[Buildroot] [PATCH] jasper: security bump to version 1.900.22

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] jasper: security bump to version 1.900.22
Date: Fri, 11 Nov 2016 15:16:13 +0100	[thread overview]
Message-ID: <20161111151613.479ca977@free-electrons.com> (raw)
In-Reply-To: <3bcba6e589068f92853a6c7a7fb43f6b7c0c9968.1478800479.git.baruch@tkos.co.il>

Hello,

On Thu, 10 Nov 2016 19:54:39 +0200, Baruch Siach wrote:
> Fixes:
> CVE-2016-8693: Double free vulnerability in mem_close
> CVE-2016-8692: Divide by zero in jpc_dec_process_siz
> CVE-2016-8691: Divide by zero in jpc_dec_process_siz
> CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted
> BMP image
> CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
> CVE-2016-8886: memory allocation failure in jas_malloc
> CVE-2016-8887: Null pointer dereference in jp2_colr_destroy
> CVE-2016-8884, CVE-2016-8885: Null pointer dereference in bmp_getdata
> (incomplete fix for CVE-2016-8690)
> CVE-2016-8880: Heap buffer overflow in jpc_dec_cp_setfromcox()
> CVE-2016-8881: Heap buffer overflow in jpc_getuint16()
> CVE-2016-8882: Null pointer access in jpc_pi_destroy
> CVE-2016-8883: Assert in jpc_dec_tiledecode()
> 
> Drop upstream patches.
> 
> Change SITE to the official download location, since the current one does not
> have the updated version. Unfortunately, the official site only offers tar.gz.
> 
> Fix license. It is "based on the MIT license", but not exactly the same
> (http://www.ece.uvic.ca/~frodo/jasper/; under "Legal Issues").
> 
> Drop autoreconf; the autotools version has been updated since commit
> 324ccec90d (jasper: autoreconf to fix rpath issue) that introduced it.
> 
> Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
>  package/jasper/0001-fix-CVE-2014-9029.patch   |  36 ---
>  package/jasper/0002-fix-CVE-2014-8138.patch   |  18 --
>  package/jasper/0003-fix-CVE-2014-8137-1.patch |  47 ----
>  package/jasper/0004-fix-CVE-2014-8137-2.patch |  18 --
>  package/jasper/0005-fix-CVE-2014-8157.patch   |  17 --
>  package/jasper/0006-fix-CVE-2014-8158.patch   | 334 --------------------------
>  package/jasper/0007-preserve-cflags.patch     |  27 ---
>  package/jasper/0008-fix-CVE-2016-2116.patch   |  18 --
>  package/jasper/0009-fix-CVE-2016-1577.patch   |  18 --
>  package/jasper/0010-fix-CVE-2016-1867.patch   |  16 --
>  package/jasper/0011-fix-CVE-2015-5221.patch   |  23 --
>  package/jasper/0012-fix-CVE-2015-5203.patch   | 187 --------------
>  package/jasper/jasper.hash                    |   2 +-
>  package/jasper/jasper.mk                      |   9 +-
>  14 files changed, 4 insertions(+), 766 deletions(-)
>  delete mode 100644 package/jasper/0001-fix-CVE-2014-9029.patch
>  delete mode 100644 package/jasper/0002-fix-CVE-2014-8138.patch
>  delete mode 100644 package/jasper/0003-fix-CVE-2014-8137-1.patch
>  delete mode 100644 package/jasper/0004-fix-CVE-2014-8137-2.patch
>  delete mode 100644 package/jasper/0005-fix-CVE-2014-8157.patch
>  delete mode 100644 package/jasper/0006-fix-CVE-2014-8158.patch
>  delete mode 100644 package/jasper/0007-preserve-cflags.patch
>  delete mode 100644 package/jasper/0008-fix-CVE-2016-2116.patch
>  delete mode 100644 package/jasper/0009-fix-CVE-2016-1577.patch
>  delete mode 100644 package/jasper/0010-fix-CVE-2016-1867.patch
>  delete mode 100644 package/jasper/0011-fix-CVE-2015-5221.patch
>  delete mode 100644 package/jasper/0012-fix-CVE-2015-5203.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

     prev parent reply	other threads:[~2016-11-11 14:16 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-10 17:54 [Buildroot] [PATCH] jasper: security bump to version 1.900.22 Baruch Siach
2016-11-11 14:16 ` Thomas Petazzoni [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161111151613.479ca977@free-electrons.com \
    --to=thomas.petazzoni@free-electrons.com \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox