Re: [OE-core] [Master][PATCH] libtiff: Update to 4.0.7
On 11/23/2016 05:32 PM, akuster808 wrote:
> The never made into patchwork. is there a bug there ? is there an issue on how I submitted?
>
> - armin
>
> On 11/21/2016 09:28 PM, Armin Kuster wrote:

I haven't actually seen the email with the patch at all on the mailing list, just your response to it. Can you resend?

Alex
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [Master][PATCH] libtiff: Update to 4.0.7
On 11/23/2016 08:04 AM, Burton, Ross wrote:
> CCing Leo and Jose who have been working on this.
>
> Ross
>

Had to respin due to additional tiff patches in master just added. V2 will be out shortly.

- armin

> On 23 November 2016 at 15:32, akuster808 wrote:
>
>> The never made into patchwork. is there a bug there ? is there an issue on
>> how I submitted?
>>
>> - armin
>>
>>
>> On 11/21/2016 09:28 PM, Armin Kuster wrote:
>>
>>> Major changes:
>>> The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and
>>> ycbcr are completely removed from the distribution, used for demos.
>>>
>>> CVEs fixed:
>>> CVE-2016-9297
>>> CVE-2016-9448
>>> CVE-2016-9273
>>> CVE-2014-8127
>>> CVE-2016-3658
>>> CVE-2016-5875
>>> CVE-2016-5652
>>> CVE-2016-3632
>>>
>>> plus more that are not identified in the changelog.
>>>
>>> removed patches integrated into update.
>>> more info: http://libtiff.maptools.org/v4.0.7.html
>>> >>> Signed-off-by: Armin Kuster >>> --- >>> .../libtiff/files/CVE-2015-8665_8683.patch | 137 >>> --- >>> .../libtiff/files/CVE-2015-8781.patch | 195 >>> - >>> .../libtiff/files/CVE-2015-8784.patch | 73 >>> .../libtiff/files/CVE-2016-3186.patch | 24 --- >>> .../libtiff/files/CVE-2016-3622.patch | 129 -- >>> .../libtiff/files/CVE-2016-3623.patch | 52 -- >>> .../libtiff/files/CVE-2016-3945.patch | 118 - >>> .../libtiff/files/CVE-2016-3990.patch | 66 --- >>> .../libtiff/files/CVE-2016-3991.patch | 147 >>> >>> .../libtiff/files/CVE-2016-5321.patch | 49 -- >>> .../libtiff/files/CVE-2016-5323.patch | 107 --- >>> .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} | 15 +- >>> 12 files changed, 2 insertions(+), 1110 deletions(-) >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2015-8665_8683.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2015-8781.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2015-8784.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-3186.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-3622.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-3623.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-3945.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-3990.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-3991.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-5321.patch >>> delete mode 100644 meta/recipes-multimedia/libtif >>> f/files/CVE-2016-5323.patch >>> rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} >>> (74%) >>> >>> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch >>> b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch >>> deleted file mode 100644 >>> index 39c5059..000 
>>> --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch >>> +++ /dev/null >>> @@ -1,137 +0,0 @@ >>> -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 >>> -From: erouault >>> -Date: Sat, 26 Dec 2015 17:32:03 + >>> -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in >>> - TIFFRGBAImage interface in case of unsupported values of >>> - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to >>> - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by >>> - limingxing and CVE-2015-8683 reported by zzf of Alibaba. >>> - >>> -Upstream-Status: Backport >>> -CVE: CVE-2015-8665 >>> -CVE: CVE-2015-8683 >>> -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334 >>> 592760fbb7938f15eb55 >>> - >>> -Signed-off-by: Armin Kuster >>> - >>> >>> - ChangeLog | 8 >>> - libtiff/tif_getimage.c | 35 ++- >>> - 2 files changed, 30 insertions(+), 13 deletions(-) >>> - >>> -Index: tiff-4.0.6/libtiff/tif_getimage.c >>> -=== >>> tiff-4.0.6.orig/libtiff/tif_getimage.c >>> -+++ tiff-4.0.6/libtiff/tif_getimage.c >>> -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 >>> - "Planarconfiguration", >>> td->td_planarconfig); >>> - return (0); >>> - } >>> -- if( td->td_samplesperpixel != 3 ) >>> -+ if( td->td_samplesperpixel != 3 || colorchannels >>> != 3 ) >>> - { >>> - sprintf(emsg, >>> --"Sorry, can not handle image with %s=%d", >>> --"Samples/pixel", td->td_sample
Re: [OE-core] [Master][PATCH] libtiff: Update to 4.0.7
The never made into patchwork. is there a bug there ? is there an issue on how I submitted?

- armin

On 11/21/2016 09:28 PM, Armin Kuster wrote:

Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.

CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632

plus more that are not identified in the changelog.

removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html
Signed-off-by: Armin Kuster --- .../libtiff/files/CVE-2015-8665_8683.patch | 137 --- .../libtiff/files/CVE-2015-8781.patch | 195 - .../libtiff/files/CVE-2015-8784.patch | 73 .../libtiff/files/CVE-2016-3186.patch | 24 --- .../libtiff/files/CVE-2016-3622.patch | 129 -- .../libtiff/files/CVE-2016-3623.patch | 52 -- .../libtiff/files/CVE-2016-3945.patch | 118 - .../libtiff/files/CVE-2016-3990.patch | 66 --- .../libtiff/files/CVE-2016-3991.patch | 147 .../libtiff/files/CVE-2016-5321.patch | 49 -- .../libtiff/files/CVE-2016-5323.patch | 107 --- .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} | 15 +- 12 files changed, 2 insertions(+), 1110 deletions(-) delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} (74%) diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch deleted file mode 100644 index 39c5059..000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 26 Dec 2015 17:32:03 + -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - -Upstream-Status: Backport -CVE: CVE-2015-8665 -CVE: CVE-2015-8683 -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 - -Signed-off-by: Armin Kuster - - ChangeLog | 8 - libtiff/tif_getimage.c | 35 ++- - 2 files changed, 30 insertions(+), 13 deletions(-) - -Index: tiff-4.0.6/libtiff/tif_getimage.c -=== tiff-4.0.6.orig/libtiff/tif_getimage.c -+++ tiff-4.0.6/libtiff/tif_getimage.c -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, --"Sorry, can not handle image with %s=%d", --"Samples/pixel", td->td_samplesperpixel); -+"Sorry, can not handle image with %s=%d, %s=%d", -+"Samples/pixel", td->td_samplesperpixel, -+"colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: --if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, --"Sorry, can not handle image with %s=%d and %s=%d", -+"Sorry, can not handle image with %s=%d, %s=%d and %s=%d"
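
Review bot: the deletion of files/CVE-2015-8665_8683.patch (hunk "@@ -1,137 +0,0 @@") drops the "CVE: CVE-2015-8665" and "CVE: CVE-2015-8683" tags together with the backport, and the commit message's "CVEs fixed" list names neither of them, nor any of the other CVEs whose patch files the diffstat removes (CVE-2015-8781, CVE-2015-8784, CVE-2016-3186, CVE-2016-3622, CVE-2016-3623, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991, CVE-2016-5321, CVE-2016-5323). The statement "removed patches integrated into update" should be backed up in the commit message by listing those CVEs as still fixed and by confirming that each backported upstream commit (for this file, f94a29a822f5528d2334592760fbb7938f15eb55) is contained in 4.0.7, so the fix status stays traceable once the tagged patch files are gone. "plus more that are not identified in the changelog" gives a reviewer nothing to check and is better replaced by the identifiers or dropped.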