CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of
service (out-of-bounds write) or execute arbitrary code via a crafted
TIFF image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632http://bugzilla.maptools.org/show_bug.cgi?id=2549https://bugzilla.redhat.com/show_bug.cgi?id=1325095
The patch is from RHEL7.
(From OE-Core rev: 9206c86239717718be840a32724fd1c190929370)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658http://bugzilla.maptools.org/show_bug.cgi?id=2546
Patch from:
45c68450be
(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- unexport AS variable
- Switch URI to use github mirror for reliabality
- Disable openCL code, its not used
- TEXTRELs are fixed, therefore dont skip QA check
(From OE-Core rev: 8f132ca02c0d8abe309b622cfeef5f21ecc0b242)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The flac dependency was completely bogus. Flac isn't used at all.
FFTW is only used by tests, so we don't need to provide a packageconfig
for that.
ALSA is only used by example code that isn't part of the packaged files,
so even if ALSA is enabled, it doesn't affect the build result.
Nevertheless, I prefer to disable it explicitly to be extra sure.
--disable-alsa resulted in a warning about an unsupported configure
option, although by some magic it seemed to actually work as expected.
A patch is added to get rid of that warning.
(From OE-Core rev: c7cb0ce17dc2ec3999f26d594e755c8fb9609cee)
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The license has changed to BSD as explained here:
http://www.mega-nerd.com/SRC/license.html
(From OE-Core rev: 053aac136cec74b0ac848337812546df847dc793)
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License file changes are due to updates in Version and Copyright date
(From OE-Core rev: f231bd63ab82575b2ad6ccfd0a3f5da76b56a125)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop faac package config as upstream ./configure doesn't have it anymore.
(From OE-Core rev: a08b016c04a4e4eca78cd5ffae0226af4cb5226b)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
92d966a5fc
(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier
allows remote attackers to cause a denial of service (divide-by-zero) by
setting the (1) v or (2) h parameter to 0.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623http://bugzilla.maptools.org/show_bug.cgi?id=2569
Patch from:
bd024f0701
(From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage
function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote
attackers to cause a denial of service (out-of-bounds write) or execute
arbitrary code via a crafted TIFF image with zero tiles.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991http://bugzilla.maptools.org/show_bug.cgi?id=2543
Patch from:
e596d4e27c
(From OE-Core rev: d31267438a654ecb396aefced201f52164171055)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3990 libtiff: Heap-based buffer overflow in the
horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and
earlier allows remote attackers to cause a denial of service (crash) or
execute arbitrary code via a crafted TIFF image to tiffcp.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3990http://bugzilla.maptools.org/show_bug.cgi?id=2544
Patch from:
6a4dbb07cc
(From OE-Core rev: c6492563037bcdf7f9cc50c8639f7b6ace261e62)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
attackers to cause a denial of service (crash) or execute arbitrary code
via a crafted TIFF image, which triggers an out-of-bounds write.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945http://bugzilla.maptools.org/show_bug.cgi?id=2545
Patch from:
7c39352ccd
(From OE-Core rev: 04b9405c7e980d7655c2fd601aeeae89c0d83131)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
inc files are also used by plugins in other layers but they do
not use same srcrev for gst-common repo for various reasons e.g.
https://github.com/ndechesne/meta-qcom/blob/master/recipes-multimedia/gstreamer/gstreamer1.0-plugins-v4l2.bb
Currently, this patch is forced on these external packages too
and fails to patch cleanly in some cases. Therefore its
better to move this SRC_URI_append to the individual .bb files
(From OE-Core rev: a30d8244265f38fddefe438e035ea3bf6fb4447f)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
'xmlto' package feature is renamed to 'manpages' for consistency
with other manpage-enabled recipes.
(From OE-Core rev: 9d659a89d6c9b8feb3de0f15af665ac47f230850)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The directive mentioned in the comment was removed in:
commit 326c6802e49e5499e16cf141e1cdb0360fce14aa
Author: Riku Voipio <riku.voipio@linaro.org>
Date: Fri Feb 7 15:38:58 2014 +0200
alsa-lib: heavy pcm atomics cleanup
The following patch comes from the realization that at least ARM code
for atomics is quite broken and nobody has cared for a decade.
A quick dive shows that only snd_atomic_{read,write}_{begin,end}
appear to be used widely. These are implemented using wmb/rmb.
Only other use of atomic functions is in pcm_meter.c.
The #SND_PCM_TYPE_METER plugin type appears rarely, if ever, used.
I presume these days anyone who wants a meter/scope will do in pulseaudio
layer instead of alsa.
It would seem better fit to have pcm_meter in alsa-plugins instead
of alsa-lib, but I guess that would be an ABI break...
So instead, I'm proposing here
1. Removal of all hand-crafted atomics from iatomic.h apart from barriers,
which are used in snd_atomic_{read,write}_{begin,end}.
2. Using __sync_synchronize as the default fallback for barriers. This
has been available since gcc 4.1, so it shouldn't be a problem.
3. Defining the few atomics used by pcm_meter.c withing pcm_meter.c
itself, using gcc atomic builtins[1].
4. Since gcc atomic builtins are available only since gcc 4.7, add a check for
that in gcc configure.in, and don't build pcm meter plugin if using
older gcc.
The last point has the impact, that if there actually is someone who 1)
uses the meter plugin 2) wants to upgrade to 2014 alsa-lib 3) but
does not want to use a 2012+ gcc - that someone will be inconvenienced.
Finally remove the unneeded configure check for cpu type. We can
trust the gcc to set right flags for us.
[1] http://gcc.gnu.org/onlinedocs/gcc/_005f_005fatomic-Builtins.html
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(From OE-Core rev: dd442652afef1f83fc6c9651976cd3ba28c83c85)
Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts oe-core commit b79d1bf49b56a97216fb719ac19e4dd9022f15b4.
Now that xf86-video-intel is upgraded, visualizations can be enabled
by default.
(From OE-Core rev: c0a22a8d3e5d44ae3fba14a52582d39cfc600318)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
On some machines, visualizations in gst-player trigger a bug in
xvimagesink. Till we have a proper fix, disable the visualization
rather than downgrading the xvimagesink.
Fixes [YOCTO #10041]
(From OE-Core rev: b79d1bf49b56a97216fb719ac19e4dd9022f15b4)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fixes following error:
,----
| src/libavutil/log.c:51:31: fatal error: valgrind/valgrind.h: No such file or directory
| #include <valgrind/valgrind.h>
`----
(From OE-Core rev: 262f8180c9037b7e82efe08ce3bb1880fee22ea8)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tried by adding CFLAGS_append = " -fpic " to
the recipe. But that couldn't help resolve the
warning message:
x264/r2491+gitAUTOINC+c8a773ebfc-r0/packages-split/x264/usr/lib/libx264.so.144' has relocations in .text [textrel]
It was found that this warning is emitted because of the
assembly files in the source code. And it is not easy to
get rid of TEXTREL's which are coming from the assembly
source files.
Adding textrel to INSANE_SKIP resolves this issue.
This issue was observed in cyclone5 and imx6qsabresd BSP's.
So generalizing the patch.
(From OE-Core rev: 9470e0911838a6f5a23f01c6944906b69aa1317a)
Signed-off-by: Fahad Usman <fahad_usman@mentor.com>
Signed-off-by: Sujith Haridasan <Sujith_Haridasan@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The LICENSE file describes how the various pieces are licensed, so add it to the
checksum so we notice when it changes.
(From OE-Core rev: 3309007b423654c1b021d85205f81e68cbd84475)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Define PV in order to avoid package version being plain "git". Use the
version number found from configure.ac plus the git revision.
(From OE-Core rev: 9d4734412c45ef80195707900b1dfdf843f43228)
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 58d6cd369a3316a6ba313a2f1982bde5d47c0608)
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reintroduces fixes and changes which were introduced in the original
gstreamer1.0-plugins-bad 1.8.1 upgrade commit.
* packageconfigs changed since GStreamer 1.6.3
(they often do between minor version increases like 1.6 -> 1.8)
* hls,tinyalsa packageconfigs moved into the .inc file
* vulkan packageconfig dropped since there are no vulkan libraries in OE
(libxcb alone is not enough)
* reintroduced glimagesink downrank patch (it was removed because it was
dangling before)
* fixed patch line numbers
(From OE-Core rev: ca3f9fbe21407685ed09c60bc4b991b5c6b448f4)
Signed-off-by: Carlos Rafael Giani <dv@pseudoterminal.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since gstreamer1.0-omx follows the GStreamer versioning style, inherit
upstream-version-is-even for checking the upstream version of the package.
(From OE-Core rev: d4c40d7fed89435dcf6c883343adeff37153f19e)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
remotesensing.org domain has been taken over by someone unrelated.
There does not seem to be an up-to-date tiff homepage, but
osgeo.org is a reliable download site.
(From OE-Core rev: f544e1d10e9dc0f750efdb45a78ce9d5c9603070)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A new mechanism to probe v4l2 M2M devices was implemented in gst 1.8 series, in
order to get such devices probed we now need to enable v4l2-probe compile option
which upstream decided to keep disabled by default (unfortunately), see [1].
With this feature disabled, it is not possible to get v4l2 M2M device to work in
Gstreamer which is a common use case on many embedded platforms. This patch
enables this new option as soon as v4l2 support is enabled in gstreamer -good.
[1] https://bugzilla.gnome.org/show_bug.cgi?id=758085
(From OE-Core rev: c1f08c04a95f6ec089d4a62d90119df01c94cd80)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The gstreamer common module ships a copy of gtk-doc.m4 that will be used in
preference to our patched form, so delete it before configure is executed.
(From OE-Core rev: 50768af29ce8524f7bae387996aaed657a1ff80f)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
check support is no longer disabled by default because it is a requirement
of gtk-doc support in gstreamer.
(From OE-Core rev: 628a849ff14e165b8c00c6649d042225f5a35732)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add PACKAGECONFIG for ipv6 and control it based
on DISTRO_FEATURES.
(From OE-Core rev: de6b65a85cb3c3efa7a46b9fd9e1831ff6448c0c)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In commit 9c3a94aea1d (gstreamer1.0-plugins-bad: Move EGL requirement for
Wayland), --enable-egl was explicitely added to the wayland packageconfig. While
this is correct that enabling wayland requires egl, it should be possible to
enable egl without wayland, even when using X11. For example, glimagesink can be
used for GPU based color conversion using EGL/GLES.
As such, let's make egl and wayland two separate PACKAGECONFIG flags.
(From OE-Core rev: c1ab87caae92a58b1dfab7abc1a856fab102e3ed)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The default of EXTRA_OEMAKE is already empty since commit:
OE-Core rev: aeb653861a0ec39ea7a014c0622980edcbf653fa
bitbake.conf: Remove unhelpful default value for EXTRA_OEMAKE
(From OE-Core rev: 408b1f1879e4b90c90f6d139b08d2b6f8e555655)
Signed-off-by: Stefan Müller-Klieser <s.mueller-klieser@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
http://www.alsa-project.org/main/index.php/Changes_v1.1.1_v1.1.2
The FFT code in alsabat changed from double precision to single
precision floating point numbers, which is why the fftw dependency
changed to fftwf.
(From OE-Core rev: 2b44e468d20a0256fba896562e2e7d1ae593a4c8)
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Updates in License files are due to changes in Copyright date
and Version.
Ensure all tools are packaged into $PN-tools.
(From OE-Core rev: e28b6042b1a81fe449b772b4698ad139edf46332)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This helps in compiling it with with toolchain coming from
a sstate server where its built using a different build time
sysroot.
Secondly, also helps compiling with non-gcc ( clang ) compiler
(From OE-Core rev: 25deaf1368cc0a99d7b5b3f2d08d7fead51296e2)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-5323 libtiff: a maliciously crafted TIFF file could cause the
application to crash when using tiffcrop command
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5323http://bugzilla.maptools.org/show_bug.cgi?id=2559
Patch from:
2f79856097
(From OE-Core rev: 4ad1220e0a7f9ca9096860f4f9ae7017b36e29e4)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-5321 libtiff: a maliciously crafted TIFF file could cause the
application to crash when using tiffcrop command
External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5321http://bugzilla.maptools.org/show_bug.cgi?id=2558
Patch from:
d9783e4a14
(From OE-Core rev: 4a167cfb6ad79bbe2a2ff7f7b43c4a162ca42a4d)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
provide similar behaviour for Media Player's quit and close callback
functions.
[YOCTO #10045]
(From OE-Core rev: 5cf3ae34df0a39deead8b029353b41a60e48c24a)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yi Zhao
Zhixiong Chi
Khem Raj
Tanu Kaskinen
Maxin B. John
Alexander Kanavin
Andreas Müller
Jussi Kukkonen
Otavio Salvador
Fahad Usman
Ross Burton
Markus Lehtonen
Carlos Rafael Giani
Nicolas Dechesne
Joe Slater
Jackie Huang
Stefan Müller-Klieser
Armin Kuster