The code in these two functions is meant to be equivlanet in behaviour
but isn't. Add in code to ensure files that don't exist are handled
consistently by both functions. Users did report being able to generate
tracebacks otherwise.
(Bitbake rev: 51e913e178a02bb603ddf874669e3ce54f90bd5d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is the potential for sensitive information to leak through the urls
there and removing it brings this into the behavior of the other package
backends since filtering it is likely error prone.
Since ipks don't appear to be generated at all if we don't set this, set
the field to the recipe name used (basename only, no paths). This avoids
information leaking. We may want to drop the field if opkg can allow that
at a future point but the recipe name is a suitable identifier for now.
Reported-by: Andrej Valek <andrej.valek@siemens.com>
(From OE-Core rev: 1aa51cfb4b8d10f478b1a6a68c69a3e35342b1c0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The release was pushed from May to June for 2.1.3 (krogoth). Updated
all manual revision tables.
(From yocto-docs rev: 5ec75c194147fecf0bda8095e430cdd8e6f34b6b)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Meson revision was locked down but the license list change wasn't actually
committed...
Also specify the exact path for recipetool to write to, for clarity.
(From OE-Core rev: cbd6a2de4d8bda44f1d53956acc49a4bef810e95)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recent distros are enabling -pie by default; in case of grub
we need to turn it off.
(From OE-Core rev: aaff6c99dde3f1058bb3c4b320f27753c6c992ad)
(From OE-Core rev: 720ac6e2b46d4d78244033a2474a2716a7a08b03)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This doubles the amount of extra space that is provided for SMART and
RPM, as they consume more disk space during qa testing via testimage
[YOCTO #9800]
(From OE-Core rev: 2d636068d9d3a1ea2db3ace49462be13ba9ef125)
(From OE-Core rev: 1d35417502aa8bce9d65d15f29d9d7bee077b7cc)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The test_recipetool_create_github test fetches HEAD of the repository so
upstream changes can (and do) break the test. Avoid these problems by passing
the rev= argument in the URL to lock the checkout to the same version that is
fetched in the github_tarball test.
Also pass the commands to runCmd() as a list instead of a string, the semicolon
in the URL needs more quotes if the shell is involved and passing a list
bypasses the shell entirely.
(From OE-Core rev: b7a26dbca4d92b36aeb8b183e679701b5706adb0)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This test works fine with su, which is more likely to be installed in images
than sudo.
(From OE-Core rev: 59d10be745a1f7d31c68e4d5da9e1c3461b7d390)
(From OE-Core rev: 0c35ac4b1b78a0b1be8e50ced5502c1bf9d31774)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Building libunwind, then gcc-runtime causes build failures. This is hard
to fix since gcc-runtime wants the internal gcc unwind.h header but libunwind
wants to provide this. There are differences in include behaviour between gcc
and glibc which are by design.
This patch hacks around the issue by looking for a define used during gcc-runtime's
build and skipping to the internal header in that case. The patch is only enabled
on musl and is the best workaround I could come up with to unblock failing builds
on our autobuilder.
[YOCTO #10129]
(From OE-Core rev: 793b6e57d7cf4a093223b4cd34085a929a5c43c3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This test was backported and doesn't function quite the same way under
krogoth since some of the extended python license checking wasn't yet
added. This tweaks the output to match the expected result in krogoth.
(From OE-Core rev: fcb2fcae57df403f1fff4b9ddb6b2d52e41aea33)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This occasionally triggered autobuilder errors where the .gir file
appeared truncated to introspection tools.
(From OE-Core rev: 2154c1c803b7bd36a1401fa657e7fd8cb1060a70)
RP: backported from 2.12 to 2.10
(From OE-Core rev: cf06e8aa07c8b60a377b4716be5c72311be12f1c)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Gna! project announced that the download site from gna.org HTTP server
will soon be closing down. We have verified that the site is no longer
accessible without network proxy cache. We need to update SRC_URI to
point to new alternative (nwl.cc HTTP server) in order to avoid fetcher
issues in future.
[YOCTO #11575]
(From OE-Core rev: 0314442ec4cb280fd8ad2f9deb9b3ec8842f8c2a)
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are issues with a change made to RTLD_NEXT behaviour in glibc 2.24
and that change was also backported to older glibc versions in some distros
like Fedora 23. This adds a workaround whilst the pseudo maintainer fixes
various issues properly.
(From OE-Core rev: 21c38a091c4a1917f62a942c4751b0fd11dce340)
(From OE-Core rev: 47f5c2a52f93e1984b0269c708ca5218b9fd41ec)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
"make alltests" is sensitive to the timestamps of the installed
files. Depending on the order in which cp copies files, .o and/or
executables may end up with time stamps older than the source files.
Running tests then triggers recompilation attempts, which typically
will fail because dev tools and files are not installed.
"cp -a" is not enough because the files also have to be newer than
the installed header files. Setting the file time stamps to
the current time explicitly after copying solves the problem because
do_install_ptest_base is guaranteed to run after do_install.
(From OE-Core rev: 101e2a5e0b7822ca3de3d3a73369405c05ab3c5b)
(From OE-Core rev: b309bfa265456cda7269ff67e9df5f5c05a9a5a5)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The openssl-c_rehash.sh script reports duplicate files and files which
don't contain a certificate or CRL by echoing a WARNING to stdout.
This warning gets picked up by the log checker during rootfs and results
in several warnings getting reported to the console during an image build.
To prevent the log from being overrun by warnings related to certificates
change these messages in openssl-c_rehash.sh to be prefixed with NOTE not
WARNING.
(From OE-Core rev: 88c25318db9f8091719b317bacd636b03d50a411)
(From OE-Core rev: c270ebf9235c5414de1bf80ff40253f5a98dca2a)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Debian and other generic distributions has moved the certificates for
sysconfdir (/etc/ssl) and made the libdir content to link for it.
This provides several advantages specially for read-only
rootfs. Another benefit is that it ensures foreign implementations
(e.g: BoringSSL, from Chromium, when running with OpenSSL backend for
the certificates) to find the content correctly.
(From OE-Core rev: 50d63fa346bbb05dafffc0cb55e21e1092272d95)
(From OE-Core rev: 735f4528b5046024f118658cda8ee340ff8aa082)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The PLD Linux distribution has ported the c_rehash[1] utility from Perl
to Shell-Script, allowing it to be shipped by default.
1. https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761
The OpenSSL upstream intends[2] to convert the utility for C however
did not yet finished the conversion.
2. https://rt.openssl.org/Ticket/Display.html?id=2324
This patch adds this script and thus removed the Perl requirement for
it.
(From OE-Core rev: cb6150f1a779e356f120d5e45c91fda75789970a)
(From OE-Core rev: 9ae6e105bb689faf004f60bb4f9f0ea56e3b8fde)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Regarding the last commit about missing dependencies, another issue
was found. The problem was found, while ptest has been built with some
set extra settings. It means, when ptest is going to be built,
it is necessary to rebuild dependencies for test directory too.
(From OE-Core rev: 030142d0410bec85aeacfff6be27d5fed41ce808)
(From OE-Core rev: 28419a4e9ad9430e477c1eb7f2a2d1f328bcacaf)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Settings from EXTRA_OECONF like en/disable no-ssl3, are transferred
only into DEPFLAGS. It means that settings have no effect on output files.
DEPFLAGS will be transferred into output files with make depend command.
https://wiki.openssl.org/index.php/Compilation_and_Installation#Dependencies
(From OE-Core rev: e3c251427a305780d3257a011260bd978de273d5)
(From OE-Core rev: 11c388226399ec703f4f67ae7cf11c1e4e332710)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
MIPS64 target was being configured for linux-mips which defaults to
MIPS32. Doesn't cause any issue as far as I can see but it would be
wiser to use the correct target configuration.
Also add MIPS64le configuration which is missing.
(From OE-Core rev: 0afec72913bc31d315cba079da317e8b28755ded)
(From OE-Core rev: e2b2fbe05fe97a512265d9978011650415e1589a)
Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ERROR: Task 944 (virtual:nativesdk:/home/akuster/oss/maint/poky/meta/recipes-multimedia/libpng/libpng_1.6.21.bb, do_checkuri) failed with exit code '1'
ERROR: libpng12-1.2.56-r0 do_checkuri: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work
ERROR: Logfile of failure stored in: /home/akuster/oss/maint/poky/build/tmp/work/i586-poky-linux/libpng12/1.2.56-r0/temp/log.do_checkuri.14781
Log data follows:
| DEBUG: Executing python function do_checkuri
| DEBUG: Testing URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz
| DEBUG: checkstatus() urlopen failed: HTTP Error 404: Not Found
| DEBUG: Python function do_checkuri finished
| ERROR: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work
SF now has a old releases dir which contains this tarball. It got dropped from Gentoo
(From OE-Core rev: 30722ea82dd8e90c33d607e1a8847dabf16b4225)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream have removed the file from zlib.net as a new version has
been released, switch to fetching from the official sourceforge
mirror.
[YOCTO #10879]
(From OE-Core rev: bb99e4a620efd59556539c156cd98ea23aae74c8)
(From OE-Core rev: b7599330f1d629384e16a5fbeffc1a65c1555667)
(From OE-Core rev: d2522df5bf85875a896d3b7ddeb20b63af3f4470)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With enabled SSTATE_MIRRORS sstate code expects mirrors to
contain entries for all tasks, which is not the case for ext
installer as it uses reduced sstate cache.
Added do_package tasks to BB_SETSCENE_ENFORCE_WHITELIST to prevent
installer failing with ERROR: Sstate artifact unavailable
[YOCTO #10832]
(From OE-Core rev: 2ed46ada4b8e496493835e84b36f7e9c367f59d2)
(From OE-Core rev: eb2fc2cd9081a4533ed30fe81c9f491b06cc5ae1)
(From OE-Core rev: 6549641a65b8e67ed46400921f89acf395f13a80)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Mapped uninative sstate directories to make ext SDK installer to
use them when it's run on systems with gcc version different from
gcc version used to build installer.
[YOCTO #10832]
(From OE-Core rev: fb945c0fd2e66d70461e6cf2e602020eeabe32f7)
(From OE-Core rev: 31ce79200035584c26576afe043688132532bc8b)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of
service (out-of-bounds write) or execute arbitrary code via a crafted
TIFF image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632http://bugzilla.maptools.org/show_bug.cgi?id=2549https://bugzilla.redhat.com/show_bug.cgi?id=1325095
The patch is from RHEL7.
(From OE-Core rev: 9206c86239717718be840a32724fd1c190929370)
(From OE-Core rev: 0c6928f4129e5b1e24fa2d42279353e9d15d39f0)
(From OE-Core rev: f10cef0119c3bcf5b23a142f131a2d452ef2b837)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658http://bugzilla.maptools.org/show_bug.cgi?id=2546
Patch from:
45c68450be
(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
(From OE-Core rev: cc266584158c8dfc8583d21534665b6152a4f7ee)
(From OE-Core rev: 7ba456a35e0e75e0e8b3d8f9530aab312775672d)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
hasPackage() was looking for the string provided as an RE substring in the
manifest, which resulted in a large number of false positives (i.e. libgtkfoo
would match "gtk+").
Rewrite the manifest loader to parse the files into a proper data structure,
change hasPackage to do full string matches, and add hasPackageMatch which does
RE substring matches.
(From OE-Core rev: b9409863af71899e02275439949e3f4cdfaf2d0f)
(From OE-Core rev: 990db70dac60541ef14977177fff4361e31c51eb)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Briefly: Cyprus split into two time zones on 2016-10-30, and Tonga
reintroduces DST on 2016-11-06.
Changes to future time stamps
Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on
2017-01-15 at 03:00. Assume future observances in Tonga will be
from the first Sunday in November through the third Sunday in
January, like Fiji. (Thanks to Pulu ʻAnau.) Switch to numeric
time zone abbreviations for this zone.
Changes to past and future time stamps
Northern Cyprus is now +03 year round, causing a split in Cyprus
time zones starting 2016-10-30 at 04:00. This creates a zone
Asia/Famagusta. (Thanks to Even Scharning and Matt Johnson.)
Antarctica/Casey switched from +08 to +11 on 2016-10-22.
(Thanks to Steffen Thorsen.)
Changes to past time stamps
Several corrections were made for pre-1975 time stamps in Italy.
These affect Europe/Malta, Europe/Rome, Europe/San_Marino, and
Europe/Vatican.
First, the 1893-11-01 00:00 transition in Italy used the new UT
offset (+01), not the old (+00:49:56). (Thanks to Michael
Deckers.)
Second, rules for daylight saving in Italy were changed to agree
with Italy's National Institute of Metrological Research (INRiM)
except for 1944, as follows (thanks to Pierpaolo Bernardi, Brian
Inglis, and Michael Deckers):
The 1916-06-03 transition was at 24:00, not 00:00.
The 1916-10-01, 1919-10-05, and 1920-09-19 transitions were at
00:00, not 01:00.
The 1917-09-30 and 1918-10-06 transitions were at 24:00, not
01:00.
The 1944-09-17 transition was at 03:00, not 01:00. This
particular change is taken from Italian law as INRiM's table,
(which says 02:00) appears to have a typo here. Also, keep the
1944-04-03 transition for Europe/Rome, as Rome was controlled by
Germany then.
The 1967-1970 and 1972-1974 fallback transitions were at 01:00,
not 00:00.
(From OE-Core rev: daf95f7fd9f7ab65685d7b764d8e50df8d00d308)
(From OE-Core rev: 989be1015d678ed6b11fde3bd153a92a42e8ec72)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes to code
The code should now be buildable on AmigaOS merely by setting the
appropriate Makefile variables. (From a patch by Carsten Larsen.)
(From OE-Core rev: d2b8c4ee535684f5d874082a7f76efbda1907ea5)
(From OE-Core rev: 866d48628393acc9ea95ba50453f34a192aaadc4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
92d966a5fc
(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
(From OE-Core rev: 928eadf8442cf87fb2d4159602bd732336d74bb7)
(From OE-Core rev: e2eeb68f33e671d9520afda149f5aea27ab546bd)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier
allows remote attackers to cause a denial of service (divide-by-zero) by
setting the (1) v or (2) h parameter to 0.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623http://bugzilla.maptools.org/show_bug.cgi?id=2569
Patch from:
bd024f0701
(From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9)
(From OE-Core rev: f0e77ffa6bbc3adc61a2abd5dbc9228e830c055d)
(From OE-Core rev: 4cb329454fec849ca0ea6106d78d1240c760bd11)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage
function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote
attackers to cause a denial of service (out-of-bounds write) or execute
arbitrary code via a crafted TIFF image with zero tiles.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991http://bugzilla.maptools.org/show_bug.cgi?id=2543
Patch from:
e596d4e27c
(From OE-Core rev: d31267438a654ecb396aefced201f52164171055)
(From OE-Core rev: cf58711f12425fc1c29ed1e3bf3919b3452aa2b2)
(From OE-Core rev: a0115f89df6c082949796a75551ea43b35c39ccd)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3990 libtiff: Heap-based buffer overflow in the
horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and
earlier allows remote attackers to cause a denial of service (crash) or
execute arbitrary code via a crafted TIFF image to tiffcp.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3990http://bugzilla.maptools.org/show_bug.cgi?id=2544
Patch from:
6a4dbb07cc
(From OE-Core rev: c6492563037bcdf7f9cc50c8639f7b6ace261e62)
(From OE-Core rev: d7165cd738ac181fb29d2425e360f2734b0d1107)
(From OE-Core rev: 5e87d1d9e2861521b52216625a68649a44748ce3)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
attackers to cause a denial of service (crash) or execute arbitrary code
via a crafted TIFF image, which triggers an out-of-bounds write.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945http://bugzilla.maptools.org/show_bug.cgi?id=2545
Patch from:
7c39352ccd
(From OE-Core rev: 04b9405c7e980d7655c2fd601aeeae89c0d83131)
(From OE-Core rev: 3a4d2618c50aed282af335ef213c5bc0c9f0534e)
(From OE-Core rev: 0add1a3b19c4807afdfcd1c2ea6f4a382466adf7)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
