Re: [OE-core] [Master][PATCH] libtiff: Update to 4.0.7

2016-12-01 Thread Alexander Kanavin

On 11/23/2016 05:32 PM, akuster808 wrote:

> This never made it into patchwork. Is there a bug there? Is there an issue
> with how I submitted?
>
> - armin
>
> On 11/21/2016 09:28 PM, Armin Kuster wrote:


I haven't actually seen the email with the patch at all on the mailing 
list, just your response to it. Can you resend?


Alex

--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] [Master][PATCH] libtiff: Update to 4.0.7

2016-11-26 Thread akuster808


On 11/23/2016 08:04 AM, Burton, Ross wrote:
> CCing Leo and Jose who have been working on this.
> 
> Ross
> 

Had to respin due to additional tiff patches in master just added. V2
will be out shortly.

- armin

> On 23 November 2016 at 15:32, akuster808  wrote:
> 
>> This never made it into patchwork. Is there a bug there? Is there an issue with
>> how I submitted?
>>
>> - armin
>>
>>
>> On 11/21/2016 09:28 PM, Armin Kuster wrote:
>>
>>> Major changes:
>>> The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and
>>> ycbcr are completely removed from the distribution, used for demos.
>>>
>>> CVEs fixed:
>>> CVE-2016-9297
>>> CVE-2016-9448
>>> CVE-2016-9273
>>> CVE-2014-8127
>>> CVE-2016-3658
>>> CVE-2016-5875
>>> CVE-2016-5652
>>> CVE-2016-3632
>>>
>>> plus more that are not identified in the changelog.
>>>
>>> removed patches integrated into update.
>>> more info: http://libtiff.maptools.org/v4.0.7.html
>>>
>>> Signed-off-by: Armin Kuster 
>>> ---
>>>   .../libtiff/files/CVE-2015-8665_8683.patch | 137
>>> ---
>>>   .../libtiff/files/CVE-2015-8781.patch  | 195
>>> -
>>>   .../libtiff/files/CVE-2015-8784.patch  |  73 
>>>   .../libtiff/files/CVE-2016-3186.patch  |  24 ---
>>>   .../libtiff/files/CVE-2016-3622.patch  | 129 --
>>>   .../libtiff/files/CVE-2016-3623.patch  |  52 --
>>>   .../libtiff/files/CVE-2016-3945.patch  | 118 -
>>>   .../libtiff/files/CVE-2016-3990.patch  |  66 ---
>>>   .../libtiff/files/CVE-2016-3991.patch  | 147
>>> 
>>>   .../libtiff/files/CVE-2016-5321.patch  |  49 --
>>>   .../libtiff/files/CVE-2016-5323.patch  | 107 ---
>>>   .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb}   |  15 +-
>>>   12 files changed, 2 insertions(+), 1110 deletions(-)
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2015-8665_8683.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2015-8781.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2015-8784.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3186.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3622.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3623.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3945.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3990.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-3991.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-5321.patch
>>>   delete mode 100644 meta/recipes-multimedia/libtif
>>> f/files/CVE-2016-5323.patch
>>>   rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb}
>>> (74%)
>>>
>>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>>> b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>>> deleted file mode 100644
>>> index 39c5059..000
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>>> +++ /dev/null
>>> @@ -1,137 +0,0 @@
>>> -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
>>> -From: erouault 
>>> -Date: Sat, 26 Dec 2015 17:32:03 +
>>> -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
>>> - TIFFRGBAImage interface in case of unsupported values of
>>> - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
>>> - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
>>> - limingxing and CVE-2015-8683 reported by zzf of Alibaba.
>>> -
>>> -Upstream-Status: Backport
>>> -CVE: CVE-2015-8665
>>> -CVE: CVE-2015-8683
>>> -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334
>>> 592760fbb7938f15eb55
>>> -
>>> -Signed-off-by: Armin Kuster 
>>> -
>>> 
>>> - ChangeLog  |  8 
>>> - libtiff/tif_getimage.c | 35 ++-
>>> - 2 files changed, 30 insertions(+), 13 deletions(-)
>>> -
>>> -Index: tiff-4.0.6/libtiff/tif_getimage.c
>>> -===
>>>  tiff-4.0.6.orig/libtiff/tif_getimage.c
>>> -+++ tiff-4.0.6/libtiff/tif_getimage.c
>>> -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
>>> -   "Planarconfiguration",
>>> td->td_planarconfig);
>>> -   return (0);
>>> -   }
>>> --  if( td->td_samplesperpixel != 3 )
>>> -+  if( td->td_samplesperpixel != 3 || colorchannels
>>> != 3 )
>>> - {
>>> - sprintf(emsg,
>>> --"Sorry, can not handle image with 
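Review bot: The commit message's "CVEs fixed" list names none of the CVEs whose backport files this patch deletes; the file removed in this hunk is tagged `CVE: CVE-2015-8665` and `CVE: CVE-2015-8683`, and neither id appears in that list. "removed patches integrated into update" should name the eleven dropped files (or their CVE ids) and state that 4.0.7 contains each fix, so the recipe history still shows where that coverage went once the `CVE:` tags in these files are gone.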

Re: [OE-core] [Master][PATCH] libtiff: Update to 4.0.7

2016-11-23 Thread akuster808
This never made it into patchwork. Is there a bug there? Is there an issue
with how I submitted?


- armin


On 11/21/2016 09:28 PM, Armin Kuster wrote:

Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are 
completely removed from the distribution, used for demos.

CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632

plus more that are not identified in the changelog.

removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html

Signed-off-by: Armin Kuster 
---
  .../libtiff/files/CVE-2015-8665_8683.patch | 137 ---
  .../libtiff/files/CVE-2015-8781.patch  | 195 -
  .../libtiff/files/CVE-2015-8784.patch  |  73 
  .../libtiff/files/CVE-2016-3186.patch  |  24 ---
  .../libtiff/files/CVE-2016-3622.patch  | 129 --
  .../libtiff/files/CVE-2016-3623.patch  |  52 --
  .../libtiff/files/CVE-2016-3945.patch  | 118 -
  .../libtiff/files/CVE-2016-3990.patch  |  66 ---
  .../libtiff/files/CVE-2016-3991.patch  | 147 
  .../libtiff/files/CVE-2016-5321.patch  |  49 --
  .../libtiff/files/CVE-2016-5323.patch  | 107 ---
  .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb}   |  15 +-
  12 files changed, 2 insertions(+), 1110 deletions(-)
  delete mode 100644 
meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
  delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
  rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} (74%)

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
deleted file mode 100644
index 39c5059..000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
-From: erouault 
-Date: Sat, 26 Dec 2015 17:32:03 +
-Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
- TIFFRGBAImage interface in case of unsupported values of
- SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
- TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
- limingxing and CVE-2015-8683 reported by zzf of Alibaba.
-
-Upstream-Status: Backport
-CVE: CVE-2015-8665
-CVE: CVE-2015-8683
-https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
-
-Signed-off-by: Armin Kuster 
-

- ChangeLog  |  8 
- libtiff/tif_getimage.c | 35 ++-
- 2 files changed, 30 insertions(+), 13 deletions(-)
-
-Index: tiff-4.0.6/libtiff/tif_getimage.c
-===
 tiff-4.0.6.orig/libtiff/tif_getimage.c
-+++ tiff-4.0.6/libtiff/tif_getimage.c
-@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
-   "Planarconfiguration", td->td_planarconfig);
-   return (0);
-   }
--  if( td->td_samplesperpixel != 3 )
-+  if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
--"Sorry, can not handle image with %s=%d",
--"Samples/pixel", td->td_samplesperpixel);
-+"Sorry, can not handle image with %s=%d, %s=%d",
-+"Samples/pixel", td->td_samplesperpixel,
-+"colorchannels", colorchannels);
- return 0;
- }
-   break;
-   case PHOTOMETRIC_CIELAB:
--if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+if( td->td_samplesperpixel != 3 || colorchannels != 3 || 
td->td_bitspersample != 8 )
- {
- sprintf(emsg,
--"Sorry, can not handle image with %s=%d and %s=%d",
-+"Sorry, can not
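Review bot: In the deleted backport, the substance of the fix visible here is the extra `colorchannels != 3` test added to the `td->td_samplesperpixel != 3` checks in TIFFRGBAImageOK(), both in the branch before `case PHOTOMETRIC_CIELAB:` and in that case itself. Dropping the file is only safe if tiff 4.0.7's libtiff/tif_getimage.c carries those checks and the TIFFRGBAImageOK() call in TIFFRGBAImageBegin() that the Subject describes. The header gives the upstream commit (f94a29a822f5528d2334592760fbb7938f15eb55), so please confirm it is part of the 4.0.7 release and say so in the commit message rather than relying on "integrated into update".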