OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2017.08 2017-07-14T17:31:03+00:00 2017-07-14T17:31:03+00:00 Peter Korsgaard peter@korsgaard.com 2017-07-14T14:24:26+00:00 urn:sha1:544ac6bca09edabb587db42ccb3ae51df58a3a56 Fixes CVE-2017-10688 - n LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-05-22T13:38:09+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-05-22T10:13:53+00:00 urn:sha1:3301fbb516992db94e3481690074640d2db9773b Patch 0001 already included in this release: https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1 Patch 0002 already included in this release: https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Patch 0003 already included in this release: https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 Patch 0004 already included in this release: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 Patch 0005 already included in this release: https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7 Patch 0006 already included in this release: https://github.com/vadz/libtiff/commit/48780b4fcc425cddc4ef8ffdf536f96a0d1b313b Patch 0007 already included in this release: https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1 Patch 0008 already included in this release: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b Patch 0009 already included in this release: https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1 Patch 0010 already included in this release: https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Patch 0011 already included in this release: https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 Patch 0012 already included in this release: https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 Patch 0013 already included in this release: https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-05-02T12:42:05+00:00 Adam Duskett Aduskett@gmail.com 2017-04-22T17:18:06+00:00 urn:sha1:168be5c2dbfdd8e37bf87fff321d3bf45e0bb948 The check-package script when ran gives warnings on ordering issues on all of these Config files. This patch cleans up all warnings related to the ordering in the Config files for packages starting with the letter t in the package directory. The appropriate ordering is: type, default, depends on, select, help See http://nightly.buildroot.org/#_config_files for more information. Signed-off-by: Adam Duskett <Adamduskett@outlook.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-27T12:12:24+00:00 Peter Korsgaard peter@korsgaard.com 2017-04-26T21:58:14+00:00 urn:sha1:030fe340af365b834c15142f862e0de6d5f95737 Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing the following security issues: CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-06T20:41:45+00:00 Ricardo Martincoski ricardo.martincoski@gmail.com 2017-04-04T22:50:14+00:00 urn:sha1:4ef04c476c79c7efe05b8befc35eb20997fcaaa4 Occurrences were searched using [1]: check-package --include-only TrailingBackslash $(find * -type f) and manually removed. [1] http://patchwork.ozlabs.org/patch/729669/ Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-11-21T20:16:48+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2016-11-21T10:13:50+00:00 urn:sha1:ebd63d405f3feaec2798cf950c91adbcd112f344 Fixed CVEs: - CVE-2016-3622 - CVE-2016-3623 - CVE-2016-5321 - CVE-2016-5323 - CVE-2016-5652 - CVE-2016-5875 - CVE-2014-8127 - CVE-2015-8665 - CVE-2015-8683 - CVE-2016-9273 - CVE-2016-9448 Release notes: http://www.simplesystems.org/libtiff/v4.0.7.html Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-11-18T13:48:56+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2016-11-18T11:46:02+00:00 urn:sha1:d149dae430d09dfb77d5a938e5581def5b866735 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-07-04T21:23:35+00:00 Yann E. MORIN yann.morin.1998@free.fr 2016-07-04T09:24:33+00:00 urn:sha1:e66ce8a30013ba1c4805f36c3e558bf3ac448dcc Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-05-05T06:11:18+00:00 Baruch Siach baruch@tkos.co.il 2016-05-03T12:00:15+00:00 urn:sha1:d8f86830b000481b9544fff67d3f69b9d2937299 The current linked website is not up to date, since the libtiff.org domain was apparently hijacked years ago. See http://www.asmail.be/msg0055472296.html. Correct this. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-04-15T18:24:05+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-04-05T23:31:23+00:00 urn:sha1:91b16fbbf9dbd997263d2e157e5503732418760b Add host variant to be used by host-gdk-pixbuf to update the loaders cache. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>