cve description:
Heap-based buffer overflow in the readgifimage function in the gif2tiff
tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a crafted height
and width values in a GIF image.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4243
(From OE-Core rev: a2a200a3951cecd7dd43dee360e0260051c97416)
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cve description:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function
in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
a denial of service (crash) or possible execute arbitrary code via a
crafted TIFF image.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4232
(From OE-Core rev: 60482e45677c467f55950ce0f825d6cb9c121c9c)
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
(From OE-Core rev: 66387677cbd85ba4a76a254942377621acd68249)
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libtiff now depends on lzma which can be obtained from xz and doesn't use lzo.
Previously, libtiff would detect and use lzma if it was present leading to
a number of race conditions including failures in things linking to libtiff
such as ghostscript since lzma could be removed while being rebuild leading
to failures in linking.
This patch corrects the dependency.
(From OE-Core rev: b6369ed4ea03fb5410f94c1ee646d488bf981987)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ensure that OpenGL and friends are disable with the
setting of ax_cv_check_gl_libgl = no.
(From OE-Core rev: 69e67ac74bda6de1243e35643ee4af8a25a5f32f)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Dont use autotools, it really not so autoconf like.
the configure script gets updated with every release of zlib
and we overwrite that. Instead use the upstream provided
configure
copyright year was changed in zlib.h which caused change in
LIC_FILE_CHECKSUM
fix.inverted.LFS.logic.patch is already applied upstream so drop it
Drop the configure.ac and Makefile.am scripts since we do not
autoreconf anymore and do not inherit autotools anymore
Bump PR for depending recipes so a rebuild it ensues so that
they dont depend on .la anymore
and add missing dependencies discovered during incremental
build
(From OE-Core rev: 50ad5230ea9e0982cdfda23fb9fcfccf89d28f29)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a quick audit of only the most obviously wrong licenses
found within OECore. These fixes fall into four areas:
- LICENSE field had incorrect format so that the parser choked
- LICENSE field has a license with no version
- LICENSE field was actually incorrect
- LICENSE field has an imaginary license that didn't exist
This fixes most of the LICENSE warnings thrown, along with my prior
commit adding additional licenses to common-licenses and additional
SPDXLICENSEMAP entries.
HOWEVER..... there is much to be done on the license front.
For a list of recipes with licenses that need obvious fixing see:
https://wiki.yoctoproject.org/wiki/License_Audit
That said, I would suggest another license audit as I've found
enough inconsistencies. A good suggestion is when in doubt, look at
how openSuse or Gentoo or Debian license the package.
(From OE-Core rev: 3083dd70b3a9fa01fcc3cf00373b05502505996e)
Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some place pnum=1 is used which is removed as well since
striplevel=1 is default
(From OE-Core rev: 4e108857e0d40105f7ecbc55e99bd6c367bb7386)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Having one monolithic packages directory makes it hard to find things
and is generally overwhelming. This commit splits it into several
logical sections roughly based on function, recipes.txt gives more
information about the classifications used.
The opportunity is also used to switch from "packages" to "recipes"
as used in OpenEmbedded as the term "packages" can be confusing to
people and has many different meanings.
Not all recipes have been classified yet, this is just a first pass
at separating things out. Some packages are moved to meta-extras as
they're no longer actively used or maintained.
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
Baogen Shang
Ming Liu
Saul Wold
Martin Jansa
Richard Purdie
Khem Raj
Elizabeth Flanagan
Dongxiao Xu
Qing He
Richard Purdie