diff options
author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-11-25 17:41:34 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-11-25 17:41:44 +0300 |
commit | 6dbb316ab9052d4dbf158377e1ffe36f205d5477 (patch) | |
tree | 721c5dfa7946f5188240620aa7d138f8a688e9f7 /poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch | |
parent | 8410d61f39efb52ffab1dc89efb05ca3ae837907 (diff) | |
download | openbmc-6dbb316ab9052d4dbf158377e1ffe36f205d5477.tar.xz |
poky: subtree update:a616ffebdc..9052e5b32a
Adrian Bunk (1):
bind: Whitelist CVE-2019-6470
Alexander Kanavin (13):
python: update to 2.7.17
tiff: update to 4.1.0
librepo: upgrade 1.10.6 -> 1.11.0
btrfs-tools: upgrade 5.3 -> 5.3.1
psmisc: update to 23.3
libxslt: update to 1.1.34
Revert "devtool/standard.py: Not filtering devtool workspace for devtool finish"
mpg123: upgrade 1.25.12 -> 1.25.13
vala: upgrade 0.46.3 -> 0.46.4
sysstat: upstream version check is working again
cairo: the component is dual licensed
selftest: check that 'devtool upgrade' correctly drops backported patches
runqemu: add options that enable virgl with the SDL frontend
Alistair Francis (1):
mesa: Upgrade to 19.2.4
Anuj Mittal (7):
boost: fix build for x32
rng-tools: upgrade 6.7 -> 6.8
harfbuzz: upgrade 2.6.1 -> 2.6.4
libsolv: upgrade 0.7.6 -> 0.7.8
sqlite3: upgrade 3.30.0 -> 3.30.1
stress-ng: upgrade 0.10.08 -> 0.10.10
glib-2.0: upgrade 2.62.1 -> 2.62.2
Armin Kuster (9):
oeqa/manual/bsp-hw: remove rpm -ivh test
oeqa/runtime/boot: add reboot test
oeqa/manual/bsp-hw: remove reboot test
oeqa/manual/bsp-hw: move storage tests to runtime
oeqa/manual/bsp-hw: remove usb and SDmicro tests
manual/bsd-hw: remove bash tests
oeqa/manual/compliance-test: remove crashme tests
oeqa/manual/compliance-test: move crashme to runtime
/oeqa/manual/compliance-test: remove obsolete test
Chee Yang Lee (2):
wic: rm with -r flag support
selftest/wic: test wic rm with -r flag
Denys Dmytriyenko (1):
distro_features_check: expand with MACHINE_FEATURES and COMBINED_FEATURES, rename
Kai Kang (1):
systemd: remove ${PN}-xorg-xinitrc
Khem Raj (1):
webkitgtk: Remove clang specific option
Paul Barker (1):
cdrtools-native: Don't set uid/gid during install
Paul Eggleton (1):
devtool: fix devtool upgrade with reproducible_builds class
Richard Purdie (10):
oeqa/devtool: Avoid unbound variable errors
recipetool/create: Fix to work with reproducible_builds
opkg: Add upstream fixes for empty packages
opkg-utils: Fix silent empty/broken opkg package creation
core-image-full-cmdline: Add less
bitbake: fetch2/clearcase: Fix warnings from python 3.8
bitbake: runqueue: Fix hash equivalence duplicate tasks running
sanity: Add check for tar older than 1.28
oeqa/selftest/sstatetests: Ensure we don't use hashequiv for sstatesigs tests
package_ipk: Remove pointless comment to trigger rebuild
Ross Burton (8):
cve-update-db-native: don't hardcode the database name
cve-update-db-native: add an index on the CVE ID column
cve-update-db-native: clean up proxy handling
cve-check: rewrite look to fix false negatives
cve-check: neaten get_cve_info
cve-check: fetch CVE data once at a time instead of in a single call
bitbake: tests: add test for the hashing functions
bitbake: utils: also use mmap for SHA256 and SHA1, for performance
Yi Zhao (1):
bitbake: contrib/vim/indent/bitbake.vim: move it to correct directory
Change-Id: I526155f21145180c764252a2ae5bfba33def10ff
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch')
-rw-r--r-- | poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch | 103 |
1 files changed, 0 insertions, 103 deletions
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch deleted file mode 100644 index 04c541093..000000000 --- a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch +++ /dev/null @@ -1,103 +0,0 @@ -libtiff: fix CVE-2019-17546 - -Added after 4.0.10 release. - -CVE: CVE-2019-17546 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff] -Signed-off-by: Joe Slater <joe.slater@windriver.com> - -commit 4bb584a35f87af42d6cf09d15e9ce8909a839145 -Author: Even Rouault <even.rouault@spatialys.com> -Date: Thu Aug 15 15:05:28 2019 +0200 - - RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index c88b5fa..4da785d 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - fromskew = (w < imagewidth ? imagewidth - w : 0); - for (row = 0; row < h; row += nrow) - { -+ uint32 temp; - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - nrowsub = nrow; - if ((nrowsub%subsamplingver)!=0) - nrowsub+=subsamplingver-nrowsub%subsamplingver; -+ temp = (row + img->row_offset)%rowsperstrip + nrowsub; -+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig"); -+ return 0; -+ } - if (_TIFFReadEncodedStripAndAllocBuffer(tif, - TIFFComputeStrip(tif,row+img->row_offset, 0), - (void**)(&buf), - maxstripsize, -- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1) -+ temp * scanline)==(tmsize_t)(-1) - && (buf == NULL || img->stoponerr)) - { - ret = 0; -@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - fromskew = (w < imagewidth ? imagewidth - w : 0); - for (row = 0; row < h; row += nrow) - { -+ uint32 temp; - rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip; - nrow = (row + rowstoread > h ? h - row : rowstoread); - offset_row = row + img->row_offset; -+ temp = (row + img->row_offset)%rowsperstrip + nrow; -+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate"); -+ return 0; -+ } - if( buf == NULL ) - { - if (_TIFFReadEncodedStripAndAllocBuffer( - tif, TIFFComputeStrip(tif, offset_row, 0), - (void**) &buf, bufsize, -- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ temp * scanline)==(tmsize_t)(-1) - && (buf == NULL || img->stoponerr)) - { - ret = 0; -@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - } - else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0), -- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ p0, temp * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - if (colorchannels > 1 - && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1), -- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) -+ p1, temp * scanline) == (tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - } - if (colorchannels > 1 - && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2), -- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1) -+ p2, temp * scanline) == (tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; -@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - if (alpha) - { - if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels), -- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1) -+ pa, temp * scanline)==(tmsize_t)(-1) - && img->stoponerr) - { - ret = 0; |