tiff-native otherwise falsely detects webp if its installed on build
host. This ensures deterministic behavior regardless of host.
(From OE-Core rev: dafd8cf38d6414ca3102695b5a55a8fd2718e584)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 718c44f282310b2ca85877fed706460ccc1eebea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* so that they can be easily and cleanly applied with "git am"
* manually fix CVE-2022-2953.patch commit message not to use UTF-8
quotes and replace it with human readable text from original commit:
8fe3735942
(From OE-Core rev: 535c814259ec63916debb17a326fa328c4f6237b)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
While this does not happen with the tiff 4.3.0 release, it does happen with
the series of patches we have, so backport the two simple changes that
restrict the tiffcrop options to avoid the vulnerability.
CVE-2022-2953.patch was taken from upstream, and a small typo was fixed
for the CVE number. The other patch is included in tiff 4.4.0 but not
4.3.0, so add it as well.
(From OE-Core rev: cd94ed01214251027d1076b67cf65c3058f51dad)
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://gitlab.com/libtiff/libtiff
MR: 120544
Type: Security Fix
Disposition: Backport from 275735d035
ChangeID: 2f9df449974f5436c1690f3ace5d74b1ab4670c9
Description:
CVE-2022-34526 libtiff: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit.
(From OE-Core rev: 4ad7470bc772e33e579947c894ed74a513fbcb39)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We never depended upon libjbig so this was never present. Add the
PACKAGECONFIG to make this explict.
CVE-2022-1210 is an issue in libjbig so we don't have a problem there,
mark as such.
(From OE-Core rev: 95f1c5d0bb7bc7cae2715d0c9b569fa369a64575)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 34e6a19f2430ee2fd0fec4bec1891e898a0d9766)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These issues only affect libtiff post-4.3.0 but before 4.4.0, caused by
3079627e and fixed by b4e79bfa.
(From OE-Core rev: 4eb0b7468383a1d0314b3bfd43ea37c95de464d9)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As far as I can tell, the patches being applied also fix CVE-2022-1056 so
mark as such.
(From OE-Core rev: 256d212fd1eb9b6d4b87c2c84b1ea2a3afdeb843)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some fix upstream addresses the issue, it isn't clear which change this was. Our
current version doesn't have issues with the test image though so we can exclude.
(From OE-Core rev: 3874da694ae1d9de06dd003bd80705205e2b033b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Doxygen in meta-oe has recently been extended for nativesdk. Doxygen is
often used together with mscgen which in turn depends indirectly on
tiff (via gd library).
(From OE-Core rev: 929cf038ec0f49e86d9ab0ec7e012320598ceb81)
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patching to make the new libtool work (from 2008) is no longer needed.
(From OE-Core rev: 4210fafa851d011023f5a58ed3887148168f861c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport fix from gitlab.com/libtiff/libtiff.
nvd.nist.gov does not yet reference this patch.
(From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 8d4dd42cf39ac33e2479cb4f9f833701d68cea62)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 65155f3719051aae2a2e716c719b78ee7ca1bb29)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.Upgrade tiff from 4.0.8 to 4.0.9.
2.Delete CVE-2017-10688.patch, CVE-2017-11335.patch, CVE-2017-13726.patch, CVE-2017-13727.patch, CVE-2017-9147.patch, CVE-2017-9936.patch, since it is integrated upstream.
(From OE-Core rev: df894b523d74f8fd723d1c8fb03f55e46c6af0f5)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1. Upgrade libtiff from 4.0.7 to 4.0.8
2. Delete the following patch file due to CVE-2017-5225 has been fixed in 4.0.8
libtiff-CVE-2017-5225.patch
(From OE-Core rev: 825927e85933322e6f195f0d937359017a9a9b97)
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp
resulting in DoS or code execution via a crafted BitsPerSample value.
Porting patch from <https://github.com/vadz/libtiff/commit/
5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225.
(From OE-Core rev: 434990304bdfb70441b399ff8998dbe3fe1b1e1f)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.
CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632
plus more that are not identified in the changelog.
removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html
(From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
