OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2016.11 2016-11-29T21:36:00+00:00 2016-11-29T21:36:00+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2016-11-29T11:23:03+00:00 urn:sha1:97f8aa4005be8456af52cacd5cfb4b077e55b5fa Fixed CVEs: - CVE-2016-9387 - CVE-2016-9388 - CVE-2016-9389 - CVE-2016-9390 - CVE-2016-9391 - CVE-2016-9392 - CVE-2016-9393 - CVE-2016-9394 - CVE-2016-9395 - CVE-2016-9396 - CVE-2016-9397 - CVE-2016-9398 - CVE-2016-9399 - CVE-2016-9557 - CVE-2016-9560 Changes to jasper.mk: - Switched site method to GitHub. 1.900.31 is not released as a tarball in the official website. - Autoreconf necessary since there isn't any configure script. We need to generate it. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-11-13T11:23:17+00:00 Baruch Siach baruch@tkos.co.il 2016-11-12T19:29:56+00:00 urn:sha1:4605967780e9ecd14fba8100618963247ba72442 The -pedantic-errors gcc option turns -pedantic warnings into errors. This mostly affects older gcc versions that default to the ISO90 C standard. Use the --disable-strict configure option to remove -pedantic-errors. Fixes: http://autobuild.buildroot.net/results/191/191f80779df1a9e6f832106e6c4bdf601e2a9893/ http://autobuild.buildroot.net/results/1fe/1febccc7215814490fa3c776b34bc367363afe39/ http://autobuild.buildroot.net/results/a6f/a6f9bfec3406fc21b130f1669e3534651b9c9596/ Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-11-11T14:07:43+00:00 Baruch Siach baruch@tkos.co.il 2016-11-10T17:54:39+00:00 urn:sha1:7a21e6e9e3095197267d11c0844e94d648d5f379 Fixes: CVE-2016-8693: Double free vulnerability in mem_close CVE-2016-8692: Divide by zero in jpc_dec_process_siz CVE-2016-8691: Divide by zero in jpc_dec_process_siz CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() CVE-2016-8886: memory allocation failure in jas_malloc CVE-2016-8887: Null pointer dereference in jp2_colr_destroy CVE-2016-8884, CVE-2016-8885: Null pointer dereference in bmp_getdata (incomplete fix for CVE-2016-8690) CVE-2016-8880: Heap buffer overflow in jpc_dec_cp_setfromcox() CVE-2016-8881: Heap buffer overflow in jpc_getuint16() CVE-2016-8882: Null pointer access in jpc_pi_destroy CVE-2016-8883: Assert in jpc_dec_tiledecode() Drop upstream patches. Change SITE to the official download location, since the current one does not have the updated version. Unfortunately, the official site only offers tar.gz. Fix license. It is "based on the MIT license", but not exactly the same (http://www.ece.uvic.ca/~frodo/jasper/; under "Legal Issues"). Drop autoreconf; the autotools version has been updated since commit 324ccec90d (jasper: autoreconf to fix rpath issue) that introduced it. Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-08-17T06:39:36+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-08-17T01:05:54+00:00 urn:sha1:61e069e164a3727b7c3a6e5ee88b3340bed0a57f Fixes: CVE-2016-2116 - Memory leak in jas_iccprof_createfrombuf causing memory consumption. CVE-2016-1577 - Double free vulnerability in jas_iccattrval_destroy. CVE-2016-1867 - out-of-bounds read in the jpc_pi_nextcprl() function. CVE-2015-5221 - Use-after-free and double-free flaws in Jasper JPEG-2000 library. CVE-2015-5203 - double free in jasper_image_stop_load() Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2015-07-16T20:36:36+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-07-15T18:28:23+00:00 urn:sha1:1a4bf69188360a76c6bc38183c3d0651a7297214 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> 2015-05-19T19:36:18+00:00 Max Filippov jcmvbkbc@gmail.com 2015-05-19T18:29:00+00:00 urn:sha1:71d9b0c1f06896f113b09e941aa84d979bff5710 xtensa gcc is not able to generate correct code when compiling with -O0 enabled by --enable-debug. Instead of disabling package build it with --disable-debug. Fixes: http://autobuild.buildroot.net/results/5d17055027055ffd33fcd28b208130afb26343c9/ Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2015-05-19T19:36:05+00:00 Max Filippov jcmvbkbc@gmail.com 2015-05-19T18:28:59+00:00 urn:sha1:4dcf9d14b5d6dc2f2e0f349756d17f8ffb99604e This drops architecture-specific ABI flags, which may be important. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2015-01-26T22:13:44+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-01-26T20:45:49+00:00 urn:sha1:ddfce0448d7e1bbce70d8b5b5924a0ac39df1e9e Fixes: CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2014-12-19T20:41:17+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2014-12-19T18:32:18+00:00 urn:sha1:b6e4e9de41c52cafbb7fe708333731ca0ddecaa4 Fixes: CVE-2014-8137 - double-free in jas_iccattrval_destroy() CVE-2014-8138 - heap overflow in jp2_decode() Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2014-12-10T20:24:04+00:00 Baruch Siach baruch@tkos.co.il 2014-12-10T18:57:23+00:00 urn:sha1:421b4d0dde756969e4fc2abecd293dd97dcc62f3 See http://www.ocert.org/advisories/ocert-2014-009.html for the details. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>