| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following security issues:
CVE-2017-6362: Double-free in gdImagePngPtr()
CVE-2017-7890: Buffer over-read into uninitialized memory
Drop patches no more needed:
0001-gdlib-config.patch: @LIBICONV@ is nowadays correct AC_SUBST'ed by
configure
0002-gd_bmp-fix-build-with-uClibc.patch: upstream uses ceil() since
https://github.com/libgd/libgd/commit/6913dd3cd2a7c2914ad9622419f9343bfe956135
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
CVE-2016-9317 - gdImageCreate() doesn't check for oversized images and
as such is prone to DoS vulnerabilities.
CVE-2016-6912 - double-free in gdImageWebPtr()
(without CVE):
Potential unsigned underflow in gd_interpolation.c
DOS vulnerability in gdImageCreateFromGd2Ctx()
Signed Integer Overflow gd_io.c
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security related fixes:
This flaw is caused by loading data from external sources (file, custom ctx,
etc) and are hard to validate before calling libgd APIs:
- fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
- bug #248, fix Out-Of-Bounds Read in read_image_tga
- gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)
Using application provided parameters, in these cases invalid data causes
the issues:
- Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
- fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128)
- improve color check for CropThreshold
The build system now enables -Wall and -Werror by default, so pass
--disable-werror to disable that. Notice that this issue has been fixed
upstream post-2.2.3:
https://github.com/libgd/libgd/issues/339
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
| |
[Peter: drop tools comment]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop upstreamed patches.
Drop autoreconf since it's no longer required.
Patch 0002-no-zlib.patch is no longer required, and is in fact harmful.
Update homepage URL.
Fixes:
CVE-2015-8874 - #215 Stack overflow with gdImageFillToBorder
CVE-2016-3074 - gd2: handle corrupt images better
CVE-2016-5767 - Integer Overflow in gdImagePaletteToTrueColor()
resulting in heap overflow
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since bumping libvpx to 1.4.0
http://git.buildroot.net/buildroot/commit/package/libvpx?id=7d9a0c4d3960bb470e993494ac350b1415b72442
building gd was broken.
This patch adds some upstream commits which switch the dependency from libvpx to webp.
Fixes
http://autobuild.buildroot.net/results/046/046dd505feb5e92bdee3d0993366be162da1223a/
http://autobuild.buildroot.net/results/617/61739df0009015451ba78a7ca335dcc0d0dedcc8/
http://autobuild.buildroot.net/results/526/526550e73581a91427b394d566d3389554ee90ed/
http://autobuild.buildroot.net/results/b89/b89d7e3a1fc9403984bcd6462b8fd8d1196f2095/
http://autobuild.buildroot.net/results/dfe/dfed2b62aad83cc960ba3c93b7f0a994f18ad22a/
http://autobuild.buildroot.net/results/a91/a919d2bcbbd573e7a5556fbcdea053d4d451dd50/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
| |
Needed to get reproducable builds and to reproduce this build error:
http://autobuild.buildroot.net/results/046/046dd505feb5e92bdee3d0993366be162da1223a/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
| |
Also add hash file.
Remove CVE patch since it's upstream.
Rename patches to new naming convention.
Kill some whitespace.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
This ensures reproducible builds.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First of two patches to fix
http://autobuild.buildroot.net/results/238/2386edb7f95920e84a35811a33f4333ee0a7a860/
gd links against libiconv if it is already built, depend on libiconv
to get reproducable builds.
readelf output without libiconv present:
$ output/host/opt/ext-toolchain/bfin-linux-uclibc/bin/bfin-linux-uclibc-readelf \
-a output/staging/usr/lib/libgd.a | grep iconv
15: 00000000 12 FUNC GLOBAL HIDDEN 1 _iconv_open
16: 0000000c 12 FUNC GLOBAL HIDDEN 1 _iconv
17: 00000018 12 FUNC GLOBAL HIDDEN 1 _iconv_close
readelf output with libiconv present:
$ output/host/opt/ext-toolchain/bfin-linux-uclibc/bin/bfin-linux-uclibc-readelf \
-a output/staging/usr/lib/libgd.a | grep iconv
000000e4 0000100a R_BFIN_PCREL24 00000000 _libiconv_open + 0
00000140 0000140a R_BFIN_PCREL24 00000000 _libiconv + 0
0000019a 0000160a R_BFIN_PCREL24 00000000 _libiconv_close + 0
16: 00000000 0 NOTYPE GLOBAL DEFAULT UND _libiconv_open
20: 00000000 0 NOTYPE GLOBAL DEFAULT UND _libiconv
22: 00000000 0 NOTYPE GLOBAL DEFAULT UND _libiconv_close
[Peter: also add to LIBS so it ends up in gdlib-config --libs output]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
| |
So gdlib-config --libs returns the full dependency chain (-lpng16 -lz -m)
when linking statically.
Fixes http://autobuild.buildroot.net/results/dac/dac3eb950c7c27b2f09f001f9db9936f897721f9/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
| |
configure uses PKG_CHECK_MODULES, so it needs to depend on host-pkgconf.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
| |
gd forgets to link utilities with -pthread even though it uses pthreads,
causing linking errors with static linking.
Fixes http://autobuild.buildroot.net/results/156/1564b8de7785c1a756bead1a4160a2b6e2a2243e/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes CVE-2014-2497 - NULL pointer dereference
Patch from upstream:
https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since the trailing slash is stripped from $($(PKG)_SITE) by pkg-generic.mk:
$(call DOWNLOAD,$($(PKG)_SITE:/=)/$($(PKG)_SOURCE))
so it is redundant.
This patch removes it from $(PKG)_SITE variable for BR consistency.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
| |
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
| |
Drop obsolete/applied patches. Refresh the rest, and add sequence numbers.
Add a patch fixing build against uClibc when UCLIBC_HAS_LONG_DOUBLE_MATH is
missing.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
| |
Fixes:
http://autobuild.buildroot.net/results/4b4/4b4272876385cc21dd06ee946d658b8f9e225d78/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes the following whitespace problems in Config.in files:
- trailing whitespace
- spaces instead of tabs for indentation
- help text not indented with tab + 2 spaces
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
| |
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use the <pkg>_CONFIG_SCRIPTS mechanism in all packages for which it
does all what the package was doing. A few packages, like libxslt, are
for now left out, since they need some additional fixup (for example a
fixup of includedir).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
| |
|
|
|
|
|
| |
Otherwise it will try to run freetype-config from the host to check
for availability.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The gd package configure call 'libpng-config' to get the compiler
flags required to use the libpng. The configure correctly allow to
specify the path of the staging libpng-config by using the
ac_cv_path_LIBPNG_CONFIG but the configure.ac call simply
'libpng-config' instead of the specified one. The configure.ac is now
modified to call the specified libpng_config.
[Peter: explictly pass --without-png instead of auto detect]
Signed-off-by: Jean-Christian de Rivaz <jc@eclis.ch>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
| |
|
|
|
|
|
|
| |
Fixes
http://autobuild.buildroot.net/results/e3a2a81327877f9482341daff9623d759d1b2900/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
| |
|
|
|
|
| |
Fixes http://autobuild.buildroot.net/results/3309617d2d5e14c0713dbaf9185815d79293e33b
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
|
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
