* [Buildroot] [git commit] icu: add upstream security fix for utf-8 handling
From: Peter Korsgaard @ 2017-04-27 12:12 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=0135204868e4888cf162755a90087b10b40093ed
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes:
CVE-2017-7867 - International Components for Unicode (ICU) for C/C++ before
2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
related to the utf8TextAccess function in common/utext.cpp and the
utext_setNativeIndex* function.
CVE-2017-7868 - International Components for Unicode (ICU) for C/C++ before
2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
related to the utf8TextAccess function in common/utext.cpp and the
utext_moveIndex32* function.
Upstream: http://bugs.icu-project.org/trac/changeset/39671
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...-utext-problems-with-handling-of-bad-utf8.patch | 173 +++++++++++++++++++++
1 file changed, 173 insertions(+)
diff --git a/package/icu/0006-utext-problems-with-handling-of-bad-utf8.patch b/package/icu/0006-utext-problems-with-handling-of-bad-utf8.patch
new file mode 100644
index 0000000..a4e51ae
--- /dev/null
+++ b/package/icu/0006-utext-problems-with-handling-of-bad-utf8.patch
@@ -0,0 +1,173 @@
+ticket:12888 UText, problems with handling of bad UTF-8
+
+Fixes:
+
+CVE-2017-7867 - International Components for Unicode (ICU) for C/C++ before
+2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
+related to the utf8TextAccess function in common/utext.cpp and the
+utext_setNativeIndex* function.
+
+CVE-2017-7868 - International Components for Unicode (ICU) for C/C++ before
+2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
+related to the utf8TextAccess function in common/utext.cpp and the
+utext_moveIndex32* function.
+
+Upstream: http://bugs.icu-project.org/trac/changeset/39671
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+
+Index: /trunk/icu4c/source/common/utext.cpp
+===================================================================
+--- icu4c/source/common/utext.cpp (revision 39670)
++++ icu4c/source/common/utext.cpp (revision 39671)
+@@ -848,7 +848,13 @@
+
+ // Chunk size.
+-// Must be less than 85, because of byte mapping from UChar indexes to native indexes.
+-// Worst case is three native bytes to one UChar. (Supplemenaries are 4 native bytes
+-// to two UChars.)
++// Must be less than 42 (256/6), because of byte mapping from UChar indexes to native indexes.
++// Worst case there are six UTF-8 bytes per UChar.
++// obsolete 6 byte form fd + 5 trails maps to fffd
++// obsolete 5 byte form fc + 4 trails maps to fffd
++// non-shortest 4 byte forms maps to fffd
++// normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit
++// mapToUChars array size must allow for the worst case, 6.
++// This could be brought down to 4, by treating fd and fc as pure illegal,
++// rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros.
+ //
+ enum { UTF8_TEXT_CHUNK_SIZE=32 };
+@@ -890,5 +896,5 @@
+ // one for a supplementary starting in the last normal position,
+ // and one for an entry for the buffer limit position.
+- uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to
++ uint8_t mapToUChars[UTF8_TEXT_CHUNK_SIZE*6+6]; // Map native offset from bufNativeStart to
+ // correspoding offset in filled part of buf.
+ int32_t align;
+@@ -1033,4 +1039,5 @@
+ u8b = (UTF8Buf *)ut->p; // the current buffer
+ mapIndex = ix - u8b->toUCharsMapStart;
++ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
+ ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
+ return TRUE;
+@@ -1299,4 +1306,8 @@
+ // If index is at the end, there is no character there to look at.
+ if (ix != ut->b) {
++ // Note: this function will only move the index back if it is on a trail byte
++ // and there is a preceding lead byte and the sequence from the lead
++ // through this trail could be part of a valid UTF-8 sequence
++ // Otherwise the index remains unchanged.
+ U8_SET_CP_START(s8, 0, ix);
+ }
+@@ -1312,5 +1323,8 @@
+ uint8_t *mapToNative = u8b->mapToNative;
+ uint8_t *mapToUChars = u8b->mapToUChars;
+- int32_t toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1);
++ int32_t toUCharsMapStart = ix - sizeof(UTF8Buf::mapToUChars) + 1;
++ // Note that toUCharsMapStart can be negative. Happens when the remaining
++ // text from current position to the beginning is less than the buffer size.
++ // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry.
+ int32_t destIx = UTF8_TEXT_CHUNK_SIZE+2; // Start in the overflow region
+ // at end of buffer to leave room
+@@ -1339,4 +1353,5 @@
+ // Special case ASCII range for speed.
+ buf[destIx] = (UChar)c;
++ U_ASSERT(toUCharsMapStart <= srcIx);
+ mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx;
+ mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart);
+@@ -1368,4 +1383,5 @@
+ mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx;
+ } while (sIx >= srcIx);
++ U_ASSERT(toUCharsMapStart <= (srcIx+1));
+
+ // Set native indexing limit to be the current position.
+@@ -1542,4 +1558,5 @@
+ U_ASSERT(index<=ut->chunkNativeLimit);
+ int32_t mapIndex = index - u8b->toUCharsMapStart;
++ U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
+ int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
+ U_ASSERT(offset>=0 && offset<=ut->chunkLength);
+Index: /trunk/icu4c/source/test/intltest/utxttest.cpp
+===================================================================
+--- icu4c/source/test/intltest/utxttest.cpp (revision 39670)
++++ icu4c/source/test/intltest/utxttest.cpp (revision 39671)
+@@ -68,4 +68,6 @@
+ case 7: name = "Ticket12130";
+ if (exec) Ticket12130(); break;
++ case 8: name = "Ticket12888";
++ if (exec) Ticket12888(); break;
+ default: name = ""; break;
+ }
+@@ -1584,2 +1586,62 @@
+ utext_close(&ut);
+ }
++
++// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal,
++// six byte utf-8 forms. Original implementation had an assumption that
++// there would be at most three utf-8 bytes per UTF-16 code unit.
++// The five and six byte sequences map to a single replacement character.
++
++void UTextTest::Ticket12888() {
++ const char *badString =
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++ "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80";
++
++ UErrorCode status = U_ZERO_ERROR;
++ LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status));
++ TEST_SUCCESS(status);
++ for (;;) {
++ UChar32 c = utext_next32(ut.getAlias());
++ if (c == U_SENTINEL) {
++ break;
++ }
++ }
++ int32_t endIdx = utext_getNativeIndex(ut.getAlias());
++ if (endIdx != (int32_t)strlen(badString)) {
++ errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx);
++ return;
++ }
++
++ for (int32_t prevIndex = endIdx; prevIndex>0;) {
++ UChar32 c = utext_previous32(ut.getAlias());
++ int32_t currentIndex = utext_getNativeIndex(ut.getAlias());
++ if (c != 0xfffd) {
++ errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n",
++ __FILE__, __LINE__, 0xfffd, c, currentIndex);
++ break;
++ }
++ if (currentIndex != prevIndex - 6) {
++ errln("%s:%d: wrong index. Expected, actual = %d, %d",
++ __FILE__, __LINE__, prevIndex - 6, currentIndex);
++ break;
++ }
++ prevIndex = currentIndex;
++ }
++}
+Index: /trunk/icu4c/source/test/intltest/utxttest.h
+===================================================================
+--- icu4c/source/test/intltest/utxttest.h (revision 39670)
++++ icu4c/source/test/intltest/utxttest.h (revision 39671)
+@@ -39,4 +39,5 @@
+ void Ticket10983();
+ void Ticket12130();
++ void Ticket12888();
+
+ private:
^ permalink raw reply related
* [Buildroot] [git commit] tiff: add upstream security fixes
From: Peter Korsgaard @ 2017-04-27 12:12 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=030fe340af365b834c15142f862e0de6d5f95737
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing
the following security issues:
CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_read.c:351:22.
CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_ojpeg.c:816:8.
CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 512" and
libtiff/tif_unix.c:340:2.
CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 8" and
libtiff/tif_read.c:523:22.
CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer
overflow in the tools/tiffcp resulting in DoS or code execution via a
crafted BitsPerSample value.
CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7
has a left-shift undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image.
CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata
is properly initialized, which might allow remote attackers to obtain
sensitive information from process memory via a crafted image.
CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in
tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (memory leak) via a crafted image.
CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7
allows remote attackers to cause a denial of service (divide-by-zero error
and application crash) via a crafted image.
CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers
to cause a denial of service (divide-by-zero error and application crash)
via a crafted image.
CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit
type long" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image.
CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might
allow remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted image.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
..._read.c-libtiff-tiffiop.h-fix-uint32-over.patch | 46 +++++++++
..._ojpeg.c-make-OJPEGDecode-early-exit-in-c.patch | 53 ++++++++++
..._pixarlog.c-libtiff-tif_luv.c-fix-heap-ba.patch | 110 +++++++++++++++++++++
..._dirread.c-modify-ChopUpSingleUncompresse.patch | 107 ++++++++++++++++++++
...p.c-error-out-cleanly-in-cpContig2Separat.patch | 74 ++++++++++++++
..._getimage.c-add-explicit-uint32-cast-in-p.patch | 31 ++++++
...fiop.h-tif_unix.c-tif_win32.c-tif_vms.c-a.patch | 88 +++++++++++++++++
| 43 ++++++++
| 36 +++++++
..._jpeg.c-avoid-integer-division-by-zero-in.patch | 35 +++++++
..._dirread.c-avoid-division-by-floating-poi.patch | 47 +++++++++
..._jpeg.c-validate-BitsPerSample-in-JPEGSet.patch | 35 +++++++
..._read.c-avoid-potential-undefined-behavio.patch | 56 +++++++++++
13 files changed, 761 insertions(+)
diff --git a/package/tiff/0001-libtiff-tif_read.c-libtiff-tiffiop.h-fix-uint32-over.patch b/package/tiff/0001-libtiff-tif_read.c-libtiff-tiffiop.h-fix-uint32-over.patch
new file mode 100644
index 0000000..9df4577
--- /dev/null
+++ b/package/tiff/0001-libtiff-tif_read.c-libtiff-tiffiop.h-fix-uint32-over.patch
@@ -0,0 +1,46 @@
+From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 21:56:56 +0000
+Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
+ in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+Fixes CVE-2016-10266
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_read.c | 2 +-
+ libtiff/tiffiop.h | 4 ++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index c26c55f4..52bbf507 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ rowsperstrip=td->td_rowsperstrip;
+ if (rowsperstrip>td->td_imagelength)
+ rowsperstrip=td->td_imagelength;
+- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ stripinplane=(strip%stripsperplane);
+ plane=(uint16)(strip/stripsperplane);
+ rows=td->td_imagelength-stripinplane*rowsperstrip;
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index ffbb647b..cb59460a 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -250,6 +250,10 @@ struct tiff {
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
+--
+2.11.0
+
diff --git a/package/tiff/0002-libtiff-tif_ojpeg.c-make-OJPEGDecode-early-exit-in-c.patch b/package/tiff/0002-libtiff-tif_ojpeg.c-make-OJPEGDecode-early-exit-in-c.patch
new file mode 100644
index 0000000..d99b900
--- /dev/null
+++ b/package/tiff/0002-libtiff-tif_ojpeg.c-make-OJPEGDecode-early-exit-in-c.patch
@@ -0,0 +1,53 @@
+From 43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:15:18 +0000
+Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case
+ of failure in OJPEGPreDecode(). This will avoid a divide by zero, and
+ potential other issues. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+Fixes CVE-2016-10267
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_ojpeg.c | 8 ++++++++
+ 1 files changed, 15 insertions(+)
+
+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
+index 1ccc3f9b..f19e8fd0 100644
+--- a/libtiff/tif_ojpeg.c
++++ b/libtiff/tif_ojpeg.c
+@@ -244,6 +244,7 @@ typedef enum {
+
+ typedef struct {
+ TIFF* tif;
++ int decoder_ok;
+ #ifndef LIBJPEG_ENCAP_EXTERNAL
+ JMP_BUF exit_jmpbuf;
+ #endif
+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
+ }
+ sp->write_curstrile++;
+ }
++ sp->decoder_ok = 1;
+ return(1);
+ }
+
+@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++ static const char module[]="OJPEGDecode";
+ OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ (void)s;
++ if( !sp->decoder_ok )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++ return 0;
++ }
+ if (sp->libjpeg_jpeg_query_style==0)
+ {
+ if (OJPEGDecodeRaw(tif,buf,cc)==0)
+--
+2.11.0
+
diff --git a/package/tiff/0003-libtiff-tif_pixarlog.c-libtiff-tif_luv.c-fix-heap-ba.patch b/package/tiff/0003-libtiff-tif_pixarlog.c-libtiff-tif_luv.c-fix-heap-ba.patch
new file mode 100644
index 0000000..290834e
--- /dev/null
+++ b/package/tiff/0003-libtiff-tif_pixarlog.c-libtiff-tif_luv.c-fix-heap-ba.patch
@@ -0,0 +1,110 @@
+From 1044b43637fa7f70fb19b93593777b78bd20da86 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 23:05:51 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based
+ buffer overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample. The
+ fix for LUV has not been tested, but suffers from the same kind of issue of
+ PixarLog. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+Fixes CVE-2016-10269
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_luv.c | 18 ++++++++++++++----
+ libtiff/tif_pixarlog.c | 17 +++++++++++++++--
+ 2 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index f68a9b13..e6783db5 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+
+ struct logLuvState {
++ int encoder_state; /* 1 if encoder correctly initialized */
+ int user_datafmt; /* user data format */
+ int encode_meth; /* encoding method */
+ int pixel_size; /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+ td->td_photometric, "must be either LogLUV or LogL");
+ break;
+ }
++ sp->encoder_state = 1;
+ return (1);
+ notsupported:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++ LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /*
+ * For consistency, we always want to write out the same
+ * bitspersample and sampleformat for our TIFF file,
+ * regardless of the data format being used by the application.
+ * Since this routine is called after tags have been set but
+ * before they have been recorded in the file, we reset them here.
++ * Note: this is really a nasty approach. See PixarLogClose
+ */
+- td->td_samplesperpixel =
+- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+- td->td_bitspersample = 16;
+- td->td_sampleformat = SAMPLEFORMAT_INT;
++ if( sp->encoder_state )
++ {
++ /* See PixarLogClose. Might avoid issues with tags whose size depends
++ * on those below, but not completely sure this is enough. */
++ td->td_samplesperpixel =
++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++ td->td_bitspersample = 16;
++ td->td_sampleformat = SAMPLEFORMAT_INT;
++ }
+ }
+
+ static void
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index d1246c3d..aa99bc92 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++ PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /* In a really sneaky (and really incorrect, and untruthful, and
+ * troublesome, and error-prone) maneuver that completely goes against
+ * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+ * readers that don't know about PixarLog, or how to set
+ * the PIXARLOGDATFMT pseudo-tag.
+ */
+- td->td_bitspersample = 8;
+- td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++ if (sp->state&PLSTATE_INIT) {
++ /* We test the state to avoid an issue such as in
++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++ * What appends in that case is that the bitspersample is 1 and
++ * a TransferFunction is set. The size of the TransferFunction
++ * depends on 1<<bitspersample. So if we increase it, an access
++ * out of the buffer will happen@directory flushing.
++ * Another option would be to clear those targs.
++ */
++ td->td_bitspersample = 8;
++ td->td_sampleformat = SAMPLEFORMAT_UINT;
++ }
+ }
+
+ static void
+--
+2.11.0
+
diff --git a/package/tiff/0004-libtiff-tif_dirread.c-modify-ChopUpSingleUncompresse.patch b/package/tiff/0004-libtiff-tif_dirread.c-modify-ChopUpSingleUncompresse.patch
new file mode 100644
index 0000000..a24d5d8
--- /dev/null
+++ b/package/tiff/0004-libtiff-tif_dirread.c-modify-ChopUpSingleUncompresse.patch
@@ -0,0 +1,107 @@
+From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:02:15 +0000
+Subject: [PATCH] * libtiff/tif_dirread.c: modify
+ ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
+ TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
+ the total size of data. Which is faulty is the total size of data is not
+ sufficient to fill the whole image, and thus results in reading outside of
+ the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+the above change is a better fix that makes it unnecessary.
+
+Fixes CVE-2016-10270
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_dirread.c | 22 ++++++++++------------
+ libtiff/tif_strip.c | 9 ---------
+ 2 files changed, 25 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 3eec79c9..570d0c32 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ uint64 rowblockbytes;
+ uint64 stripbytes;
+ uint32 strip;
+- uint64 nstrips64;
+- uint32 nstrips32;
++ uint32 nstrips;
+ uint32 rowsperstrip;
+ uint64* newcounts;
+ uint64* newoffsets;
+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ return;
+
+ /*
+- * never increase the number of strips in an image
++ * never increase the number of rows per strip
+ */
+ if (rowsperstrip >= td->td_rowsperstrip)
+ return;
+- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+- return;
+- nstrips32 = (uint32)nstrips64;
++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++ if( nstrips == 0 )
++ return;
+
+- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripOffsets\" array");
+ if (newcounts == NULL || newoffsets == NULL) {
+ /*
+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ * Fill the strip information arrays with new bytecounts and offsets
+ * that reflect the broken-up format.
+ */
+- for (strip = 0; strip < nstrips32; strip++) {
++ for (strip = 0; strip < nstrips; strip++) {
+ if (stripbytes > bytecount)
+ stripbytes = bytecount;
+ newcounts[strip] = stripbytes;
+- newoffsets[strip] = offset;
++ newoffsets[strip] = stripbytes ? offset : 0;
+ offset += stripbytes;
+ bytecount -= stripbytes;
+ }
+ /*
+ * Replace old single strip info with multi-strip info.
+ */
+- td->td_stripsperimage = td->td_nstrips = nstrips32;
++ td->td_stripsperimage = td->td_nstrips = nstrips;
+ TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+ _TIFFfree(td->td_stripbytecount);
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 4c46ecf5..1676e47d 100644
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+ TIFFDirectory *td = &tif->tif_dir;
+ uint32 nstrips;
+
+- /* If the value was already computed and store in td_nstrips, then return it,
+- since ChopUpSingleUncompressedStrip might have altered and resized the
+- since the td_stripbytecount and td_stripoffset arrays to the new value
+- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+- tif_dirread.c ~line 3612.
+- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+- if( td->td_nstrips )
+- return td->td_nstrips;
+-
+ nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+--
+2.11.0
+
diff --git a/package/tiff/0005-tools-tiffcp.c-error-out-cleanly-in-cpContig2Separat.patch b/package/tiff/0005-tools-tiffcp.c-error-out-cleanly-in-cpContig2Separat.patch
new file mode 100644
index 0000000..c93be89
--- /dev/null
+++ b/package/tiff/0005-tools-tiffcp.c-error-out-cleanly-in-cpContig2Separat.patch
@@ -0,0 +1,74 @@
+From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:25:44 +0000
+Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
+ and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+ overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+Fixes CVE-2017-5225
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ tools/tiffcp.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index bdf754c3..8bbcd52f 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel = 1;
++ uint16 bitspersample = 1, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpContig2SeparateByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpSeparate2ContigByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
+ uint32 w, l, tw, tl;
+ int bychunk;
+
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ fprintf(stderr,
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
+--
+2.11.0
+
diff --git a/package/tiff/0006-libtiff-tif_getimage.c-add-explicit-uint32-cast-in-p.patch b/package/tiff/0006-libtiff-tif_getimage.c-add-explicit-uint32-cast-in-p.patch
new file mode 100644
index 0000000..b3d8a40
--- /dev/null
+++ b/package/tiff/0006-libtiff-tif_getimage.c-add-explicit-uint32-cast-in-p.patch
@@ -0,0 +1,31 @@
+From 48780b4fcc425cddc4ef8ffdf536f96a0d1b313b Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 16:38:26 +0000
+Subject: [PATCH] libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+ avoid UndefinedBehaviorSanitizer warning.
+ Patch by Nicol??s Pe??a.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
+
+Fixes CVE-2017-7592
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_getimage.c | 2 +-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index fed31f1f..2fa1775c 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -1302,7 +1302,7 @@ DECLAREContigPutFunc(putagreytile)
+ while (h-- > 0) {
+ for (x = w; x-- > 0;)
+ {
+- *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1);
++ *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
+ pp += samplesperpixel;
+ }
+ cp += toskew;
+--
+2.11.0
+
diff --git a/package/tiff/0007-libtiff-tiffiop.h-tif_unix.c-tif_win32.c-tif_vms.c-a.patch b/package/tiff/0007-libtiff-tiffiop.h-tif_unix.c-tif_win32.c-tif_vms.c-a.patch
new file mode 100644
index 0000000..ec45bbe
--- /dev/null
+++ b/package/tiff/0007-libtiff-tiffiop.h-tif_unix.c-tif_win32.c-tif_vms.c-a.patch
@@ -0,0 +1,88 @@
+From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:02:49 +0000
+Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+
+* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+initialize tif_rawdata.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+Fixes CVE-2017-7593
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_read.c | 4 +++-
+ libtiff/tif_unix.c | 8 ++++++++
+ libtiff/tif_win32.c | 8 ++++++++
+ libtiff/tiffio.h | 1 +
+ 4 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 277fdd69..4535ccb3 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -985,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
+ "Invalid buffer size");
+ return (0);
+ }
+- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++ /* Initialize to zero to avoid uninitialized buffers in case of */
++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
+ if (tif->tif_rawdata == NULL) {
+diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
+index 7c7bc961..89dd32e8 100644
+--- a/libtiff/tif_unix.c
++++ b/libtiff/tif_unix.c
+@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
+index d730b3ab..3e9001b7 100644
+--- a/libtiff/tif_win32.c
++++ b/libtiff/tif_win32.c
+@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h
+index 732da17f..fbd9171f 100644
+--- a/libtiff/tiffio.h
++++ b/libtiff/tiffio.h
+@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
+ */
+
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+--
+2.11.0
+
--git a/package/tiff/0008-libtiff-tif_ojpeg.c-fix-leak-in-OJPEGReadHeaderInfoS.patch b/package/tiff/0008-libtiff-tif_ojpeg.c-fix-leak-in-OJPEGReadHeaderInfoS.patch
new file mode 100644
index 0000000..418a3d6
--- /dev/null
+++ b/package/tiff/0008-libtiff-tif_ojpeg.c-fix-leak-in-OJPEGReadHeaderInfoS.patch
@@ -0,0 +1,43 @@
+From 2ea32f7372b65c24b2816f11c04bf59b5090d05b Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 12 Jan 2017 19:23:20 +0000
+Subject: [PATCH] * libtiff/tif_ojpeg.c: fix leak in
+ OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and
+ OJPEGReadHeaderInfoSecTablesAcTable
+
+Fixes CVE-2017-7594
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_ojpeg.c | 6 ++++++
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
+index b92f0ebd..5f6c684c 100644
+--- a/libtiff/tif_ojpeg.c
++++ b/libtiff/tif_ojpeg.c
+@@ -1790,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
+ TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
+ p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ if (p!=64)
++ {
++ _TIFFfree(ob);
+ return(0);
++ }
+ sp->qtable[m]=ob;
+ sp->sof_tq[m]=m;
+ }
+@@ -1854,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->dctable[m]=rb;
+ sp->sos_tda[m]=(m<<4);
+ }
+--
+2.11.0
+
diff --git a/package/tiff/0009-libtiff-tif_ojpeg.c-fix-leak-in-OJPEGReadHeaderInfoS.patch b/package/tiff/0009-libtiff-tif_ojpeg.c-fix-leak-in-OJPEGReadHeaderInfoS.patch
new file mode 100644
index 0000000..a1aae2d
--- /dev/null
+++ b/package/tiff/0009-libtiff-tif_ojpeg.c-fix-leak-in-OJPEGReadHeaderInfoS.patch
@@ -0,0 +1,36 @@
+From 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 12 Jan 2017 17:43:25 +0000
+Subject: [PATCH] libtiff/tif_ojpeg.c: fix leak in
+ OJPEGReadHeaderInfoSecTablesAcTable when read fails.
+ Patch by Nicol??s Pe??a.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes CVE-2017-7594
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_ojpeg.c | 3 +++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
+index f19e8fd0..b92f0ebd 100644
+--- a/libtiff/tif_ojpeg.c
++++ b/libtiff/tif_ojpeg.c
+@@ -1918,7 +1918,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->actable[m]=rb;
+ sp->sos_tda[m]=(sp->sos_tda[m]|m);
+ }
+--
+2.11.0
+
diff --git a/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch b/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch
new file mode 100644
index 0000000..862aae2
--- /dev/null
+++ b/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch
@@ -0,0 +1,35 @@
+From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 12:15:01 +0000
+Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in
+ JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2653
+
+Fixes CVE-2017-7595
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_jpeg.c | 7 +++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
+index 38595f98..6c17c388 100644
+--- a/libtiff/tif_jpeg.c
++++ b/libtiff/tif_jpeg.c
+@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif)
+ case PHOTOMETRIC_YCBCR:
+ sp->h_sampling = td->td_ycbcrsubsampling[0];
+ sp->v_sampling = td->td_ycbcrsubsampling[1];
++ if( sp->h_sampling == 0 || sp->v_sampling == 0 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Invalig horizontal/vertical sampling value");
++ return (0);
++ }
++
+ /*
+ * A ReferenceBlackWhite field *must* be present since the
+ * default value is inappropriate for YCbCr. Fill in the
+--
+2.11.0
+
diff --git a/package/tiff/0011-libtiff-tif_dirread.c-avoid-division-by-floating-poi.patch b/package/tiff/0011-libtiff-tif_dirread.c-avoid-division-by-floating-poi.patch
new file mode 100644
index 0000000..c0c9429
--- /dev/null
+++ b/package/tiff/0011-libtiff-tif_dirread.c-avoid-division-by-floating-poi.patch
@@ -0,0 +1,47 @@
+From 3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 13:28:01 +0000
+Subject: [PATCH] * libtiff/tif_dirread.c: avoid division by floating point 0
+ in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
+ and return 0 in that case (instead of infinity as before presumably)
+ Apparently some sanitizers do not like those divisions by zero. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2644
+
+Fixes CVE-2017-7598
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_dirread.c | 10 ++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 570d0c32..8a1e42aa 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD
+ m.l = direntry->tdir_offset.toff_long8;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong(m.i,2);
+- if (m.i[0]==0)
++ /* Not completely sure what we should do when m.i[1]==0, but some */
++ /* sanitizers do not like division by 0.0: */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++ if (m.i[0]==0 || m.i[1]==0)
+ *value=0.0;
+ else
+ *value=(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF
+ m.l=direntry->tdir_offset.toff_long8;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong(m.i,2);
+- if ((int32)m.i[0]==0)
++ /* Not completely sure what we should do when m.i[1]==0, but some */
++ /* sanitizers do not like division by 0.0: */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++ if ((int32)m.i[0]==0 || m.i[1]==0)
+ *value=0.0;
+ else
+ *value=(double)((int32)m.i[0])/(double)m.i[1];
+--
+2.11.0
+
diff --git a/package/tiff/0012-libtiff-tif_jpeg.c-validate-BitsPerSample-in-JPEGSet.patch b/package/tiff/0012-libtiff-tif_jpeg.c-validate-BitsPerSample-in-JPEGSet.patch
new file mode 100644
index 0000000..4f46d9b
--- /dev/null
+++ b/package/tiff/0012-libtiff-tif_jpeg.c-validate-BitsPerSample-in-JPEGSet.patch
@@ -0,0 +1,35 @@
+From 0a76a8c765c7b8327c59646284fa78c3c27e5490 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 16:13:50 +0000
+Subject: [PATCH] * libtiff/tif_jpeg.c: validate BitsPerSample in
+ JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift
+ exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+Fixes CVE-2017-7601
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_jpeg.c | 7 +++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
+index 6c17c388..192989a9 100644
+--- a/libtiff/tif_jpeg.c
++++ b/libtiff/tif_jpeg.c
+@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif)
+ "Invalig horizontal/vertical sampling value");
+ return (0);
+ }
++ if( td->td_bitspersample > 16 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "BitsPerSample %d not allowed for JPEG",
++ td->td_bitspersample);
++ return (0);
++ }
+
+ /*
+ * A ReferenceBlackWhite field *must* be present since the
+--
+2.11.0
+
diff --git a/package/tiff/0013-libtiff-tif_read.c-avoid-potential-undefined-behavio.patch b/package/tiff/0013-libtiff-tif_read.c-avoid-potential-undefined-behavio.patch
new file mode 100644
index 0000000..d049b13
--- /dev/null
+++ b/package/tiff/0013-libtiff-tif_read.c-avoid-potential-undefined-behavio.patch
@@ -0,0 +1,56 @@
+From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 16:33:34 +0000
+Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
+ signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+Fixes CVE-2017-7602
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libtiff/tif_read.c | 27 ++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 52bbf507..b7aacbda 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
+ return ((tmsize_t)(-1));
+ }
+ } else {
+- tmsize_t ma,mb;
++ tmsize_t ma;
+ tmsize_t n;
+- ma=(tmsize_t)td->td_stripoffset[strip];
+- mb=ma+size;
+- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+- n=0;
+- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+- n=tif->tif_size-ma;
+- else
+- n=size;
++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
++ {
++ n=0;
++ }
++ else if( ma > TIFF_TMSIZE_T_MAX - size )
++ {
++ n=0;
++ }
++ else
++ {
++ tmsize_t mb=ma+size;
++ if (mb>tif->tif_size)
++ n=tif->tif_size-ma;
++ else
++ n=size;
++ }
+ if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+--
+2.11.0
+
^ permalink raw reply related
* [Buildroot] [git commit] libnl: add upstream security fix
From: Peter Korsgaard @ 2017-04-27 12:12 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=5efbd573c0a4df751e038a927c09af5aac1a233e
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
CVE-2017-0553: An elevation of privilege vulnerability in libnl could enable a
local malicious application to execute arbitrary code within the context of
the Wi-Fi service
https://www.mail-archive.com/debian-bugs-dist at lists.debian.org/msg1511855.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libnl/libnl.hash | 1 +
package/libnl/libnl.mk | 2 ++
2 files changed, 3 insertions(+)
diff --git a/package/libnl/libnl.hash b/package/libnl/libnl.hash
index 9761a95..f357927 100644
--- a/package/libnl/libnl.hash
+++ b/package/libnl/libnl.hash
@@ -1,2 +1,3 @@
# From https://github.com/thom311/libnl/releases/download/libnl3_2_29/libnl-3.2.29.tar.gz.sha256sum
sha256 0beb593dc6abfffa18a5c787b27884979c1b7e7f1fd468c801e3cc938a685922 libnl-3.2.29.tar.gz
+sha256 b7bb929194eefc56c786a7e1ae5176b54713f9013ccec63760f232742ae80361 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb.patch
diff --git a/package/libnl/libnl.mk b/package/libnl/libnl.mk
index 6de6825..8226f87 100644
--- a/package/libnl/libnl.mk
+++ b/package/libnl/libnl.mk
@@ -13,6 +13,8 @@ LIBNL_DEPENDENCIES = host-bison host-flex host-pkgconf
# Patching configure.ac
LIBNL_AUTORECONF = YES
+LIBNL_PATCH = https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb.patch
+
ifeq ($(BR2_PACKAGE_LIBNL_TOOLS),y)
LIBNL_CONF_OPTS += --enable-cli
else
^ permalink raw reply related
* [Buildroot] [PATCH] icu: add upstream security fix for utf-8 handling
From: Peter Korsgaard @ 2017-04-27 12:13 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170426125713.6427-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes:
> CVE-2017-7867 - International Components for Unicode (ICU) for C/C++ before
> 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
> related to the utf8TextAccess function in common/utext.cpp and the
> utext_setNativeIndex* function.
> CVE-2017-7868 - International Components for Unicode (ICU) for C/C++ before
> 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
> related to the utf8TextAccess function in common/utext.cpp and the
> utext_moveIndex32* function.
> Upstream: http://bugs.icu-project.org/trac/changeset/39671
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] tiff: add upstream security fixes
From: Peter Korsgaard @ 2017-04-27 12:13 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170426215814.21533-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing
> the following security issues:
> CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
> service (divide-by-zero error and application crash) via a crafted TIFF
> image, related to libtiff/tif_read.c:351:22.
> CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
> service (divide-by-zero error and application crash) via a crafted TIFF
> image, related to libtiff/tif_ojpeg.c:816:8.
> CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
> service (heap-based buffer over-read) or possibly have unspecified other
> impact via a crafted TIFF image, related to "READ of size 512" and
> libtiff/tif_unix.c:340:2.
> CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
> service (heap-based buffer over-read) or possibly have unspecified other
> impact via a crafted TIFF image, related to "READ of size 8" and
> libtiff/tif_read.c:523:22.
> CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer
> overflow in the tools/tiffcp resulting in DoS or code execution via a
> crafted BitsPerSample value.
> CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7
> has a left-shift undefined behavior issue, which might allow remote
> attackers to cause a denial of service (application crash) or possibly have
> unspecified other impact via a crafted image.
> CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata
> is properly initialized, which might allow remote attackers to obtain
> sensitive information from process memory via a crafted image.
> CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in
> tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
> service (memory leak) via a crafted image.
> CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7
> allows remote attackers to cause a denial of service (divide-by-zero error
> and application crash) via a crafted image.
> CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers
> to cause a denial of service (divide-by-zero error and application crash)
> via a crafted image.
> CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit
> type long" undefined behavior issue, which might allow remote attackers to
> cause a denial of service (application crash) or possibly have unspecified
> other impact via a crafted image.
> CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might
> allow remote attackers to cause a denial of service (application crash) or
> possibly have unspecified other impact via a crafted image.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] libnl: add upstream security fix
From: Peter Korsgaard @ 2017-04-27 12:13 UTC (permalink / raw)
To: buildroot
In-Reply-To: <b4aa22c38bf917ebab1e80069dacbe2c892e9bc1.1493290258.git.baruch@tkos.co.il>
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> CVE-2017-0553: An elevation of privilege vulnerability in libnl could enable a
> local malicious application to execute arbitrary code within the context of
> the Wi-Fi service
> https://www.mail-archive.com/debian-bugs-dist at lists.debian.org/msg1511855.html
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] aircrack-ng: don't build SSE code for non SSE target
From: Peter Korsgaard @ 2017-04-27 12:16 UTC (permalink / raw)
To: buildroot
In-Reply-To: <5343392152d546eef2d82eb4b98f78e82db64054.1493292614.git.baruch@tkos.co.il>
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixes:
> http://autobuild.buildroot.net/results/763/7631470016f923e8f4a7696e65437c71b8668b6e/
> http://autobuild.buildroot.net/results/621/621588651b5cf54726bbf5361399a2dc301b8a29/
> http://autobuild.buildroot.net/results/628/628a66ef766308fba699f1faa942306e600e5575/
> Cc: Laurent Cans <laurent.cans@gmail.com>
> Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [git commit] aircrack-ng: don't build SSE code for non SSE target
From: Peter Korsgaard @ 2017-04-27 12:16 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=dc1287ee8acf44b0842136fea90ca99e6b083035
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes:
http://autobuild.buildroot.net/results/763/7631470016f923e8f4a7696e65437c71b8668b6e/
http://autobuild.buildroot.net/results/621/621588651b5cf54726bbf5361399a2dc301b8a29/
http://autobuild.buildroot.net/results/628/628a66ef766308fba699f1faa942306e600e5575/
Cc: Laurent Cans <laurent.cans@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/aircrack-ng/aircrack-ng.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/package/aircrack-ng/aircrack-ng.mk b/package/aircrack-ng/aircrack-ng.mk
index b728624..6b384c0 100644
--- a/package/aircrack-ng/aircrack-ng.mk
+++ b/package/aircrack-ng/aircrack-ng.mk
@@ -53,6 +53,12 @@ else
AIRCRACK_NG_MAKE_OPTS += sqlite=false
endif
+ifeq ($(BR2_X86_CPU_HAS_SSE),y)
+AIRCRACK_NG_MAKE_OPTS += NEWSSE=true
+else
+AIRCRACK_NG_MAKE_OPTS += NEWSSE=false
+endif
+
define AIRCRACK_NG_BUILD_CMDS
$(TARGET_CONFIGURE_OPTS) LDFLAGS="$(AIRCRACK_NG_LDFLAGS)" \
$(MAKE) -C $(@D) $(AIRCRACK_NG_MAKE_OPTS)
^ permalink raw reply related
* [Buildroot] [PATCH v2 1/1] package/libqmi: bump version to 1.18.0
From: Matt Weber @ 2017-04-27 12:52 UTC (permalink / raw)
To: buildroot
udev support was added with this bump, however
the support was disabled, as Buildroot currently
doesn't support the gudev package. libqmi is
looking for the Gobject bindings provided by
that package to access libudev.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
v1 -> v2
- No functional changes
- Updated commit description to include reason
for udev disabling. (Suggested by Peter K.)
---
package/libqmi/libqmi.hash | 2 +-
package/libqmi/libqmi.mk | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libqmi/libqmi.hash b/package/libqmi/libqmi.hash
index 08da1ae..3f40154 100644
--- a/package/libqmi/libqmi.hash
+++ b/package/libqmi/libqmi.hash
@@ -1,2 +1,2 @@
# Locally computed:
-sha256 7ab6bb47fd23bf4d3fa17424e40ea5552d08b19e5ee4f125f21f316c8086ba2a libqmi-1.16.0.tar.xz
+sha256 a0a42c55935e75a630208e2f70840bd4407f56fe1c5258f5b0f6c0aaedf88cec libqmi-1.18.0.tar.xz
diff --git a/package/libqmi/libqmi.mk b/package/libqmi/libqmi.mk
index caa4398..92b635d 100644
--- a/package/libqmi/libqmi.mk
+++ b/package/libqmi/libqmi.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBQMI_VERSION = 1.16.0
+LIBQMI_VERSION = 1.18.0
LIBQMI_SITE = http://www.freedesktop.org/software/libqmi
LIBQMI_SOURCE = libqmi-$(LIBQMI_VERSION).tar.xz
LIBQMI_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
@@ -13,7 +13,7 @@ LIBQMI_INSTALL_STAGING = YES
LIBQMI_DEPENDENCIES = libglib2
-# we don't want -Werror
-LIBQMI_CONF_OPTS = --enable-more-warnings=no
+# we don't want -Werror and disable gudev Gobject bindings
+LIBQMI_CONF_OPTS = --enable-more-warnings=no --without-udev
$(eval $(autotools-package))
--
1.9.1
^ permalink raw reply related
* [Buildroot] [PATCH 1/1] package/libqmi: bump version to 1.18.0
From: Matthew Weber @ 2017-04-27 12:53 UTC (permalink / raw)
To: buildroot
In-Reply-To: <87fugukrcc.fsf@dell.be.48ers.dk>
Peter,
On Thu, Apr 27, 2017 at 6:44 AM, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Matthew" == Matthew Weber <matthew.weber@rockwellcollins.com> writes:
>
> Hi,
>
> >> > -# we don't want -Werror
> >> > -LIBQMI_CONF_OPTS = --enable-more-warnings=no
> >> > +# we don't want -Werror and disable gudev Gobject bindings
> >>
> >> Why? It would be good to describe why we don't want udev support.
>
>
> > Sure, should I add more to the comment in the file or patch submission
> > that the gudev package currently isn't part of buildroot to provide
> > the Gobject bindings between libqmi and eudev?
>
> Just adding it in the patch description is fine, thanks!
>
https://patchwork.ozlabs.org/patch/756021/
Thanks!
^ permalink raw reply
* [Buildroot] [git commit] package/libqmi: bump version to 1.18.0
From: Peter Korsgaard @ 2017-04-27 13:27 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=2ef966fb302732581084102ce509dc0e1d5e1d2f
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
udev support was added with this bump, however
the support was disabled, as Buildroot currently
doesn't support the gudev package. libqmi is
looking for the Gobject bindings provided by
that package to access libudev.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libqmi/libqmi.hash | 2 +-
package/libqmi/libqmi.mk | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libqmi/libqmi.hash b/package/libqmi/libqmi.hash
index 08da1ae..3f40154 100644
--- a/package/libqmi/libqmi.hash
+++ b/package/libqmi/libqmi.hash
@@ -1,2 +1,2 @@
# Locally computed:
-sha256 7ab6bb47fd23bf4d3fa17424e40ea5552d08b19e5ee4f125f21f316c8086ba2a libqmi-1.16.0.tar.xz
+sha256 a0a42c55935e75a630208e2f70840bd4407f56fe1c5258f5b0f6c0aaedf88cec libqmi-1.18.0.tar.xz
diff --git a/package/libqmi/libqmi.mk b/package/libqmi/libqmi.mk
index caa4398..92b635d 100644
--- a/package/libqmi/libqmi.mk
+++ b/package/libqmi/libqmi.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBQMI_VERSION = 1.16.0
+LIBQMI_VERSION = 1.18.0
LIBQMI_SITE = http://www.freedesktop.org/software/libqmi
LIBQMI_SOURCE = libqmi-$(LIBQMI_VERSION).tar.xz
LIBQMI_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
@@ -13,7 +13,7 @@ LIBQMI_INSTALL_STAGING = YES
LIBQMI_DEPENDENCIES = libglib2
-# we don't want -Werror
-LIBQMI_CONF_OPTS = --enable-more-warnings=no
+# we don't want -Werror and disable gudev Gobject bindings
+LIBQMI_CONF_OPTS = --enable-more-warnings=no --without-udev
$(eval $(autotools-package))
^ permalink raw reply related
* [Buildroot] [PATCH v2 1/1] package/libqmi: bump version to 1.18.0
From: Peter Korsgaard @ 2017-04-27 13:28 UTC (permalink / raw)
To: buildroot
In-Reply-To: <1493297522-20545-1-git-send-email-matthew.weber@rockwellcollins.com>
>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:
> udev support was added with this bump, however
> the support was disabled, as Buildroot currently
> doesn't support the gudev package. libqmi is
> looking for the Gobject bindings provided by
> that package to access libudev.
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH 1/2] linux-headers: bump 4.{4,9,10}.x series
From: Vicente Olivert Riera @ 2017-04-27 13:43 UTC (permalink / raw)
To: buildroot
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
---
| 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--git a/package/linux-headers/Config.in.host b/package/linux-headers/Config.in.host
index b574e65..846c825 100644
--- a/package/linux-headers/Config.in.host
+++ b/package/linux-headers/Config.in.host
@@ -218,7 +218,7 @@ config BR2_DEFAULT_KERNEL_HEADERS
default "3.10.105" if BR2_KERNEL_HEADERS_3_10
default "3.12.73" if BR2_KERNEL_HEADERS_3_12
default "4.1.39" if BR2_KERNEL_HEADERS_4_1
- default "4.4.63" if BR2_KERNEL_HEADERS_4_4
- default "4.9.24" if BR2_KERNEL_HEADERS_4_9
- default "4.10.12" if BR2_KERNEL_HEADERS_4_10
+ default "4.4.64" if BR2_KERNEL_HEADERS_4_4
+ default "4.9.25" if BR2_KERNEL_HEADERS_4_9
+ default "4.10.13" if BR2_KERNEL_HEADERS_4_10
default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION
--
2.10.2
^ permalink raw reply related
* [Buildroot] [PATCH 2/2] linux: bump default version to 4.10.13
From: Vicente Olivert Riera @ 2017-04-27 13:43 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170427134329.60945-1-Vincent.Riera@imgtec.com>
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
---
linux/Config.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux/Config.in b/linux/Config.in
index b651152..dc19a62 100644
--- a/linux/Config.in
+++ b/linux/Config.in
@@ -26,7 +26,7 @@ choice
prompt "Kernel version"
config BR2_LINUX_KERNEL_LATEST_VERSION
- bool "Latest version (4.10.12)"
+ bool "Latest version (4.10.13)"
config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
bool "Latest CIP SLTS version (v4.4.55-cip3)"
@@ -116,7 +116,7 @@ endif
config BR2_LINUX_KERNEL_VERSION
string
- default "4.10.12" if BR2_LINUX_KERNEL_LATEST_VERSION
+ default "4.10.13" if BR2_LINUX_KERNEL_LATEST_VERSION
default "v4.4.55-cip3" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \
if BR2_LINUX_KERNEL_CUSTOM_VERSION
--
2.10.2
^ permalink raw reply related
* [Buildroot] [PATCH 1/1] package/live555: bump version to 2017.04.26
From: Bernd Kuhls @ 2017-04-27 14:40 UTC (permalink / raw)
To: buildroot
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
package/live555/live555.hash | 4 ++--
package/live555/live555.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/live555/live555.hash b/package/live555/live555.hash
index 16f7077440..c06e13b12e 100644
--- a/package/live555/live555.hash
+++ b/package/live555/live555.hash
@@ -1,4 +1,4 @@
# From http://live555.com/liveMedia/public/live555-latest-md5.txt
-md5 df4ad1d60c2f5ae8155fb077bb011ab3 live.2016.03.16.tar.gz
+md5 7155e2d7313ef92929a8268856f0551c live.2017.04.26.tar.gz
# Locally generated
-sha256 6f98a96d4cf6e986c7711f0a2431c02cb807a8107d6715eb491a6ed9d0446cf6 live.2016.03.16.tar.gz
+sha256 a97372c84d49520dbaa595b65c39800fbd7813e717b5df9cd6c70308ce1a6033 live.2017.04.26.tar.gz
diff --git a/package/live555/live555.mk b/package/live555/live555.mk
index a6dd13c06d..e51b588082 100644
--- a/package/live555/live555.mk
+++ b/package/live555/live555.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIVE555_VERSION = 2016.03.16
+LIVE555_VERSION = 2017.04.26
LIVE555_SOURCE = live.$(LIVE555_VERSION).tar.gz
LIVE555_SITE = http://www.live555.com/liveMedia/public
LIVE555_LICENSE = LGPL-2.1+
--
2.11.0
^ permalink raw reply related
* [Buildroot] [git commit] linux-headers: bump 4.{4,9,10}.x series
From: Peter Korsgaard @ 2017-04-27 15:03 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=431bd936a154c16cab8dcf18563641949eed1cb1
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
| 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--git a/package/linux-headers/Config.in.host b/package/linux-headers/Config.in.host
index b574e65..846c825 100644
--- a/package/linux-headers/Config.in.host
+++ b/package/linux-headers/Config.in.host
@@ -218,7 +218,7 @@ config BR2_DEFAULT_KERNEL_HEADERS
default "3.10.105" if BR2_KERNEL_HEADERS_3_10
default "3.12.73" if BR2_KERNEL_HEADERS_3_12
default "4.1.39" if BR2_KERNEL_HEADERS_4_1
- default "4.4.63" if BR2_KERNEL_HEADERS_4_4
- default "4.9.24" if BR2_KERNEL_HEADERS_4_9
- default "4.10.12" if BR2_KERNEL_HEADERS_4_10
+ default "4.4.64" if BR2_KERNEL_HEADERS_4_4
+ default "4.9.25" if BR2_KERNEL_HEADERS_4_9
+ default "4.10.13" if BR2_KERNEL_HEADERS_4_10
default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION
^ permalink raw reply related
* [Buildroot] [git commit] linux: bump default version to 4.10.13
From: Peter Korsgaard @ 2017-04-27 15:03 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=6f24afad92bac1f320d794945be61e367ffc6738
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
linux/Config.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux/Config.in b/linux/Config.in
index b651152..dc19a62 100644
--- a/linux/Config.in
+++ b/linux/Config.in
@@ -26,7 +26,7 @@ choice
prompt "Kernel version"
config BR2_LINUX_KERNEL_LATEST_VERSION
- bool "Latest version (4.10.12)"
+ bool "Latest version (4.10.13)"
config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
bool "Latest CIP SLTS version (v4.4.55-cip3)"
@@ -116,7 +116,7 @@ endif
config BR2_LINUX_KERNEL_VERSION
string
- default "4.10.12" if BR2_LINUX_KERNEL_LATEST_VERSION
+ default "4.10.13" if BR2_LINUX_KERNEL_LATEST_VERSION
default "v4.4.55-cip3" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \
if BR2_LINUX_KERNEL_CUSTOM_VERSION
^ permalink raw reply related
* [Buildroot] [PATCH 1/2] linux-headers: bump 4.{4, 9, 10}.x series
From: Peter Korsgaard @ 2017-04-27 15:03 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170427134329.60945-1-Vincent.Riera@imgtec.com>
>>>>> "Vicente" == Vicente Olivert Riera <Vincent.Riera@imgtec.com> writes:
> Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Committed both, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH 1/1] Create 'make <pkt>-show-rrdepends' command
From: George Redivo @ 2017-04-27 15:04 UTC (permalink / raw)
To: buildroot
The created command shows, recursively, the reverse depends of a
package,
it means that the command shows not only the direct dependants (which is
done by 'show-rdepends'), but also all indirect dependents.
To do this it was necessary to create a new parameter '--flat-list', or
'-f', to graph-depends.
This parameter instructs the script to just print the name of package
instead of the .dot syntax.
Signed-off-by: George Redivo <george.redivo@datacom.ind.br>
---
Makefile | 1 +
package/pkg-generic.mk | 10 ++++++++++
support/scripts/graph-depends | 16 ++++++++++++----
3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 919d589..61943d8 100644
--- a/Makefile
+++ b/Makefile
@@ -996,6 +996,7 @@ help:
@echo ' <pkg>-build - Build <pkg> up to the build step'
@echo ' <pkg>-show-depends - List packages on which <pkg> depends'
@echo ' <pkg>-show-rdepends - List packages which have <pkg> as a dependency'
+ @echo ' <pkg>-show-rrdepends - List, recursivelly, packages which have <pkg> as a dependency'
@echo ' <pkg>-graph-depends - Generate a graph of <pkg>'\''s dependencies'
@echo ' <pkg>-graph-rdepends - Generate a graph of <pkg>'\''s reverse dependencies'
@echo ' <pkg>-dirclean - Remove <pkg> build directory'
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 3b26e6b..c0f83b6 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -353,6 +353,13 @@ define pkg-graph-depends
$$(GRAPHS_DIR)/$$(@).dot
endef
+define pkg-rrdepends
+ @$$(INSTALL) -d $$(GRAPHS_DIR)
+ @cd "$$(CONFIG_DIR)"; \
+ $$(TOPDIR)/support/scripts/graph-depends $$(BR2_GRAPH_DEPS_OPTS) \
+ -p $(1) --reverse -f
+endef
+
################################################################################
# inner-generic-package -- generates the make targets needed to build a
# generic package
@@ -737,6 +744,9 @@ $(1)-show-depends:
$(1)-show-rdepends:
@echo $$($(2)_RDEPENDENCIES)
+$(1)-show-rrdepends:
+ $(call pkg-rrdepends,$(1))
+
$(1)-show-build-order: $$(patsubst %,%-show-build-order,$$($(2)_FINAL_ALL_DEPENDENCIES))
$$(info $(1))
diff --git a/support/scripts/graph-depends b/support/scripts/graph-depends
index b258c56..f6fec09 100755
--- a/support/scripts/graph-depends
+++ b/support/scripts/graph-depends
@@ -69,6 +69,8 @@ parser.add_argument("--direct", dest="direct", action='store_true', default=True
help="Draw direct dependencies (the default)")
parser.add_argument("--reverse", dest="direct", action='store_false',
help="Draw reverse dependencies")
+parser.add_argument("--flat-list", '-f', dest="flat_list", action='store_true', default=False,
+ help="Do not draw, just print a flat list output.")
args = parser.parse_args()
check_only = args.check_only
@@ -361,7 +363,10 @@ def print_pkg_deps(depth, pkg):
if pkg in done_deps:
return
done_deps.append(pkg)
- print_attrs(pkg)
+ if args.flat_list:
+ outfile.write("%s\n" % (pkg))
+ else:
+ print_attrs(pkg)
if pkg not in dict_deps:
return
for p in stop_list:
@@ -385,13 +390,16 @@ def print_pkg_deps(depth, pkg):
add = False
break
if add:
- outfile.write("%s -> %s [dir=%s]\n" % (pkg_node_name(pkg), pkg_node_name(d), arrow_dir))
+ if not args.flat_list:
+ outfile.write("%s -> %s [dir=%s]\n" % (pkg_node_name(pkg), pkg_node_name(d), arrow_dir))
print_pkg_deps(depth+1, d)
# Start printing the graph data
-outfile.write("digraph G {\n")
+if not args.flat_list:
+ outfile.write("digraph G {\n")
done_deps = []
print_pkg_deps(0, rootpkg)
-outfile.write("}\n")
+if not args.flat_list:
+ outfile.write("}\n")
--
1.9.1
^ permalink raw reply related
* [Buildroot] [git commit] package/live555: bump version to 2017.04.26
From: Peter Korsgaard @ 2017-04-27 15:28 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=833082fdb4c7c242a24486cffffc1e9a6f597732
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/live555/live555.hash | 4 ++--
package/live555/live555.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/live555/live555.hash b/package/live555/live555.hash
index 16f7077..c06e13b 100644
--- a/package/live555/live555.hash
+++ b/package/live555/live555.hash
@@ -1,4 +1,4 @@
# From http://live555.com/liveMedia/public/live555-latest-md5.txt
-md5 df4ad1d60c2f5ae8155fb077bb011ab3 live.2016.03.16.tar.gz
+md5 7155e2d7313ef92929a8268856f0551c live.2017.04.26.tar.gz
# Locally generated
-sha256 6f98a96d4cf6e986c7711f0a2431c02cb807a8107d6715eb491a6ed9d0446cf6 live.2016.03.16.tar.gz
+sha256 a97372c84d49520dbaa595b65c39800fbd7813e717b5df9cd6c70308ce1a6033 live.2017.04.26.tar.gz
diff --git a/package/live555/live555.mk b/package/live555/live555.mk
index a6dd13c..e51b588 100644
--- a/package/live555/live555.mk
+++ b/package/live555/live555.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIVE555_VERSION = 2016.03.16
+LIVE555_VERSION = 2017.04.26
LIVE555_SOURCE = live.$(LIVE555_VERSION).tar.gz
LIVE555_SITE = http://www.live555.com/liveMedia/public
LIVE555_LICENSE = LGPL-2.1+
^ permalink raw reply related
* [Buildroot] [PATCH 1/1] package/live555: bump version to 2017.04.26
From: Peter Korsgaard @ 2017-04-27 15:28 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170427144041.19425-1-bernd.kuhls@t-online.de>
>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] Restore .git directory in git package downloads
From: Ricardo Martincoski @ 2017-04-27 17:52 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170426041048.xsxovkh53dhcif4l@sapphire.tkos.co.il>
Baruch, James,
On Wednesday, April 26, 2017 1:10:48 AM, Baruch Siach wrote:
> Hi James,
>
> On Tue, Apr 25, 2017 at 10:52:19PM -0500, James Balean wrote:
>> On 20 April 2017 at 09:22, Ricardo Martincoski
>> <ricardo.martincoski@gmail.com> wrote:
>> > - it would make the tarballs for git packages not reproducible as the
>> > contents now depend on the state of the remote server (i.e. in some
>> > cases a full clone is needed; assume a tarball is generated, then a
>> > new commit is created in the remote server in any branch, a new full
>> > clone with the same reference as version would include that new commit
>> > and therefore the tarball is different);
>>
>> Isn't it already the case that git tarballs are not reproducible? For
>> example, after a tarball is generated from a clone of 'master' or a tag,
>> Buildroot doesn't check and re-clone when changes are made to the branch
>> or tag on subsequent builds.
>
> For this reason we only use immutable git references (either commits ids or
> tags) for git downloaded <PKG>_VERSION.
>
>> Additionally, the same tarball filename is
>> also used for a full clone if a shallow clone fails. So tarballs can
>> already differ markedly between users.
>
> The content of the source tree should be the same for a given git reference,
> regardless of the clone type.
Indeed. Tarballs for git packages are already reproducible.
> Buildroot has been verifying git generated tarballs using hashes in
> packages/<pkg>/<pkg>.hash files for some time now without an issue, AFAIK.
Not yet, but we are almost there, see
http://patchwork.ozlabs.org/patch/741360/
Regards,
Ricardo
^ permalink raw reply
* [Buildroot] [git commit] python-django: security bump to version 1.10.7
From: Peter Korsgaard @ 2017-04-27 19:27 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=3a66a81b7a9db8e45f15fa63cc0670d158003d5a
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes the following security issues:
Since 1.10.3:
CVE-2016-9013 - User with hardcoded password created when running tests on
Oracle
Marti Raudsepp reported that a user with a hardcoded password is created
when running tests with an Oracle database.
CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True
Aymeric Augustin discovered that Django does not properly validate the Host
header against settings.ALLOWED_HOSTS when the debug setting is enabled. A
remote attacker can take advantage of this flaw to perform DNS rebinding
attacks.
Since 1.10.7:
CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
numeric redirect URLs
It was discovered that is_safe_url() does not properly handle certain
numeric URLs as safe. A remote attacker can take advantage of this flaw to
perform XSS attacks or to use a Django server as an open redirect.
CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()
Phithon from Chaitin Tech discovered an open redirect vulnerability in the
django.views.static.serve() view. Note that this view is not intended for
production use.
Cc: Oli Vogt <oli.vogt.pub01@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index 38b303b..09be184 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,3 +1,3 @@
# md5 from https://pypi.python.org/pypi/django/json, sha256 locally computed
-md5 5342e77374b2acd2eafa86d2bb68f8c9 Django-1.10.2.tar.gz
-sha256 e127f12a0bfb34843b6e8c82f91e26fff6445a7ca91d222c0794174cf97cbce1 Django-1.10.2.tar.gz
+md5 693dfeabad62c561cb205900d32c2a98 Django-1.10.7.tar.gz
+sha256 593d779dbc2350a245c4f76d26bdcad58a39895e87304fe6d725bbdf84b5b0b8 Django-1.10.7.tar.gz
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 9065a68..9056f00 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 1.10.2
+PYTHON_DJANGO_VERSION = 1.10.7
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://pypi.python.org/packages/57/9e/59444485f092b6ed4f1931e7d2e13b67fdab967c041d02f58a0d1dab8c23
+PYTHON_DJANGO_SITE = https://pypi.python.org/packages/15/b4/d4bb7313e02386bd23a60e1eb5670321313fb67289c6f36ec43bce747aff
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
PYTHON_DJANGO_SETUP_TYPE = setuptools
^ permalink raw reply related
* [Buildroot] [PATCH] python-django: security bump to version 1.10.7
From: Peter Korsgaard @ 2017-04-27 19:27 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170427073718.28757-1-peter@korsgaard.com>
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> Since 1.10.3:
> CVE-2016-9013 - User with hardcoded password created when running tests on
> Oracle
> Marti Raudsepp reported that a user with a hardcoded password is created
> when running tests with an Oracle database.
> CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True
> Aymeric Augustin discovered that Django does not properly validate the Host
> header against settings.ALLOWED_HOSTS when the debug setting is enabled. A
> remote attacker can take advantage of this flaw to perform DNS rebinding
> attacks.
> Since 1.10.7:
> CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
> numeric redirect URLs
> It was discovered that is_safe_url() does not properly handle certain
> numeric URLs as safe. A remote attacker can take advantage of this flaw to
> perform XSS attacks or to use a Django server as an open redirect.
> CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()
> Phithon from Chaitin Tech discovered an open redirect vulnerability in the
> django.views.static.serve() view. Note that this view is not intended for
> production use.
> Cc: Oli Vogt <oli.vogt.pub01@gmail.com>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply
* [Buildroot] [PATCH] libmpeg2: fix sparc32 build
From: Arnout Vandecappelle @ 2017-04-27 19:30 UTC (permalink / raw)
To: buildroot
In-Reply-To: <20170427112243.2b5693c0@free-electrons.com>
On 27-04-17 11:22, Thomas Petazzoni wrote:
> Hello,
>
> On Thu, 27 Apr 2017 11:15:34 +0200, Peter Korsgaard wrote:
>
>> > I am not sure this is the completely correct solution, and Arnout
>> > proposed another solution, see:
>>
>> > https://patchwork.ozlabs.org/patch/749138/
>> > https://patchwork.ozlabs.org/patch/749137/
>>
>> > The second patch has the explanation why Waldemar patch is not really
>> > correct.
>>
>> Ok. Can I take this as an acked-by for the check-bin-arch / pkg-generic
>> changes then? ;)
>
> I haven't reviewed the implementation details, but on the general
> principles, yes, I'm OK. It's a bit annoying to extend the package
> infrastructure for such a specific case, but I don't really see a
> better solution here, except hacking libmpeg2 to remove the runtime
> detection logic.
>
> On the other hand, do we care enough about libmpeg2 on SPARC to extend
> the package infrastructure just for this purpose? In the end, even if
> Waldemar's solution is not "correct", it avoids the need to extend the
> package infrastructure just for a purpose of a single package that will
> most likely never ever be used on SPARC.
>
> Arnout, what do you think?
When I spun that patch, I expected there would be more use cases than just
libmpeg2. But the autobuilders don't point to anything obvious, so perhaps not.
I've marked as Rejected in patchwork. We can pick it up again if something else
turns up.
Regards,
Arnout
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox