RPROVIDES to handle the renamed plugins (oss4 is not enabled):
1. libgstpulse -> libgstpulseaudio
2. libgstsouphttpsrc -> libgstsoup
* Updated gstreamer1.0-meta-base to include this change:
1.gstsouphttpsrc plugin was renamed to gstsoup
(From OE-Core rev: 142d9e3d68147cdad18a3a60eaa22c33c418ffec)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Version 1.12 introduces support for libdw (provided by elfutils).
libdw adds source lines & numbers to backtraces. A new "dw"
packageconfig added for enabling/disabling this feature.
In addition, the old patch for deterministic unwind configuration
was replaced with one that also allows the same for the dw
configuration. This new patch was also submitted to bugzilla.
* Leftover docbook cruft was removed, meaning that the
"--disable-docbook" configure switch is gone.
(From OE-Core rev: a6c12ff35c97f4225a6b2f226ae4483d7bacdfb9)
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It has not been ported to openssl 1.1 (and there's nothing in upstream git),
but it's possible to use nettle or gcrypt intead.
Also, provide a fallback option to use openssl 1.0 when necessary.
(From OE-Core rev: 624aed5d450664b0f0a36b14d658248202f864ed)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.6.31 fixes pngpriv.h to work around failure to compile
arm/filter_neon.S.This bug was introduced in libpng-1.6.30beta01
No changes in License.The license checksums changed because of
update in Copyright dates in LICENSE and png.h files.
(From OE-Core rev: 8319dce16210ebe2d89cd1e0926ad937909bc9ea)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
MIRRORS needs to be pairs of values for the original URL to match and the
location find it on the mirror.
(From OE-Core rev: a649f3da630e8ca2d3ca58b610f3918720dd5229)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Gentoo mirror also deletes old versions when they're not used, so revert
back to the canonical SourceForge site, adding /older-releases/ to MIRRORS to
handle new releases moving the version we want.
Original idea by Maxin B. John <maxin.john@intel.com>.
(From OE-Core rev: 791a3493c88c9c249f21f6d893b2061e1d8a0af6)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previously, we had a gst-python recipe, but it supported only GStreamer
0.1. After GStreamer switched the Python bindings to use GObject
introspection, we were no longer able to build the bindings, and they
were dropped in this patch:
https://patchwork.openembedded.org/patch/93793/
However, at this point, we have a gobject-introspection class, so we can
use the bindings again, this time with GStreamer 1.0.
(From OE-Core rev: 6650bd1b9c770b01525356f9a1fabd758360ee8f)
Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
in config.log we can see:
WARNING: aarch64-linaro-linux-pkg-config not found, library detection may fail.
ffmpeg configure script is not looking for pkg-config at the rigt place since it
is assuming cross compilation. let's force its value in the recipe.
This patches 'fixes' library detection, so it also adds:
--disable-libxcb
--disable-libxcb-shm
--disable-libxcb-xfixes
--disable-libxcb-shape
Which were dangling configure options, which started to be enabled after the
pkg-config fix, so they need now to be explicitely disabled. Follow up patch
will enable these options when DISTRO_FEATURES has x11.
(From OE-Core rev: 3d5f11f0a1fd036e28a1d3f0c3169d8e21cc1358)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enabling sdl2 will bring ffplay applications, which can be handy when working
with ffmpeg.
(From OE-Core rev: 5c880eb08ec29e169b9f6b7d6f2e0598a0395d30)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds a Vulkan video sink (using xcb and/or wayland).
Add a few patches to fix the build.
(From OE-Core rev: a80a0b3981d129a945ddd775690963cefa15376a)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
