Purushottam Choudhary
df471272ae
tiff: fix for CVE-2022-22844
Backport patch from:
03047a2695
(From OE-Core rev: 68b59e37d25ead5aaf68d24c6a55b7d1864203fa)
Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-02 00:21:36 +00:00
akash hadke
a59a11eb56
tiff: Add fix for CVE-2020-35521 and CVE-2020-35522
Added fix for CVE-2020-35521 and CVE-2020-35522
Link: b5a935d96b.patch
Added below support patches for CVE-2020-35521 and CVE-2020-35522
1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: 02875964eb.patch
2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: ca70b5e702.patch
(From OE-Core rev: 03a65159093e0b2df4bc867c873b5c43721b9a9c)
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03 16:30:55 +01:00
Richard Purdie
8f2798ddbf
tiff: Exclude CVE-2015-7313 from cve-check
Some fix upstream addresses the issue; it isn't clear which change this was. Our
current version doesn't have issues with the test image though, so we can exclude.
(From OE-Core rev: 256f6be93eed82c7db8a76b1038e105331c0009f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3874da694ae1d9de06dd003bd80705205e2b033b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-20 12:36:41 +01:00
Lee Chee Yang
5471428610
tiff: fix CVE-2020-35523 CVE-2020-35524
(From OE-Core rev: 84239e11227bc0b0e2e6d3b2faa7a9ee63025dd1)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-05-20 12:36:41 +01:00
Meh Mbeh Ida Delphine
afc8d49fcd
recipes-multimedia: Add missing HOMEPAGE and DESCRIPTION for recipes.
Fixes: [YOCTO #13471]
(From OE-Core rev: 70d05a262924979403d5c70ba8dc5a5f65dfcac3)
Signed-off-by: Ida Delphine <idadelm@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 312994268bb68a012a61c99e1c3697e8de60a2ce)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-03-18 21:20:24 +00:00
Alexander Kanavin
f931a332d1
tiff: update to 4.1.0
Drop backported patches.
(From OE-Core rev: e5ecf2604e5b8c957eb3bae21fb3c9b2b1b7e12f)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-21 23:08:19 +00:00
Joe Slater
6df6e5d3ba
libtiff: fix CVE-2019-17546
Apply unmodified patch from upstream.
(From OE-Core rev: 844e7aa217f5ecf46766a07d46f9d7f083668e8e)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-31 16:09:35 +00:00
Trevor Gamblin
c855f55a7d
tiff: fix CVE-2019-14973
CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973
Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c
(From OE-Core rev: b57304c1afb73a698a1c40a017d433e4d81a8df2)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-02 10:09:47 +01:00
Ross Burton
8e63ec13b4
tiff: fix CVE-2019-7663
(From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-16 13:53:17 +01:00
Ross Burton
d3e9a9b2a0
tiff: fix CVE-2019-6128
(From OE-Core rev: 7293e417dd9bdd04fe0fec177a76c9286234ed46)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-16 13:53:16 +01:00
Ross Burton
63731c5d5f
tiff: remove redundant patch
The patching to make the new libtool work (from 2008) is no longer needed.
(From OE-Core rev: 4210fafa851d011023f5a58ed3887148168f861c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-16 13:53:16 +01:00
Alexander Kanavin
691e306994
tiff: update to 4.0.10
(From OE-Core rev: 92a2e6dc73085ccb5482986c6b61d40992fb4f50)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-11-23 23:35:18 +00:00
Joe Slater
205d75ddb3
libtiff: fix CVE-2017-17095
Backport fix from gitlab.com/libtiff/libtiff.
nvd.nist.gov does not yet reference this patch.
(From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-04 14:21:41 +01:00
Joe Slater
8a2b440f87
tiff: security fix CVE-2018-7456
NULL pointer use as described at nvd.nist.gov/vuln/detail/CVE-2018-7456.
(From OE-Core rev: 122da5cec495fc8ddfd880327e7c3ed0dc70e04f)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-26 13:16:40 +01:00
Joe Slater
d85feee51c
tiff: security fix CVE-2018-8905
Buffer overflow described at nvd.nist.gov/vuln/detail/CVE-2018-8905.
(From OE-Core rev: 3f6f2a0619b4e243e6a9e52cee2cdd625ebf6769)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-26 13:16:40 +01:00
Joe Slater
90a06269df
tiff: security fix CVE-2018-10963
Denial of service described at https://nvd.nist.gov/vuln/detail/CVE-2018-10963.
(From OE-Core rev: d19a9b41d3b2dcba3b102a8289b7787b4b131e96)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-18 10:18:42 +01:00
Yi Zhao
7a80996355
tiff: Security fixes
Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-5784
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9935
https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
Patches from:
CVE-2017-9935:
3dd8f6a357
CVE-2017-18013:
c6f41df7b5
CVE-2018-5784:
473851d211
(From OE-Core rev: 798b6b4b3ce370264d036e555185a99ce3aa97b7)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-25 09:40:41 +01:00
Zhang Xiao
5ae4806529
tiff: Fix multilib header conflict - tiffconf.h
Header file conflict between 32-bit and 64-bit versions.
(From OE-Core rev: 53f320797765b5f184a83cd065f9b5e454ee14e3)
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-15 06:27:19 -07:00
Ross Burton
1caae443ee
libtiff: refresh patches
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 8d4dd42cf39ac33e2479cb4f9f833701d68cea62)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-11 06:27:01 -07:00
Ross Burton
e53eebb49d
libtiff: refresh patches
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 65155f3719051aae2a2e716c719b78ee7ca1bb29)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-09 09:17:02 -08:00
Huang Qiyu
975591a8d6
tiff: 4.0.8 -> 4.0.9
1. Upgrade tiff from 4.0.8 to 4.0.9.
2. Delete CVE-2017-10688.patch, CVE-2017-11335.patch, CVE-2017-13726.patch, CVE-2017-13727.patch, CVE-2017-9147.patch, CVE-2017-9936.patch, since they are integrated upstream.
(From OE-Core rev: df894b523d74f8fd723d1c8fb03f55e46c6af0f5)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-01-19 12:37:14 +00:00
Yi Zhao
89c81eedca
tiff: Security fix CVE-2017-13726 and CVE-2017-13727
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-13726
https://nvd.nist.gov/vuln/detail/CVE-2017-13727
Patches from:
CVE-2017-13726:
f91ca83a21
CVE-2017-13727:
b6af137bf9
(From OE-Core rev: 8dc9d74b7e6816f59eb61dcda6a93c0753a5e4ab)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-09-22 17:15:30 +01:00
Yi Zhao
1a73074d75
tiff: Security fixes
Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9147
https://nvd.nist.gov/vuln/detail/CVE-2017-9936
https://nvd.nist.gov/vuln/detail/CVE-2017-10668
https://nvd.nist.gov/vuln/detail/CVE-2017-11335
Patches from:
CVE-2017-9147:
4d4fa0b68a
CVE-2017-9936:
fe8d716595
CVE-2017-10688:
6173a57d39
CVE-2017-11355:
69bfeec247
(From OE-Core rev: 5c89539edb17d01ffe82a1b2e7d092816003ecf3)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-23 08:47:03 +01:00
Fan Xin
68e25dfade
libtiff: Upgrade to 4.0.8
1. Upgrade libtiff from 4.0.7 to 4.0.8
2. Delete the following patch file, because CVE-2017-5225 has been fixed in 4.0.8:
libtiff-CVE-2017-5225.patch
(From OE-Core rev: 825927e85933322e6f195f0d937359017a9a9b97)
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-09 17:12:14 +01:00
Li Zhou
49f6a9e794
libtiff: Security Advisory - libtiff - CVE-2017-5225
Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp
resulting in DoS or code execution via a crafted BitsPerSample value.
Porting patch from <https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7>
to solve CVE-2017-5225.
(From OE-Core rev: 434990304bdfb70441b399ff8998dbe3fe1b1e1f)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-31 14:43:01 +00:00
Armin Kuster
a63b53841b
libtiff: Update to 4.0.7
Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.
CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632
plus more that are not identified in the changelog.
Removed patches integrated into update.
More info: http://libtiff.maptools.org/v4.0.7.html
(From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-13 22:55:21 +00:00
Ross Burton
d54fb89bed
tiff: set CVE_PRODUCT
This is 'libtiff' in NVD.
(From OE-Core rev: 0c8d1523f3ad0ada2d1b8f9abffbc2b898a744ca)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-13 22:55:19 +00:00
Mingli Yu
416e4d33fa
tiff: Fix several CVE issues
Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and
CVE-2016-9537
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537
Patch from:
83a4b92815 (diff-c8b4b355f9b5c06d585b23138e1c185f)
(From OE-Core rev: f75ecefee21ef89b147fff9afae01a6f09c93198)
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-08 10:31:29 +00:00
Mingli Yu
b229874a88
tiff: Security fix CVE-2016-9538
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow.
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538
Patch from:
43c0b81a81 (diff-c8b4b355f9b5c06d585b23138e1c185f)
(From OE-Core rev: 9af5d5ea882c853e4cb15006f990d3814eeea9ae)
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-08 10:31:29 +00:00
Mingli Yu
799e8b124f
tiff: Security fix CVE-2016-9535
* libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling.
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535
Patch from:
3ca657a879
6a984bf790
(From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275)
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-08 10:31:29 +00:00
Ross Burton
8f706df62d
tiff: set CVE NAME
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-08 10:31:29 +00:00
Zhixiong Chi
2c4116d3cb
tiff: Security fix CVE-2016-9539
tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in
readContigTilesIntoBuffer(). Reported as MSVR 35092.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539
Patch from:
ae9365db1b
(From OE-Core rev: 58bf0a237ca28459eb8c3afa030c0054f5bc1f16)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-30 15:48:08 +00:00
Zhixiong Chi
8a1dfae55b
tiff: Security fix CVE-2016-9540
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled
images with odd tile width versus image width. Reported as MSVR 35103,
aka "cpStripToTile heap-buffer-overflow."
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540
Patch from:
5ad9d8016f
(From OE-Core rev: cc97dc66006c7892473e3b4790d05e12445bb927)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-30 15:48:08 +00:00
Yi Zhao
075b333e3d
tiff: Security fix CVE-2016-3632
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of
service (out-of-bounds write) or execute arbitrary code via a crafted
TIFF image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632
http://bugzilla.maptools.org/show_bug.cgi?id=2549
https://bugzilla.redhat.com/show_bug.cgi?id=1325095
The patch is from RHEL7.
(From OE-Core rev: 9206c86239717718be840a32724fd1c190929370)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-23 11:10:15 +00:00
Zhixiong Chi
bfbed355df
tiff: Security fix CVE-2016-3658
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546
Patch from:
45c68450be
(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-23 11:10:12 +00:00
Yi Zhao
3a6612a811
tiff: Security fix CVE-2016-3622
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
92d966a5fc
(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-06 23:35:33 +00:00
Yi Zhao
28c8e12e30
tiff: Security fix CVE-2016-3623
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier
allows remote attackers to cause a denial of service (divide-by-zero) by
setting the (1) v or (2) h parameter to 0.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
http://bugzilla.maptools.org/show_bug.cgi?id=2569
Patch from:
bd024f0701
(From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-06 23:35:33 +00:00
Yi Zhao
799dbe5c08
tiff: Security fix CVE-2016-3991
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage
function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote
attackers to cause a denial of service (out-of-bounds write) or execute
arbitrary code via a crafted TIFF image with zero tiles.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991
http://bugzilla.maptools.org/show_bug.cgi?id=2543
Patch from:
e596d4e27c
(From OE-Core rev: d31267438a654ecb396aefced201f52164171055)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-06 23:35:33 +00:00
Yi Zhao
8a73e838ef
tiff: Security fix CVE-2016-3990
CVE-2016-3990 libtiff: Heap-based buffer overflow in the
horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and
earlier allows remote attackers to cause a denial of service (crash) or
execute arbitrary code via a crafted TIFF image to tiffcp.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3990
http://bugzilla.maptools.org/show_bug.cgi?id=2544
Patch from:
6a4dbb07cc
(From OE-Core rev: c6492563037bcdf7f9cc50c8639f7b6ace261e62)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-06 23:35:33 +00:00
Yi Zhao
4db0424120
tiff: Security fix CVE-2016-3945
CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
attackers to cause a denial of service (crash) or execute arbitrary code
via a crafted TIFF image, which triggers an out-of-bounds write.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
http://bugzilla.maptools.org/show_bug.cgi?id=2545
Patch from:
7c39352ccd
(From OE-Core rev: 04b9405c7e980d7655c2fd601aeeae89c0d83131)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-11-06 23:35:32 +00:00
Jussi Kukkonen
25468b58a5
tiff: Update download URL
The remotesensing.org domain has been taken over by someone unrelated.
There does not seem to be an up-to-date tiff homepage, but
osgeo.org is a reliable download site.
(From OE-Core rev: f544e1d10e9dc0f750efdb45a78ce9d5c9603070)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-14 22:22:07 +01:00
Yi Zhao
9375b7effa
tiff: Security fix CVE-2016-5323
CVE-2016-5323 libtiff: a maliciously crafted TIFF file could cause the
application to crash when using the tiffcrop command
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5323
http://bugzilla.maptools.org/show_bug.cgi?id=2559
Patch from:
2f79856097
(From OE-Core rev: 4ad1220e0a7f9ca9096860f4f9ae7017b36e29e4)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 10:35:39 +01:00
Yi Zhao
1b03beb80a
tiff: Security fix CVE-2016-5321
CVE-2016-5321 libtiff: a maliciously crafted TIFF file could cause the
application to crash when using the tiffcrop command
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5321
http://bugzilla.maptools.org/show_bug.cgi?id=2558
Patch from:
d9783e4a14
(From OE-Core rev: 4a167cfb6ad79bbe2a2ff7f7b43c4a162ca42a4d)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 10:35:39 +01:00
Yi Zhao
b762eb937c
tiff: Security fix CVE-2016-3186
CVE-2016-3186 libtiff: buffer overflow in the readextension function in
gif2tiff.c allows remote attackers to cause a denial of service via a
crafted GIF file
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
https://bugzilla.redhat.com/show_bug.cgi?id=1319503
Patch from:
https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
(From OE-Core rev: 3d818fc862b1d85252443fefa2222262542a10ae)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 10:35:39 +01:00
Armin Kuster
ecb7e52649
tiff: Security fix CVE-2015-8784
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
External Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8784
(From OE-Core rev: 36097da9679ab2ce3c4044cd8ed64e5577e3f63e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 10:35:39 +01:00
Armin Kuster
dc75fc92b5
tiff: Security fix CVE-2015-8781
CVE-2015-8781 libtiff: out-of-bounds writes for invalid images
External Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8781
(From OE-Core rev: 9e97ff5582fab9f157ecd970c7c3559265210131)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 10:35:39 +01:00
Armin Kuster
3f75a6478b
tiff: Security fixes CVE-2015-8665 and CVE-2015-8683
Same fix for both CVEs.
tiff <= 4.0.6
(From OE-Core rev: b7a38a45bf404b8f9b419bf7c054102d68cf2673)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-04-29 07:41:43 +01:00
Alexander Kanavin
f7a7796b37
tiff: update to 4.0.6
(From OE-Core rev: 88a2a8f2f03faa19c1400a9badf16845ba217861)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-12-28 09:25:15 +00:00
Alexander Kanavin
74bfa62f85
package_regex.inc: split entries which blacklist specific versions to their recipes
(From OE-Core rev: 1eb9e190ef3bb1170b3eaabd9f7900e7ce176624)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-12-08 10:20:52 +00:00
Randy MacLeod
e3b35f56a8
tiff: Update to 4.0.4
Update tiff to latest version. None of the local CVE patches
are needed based on reviewing the ChangeLog so remove them.
(From OE-Core rev: 5c5d7c2ab0d32faca43ba360d5d42ecd2822c730)
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-06-27 22:42:56 +01:00