* [PATCH 0/2] Upgrade libav and fix one qemu cve issue
From: Kai Kang @ 2015-05-26 7:14 UTC
To: openembedded-core

The following changes since commit 971ce829df02cf6970d2a4af377704b8930feee9:

  bitbake: data: Move warning code to the first loop for performance (2015-05-25 09:00:58 +0100)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib kangkai/CVEs
  http://git.yoctoproject.org/cgit.cgi//log/?h=kangkai/CVEs

Kai Kang (2):
  qemu: fix CVE-2015-3456
  libav: upgrade to 9.18

 .../qemu/qemu/qemu-CVE-2015-3456.patch | 92 ++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.3.0.bb | 1 +
 meta/recipes-multimedia/libav/libav.inc | 2 -
 .../libav/libav/libav-fix-CVE-2014-9676.patch | 98 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.16.bb | 4 -
 meta/recipes-multimedia/libav/libav_9.18.bb | 6 ++
 6 files changed, 197 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
 delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb
 create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb

--
1.9.1
* [PATCH 1/2] qemu: fix CVE-2015-3456
From: Kai Kang @ 2015-05-26 7:14 UTC
To: openembedded-core

Backport patch to fix qemu CVE issue CVE-2015-3456.

Refs:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../qemu/qemu/qemu-CVE-2015-3456.patch | 92 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.3.0.bb | 1 +
 2 files changed, 93 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch

diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch new file mode 100644 index 0000000..f05441f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch 
@@ -0,0 +1,92 @@ +qemu: CVE-2015-3456 + +the patch comes from: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456 +http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +Signed-off-by: John Snow <jsnow@redhat.com> +Signed-off-by: Li Wang <li.wang@windriver.com> + +Upstream-Status: Backport + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 490d127..045459e 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { 
+ /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +1.7.9.5 + diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb index 25c5e4d..4782941 100644 --- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://qemu-enlarge-env-entry-size.patch \ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ + file://qemu-CVE-2015-3456.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221" -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
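Review bot: In the fdctrl_handle_drive_specification_command() hunk, `pos = fdctrl->data_pos - 1;` depends on unsigned wraparound when data_pos is 0: pos becomes UINT32_MAX before `pos %= FD_SECTOR_LEN`, so the index stays in bounds but only lands on FD_SECTOR_LEN - 1 when FD_SECTOR_LEN is a power of two. The hunk also takes for granted that fifo holds at least FD_SECTOR_LEN bytes, which this diff does not show. A one-line comment above the modulo stating both assumptions would make the bound checkable by the next person who touches the recipe or rebases the patch.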
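Review bot: In the fdctrl_write_data() hunk only the local index is bounded (`pos = fdctrl->data_pos++; pos %= FD_SECTOR_LEN;`); fdctrl->data_pos itself is still incremented without a limit, and the only visible stop condition is `fdctrl->data_pos == fdctrl->data_len`. The access is therefore in bounds, but a guest that never satisfies that condition keeps writing and later bytes wrap onto the start of the fifo rather than being rejected. Please note in the patch header that the fix clamps the index and does not validate data_pos, so that a later upstream change which resets or errors out on overrun is recognised as a follow-up rather than a duplicate.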
* [PATCH 2/2] libav: upgrade to 9.18
From: Kai Kang @ 2015-05-26 7:14 UTC
To: openembedded-core

Upgrade libav from version 9.16 to 9.18. Remove unused var INC_PR and
backport patch to fix CVE-2014-9676.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-multimedia/libav/libav.inc | 2 -
 .../libav/libav/libav-fix-CVE-2014-9676.patch | 98 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.16.bb | 4 -
 meta/recipes-multimedia/libav/libav_9.18.bb | 6 ++
 4 files changed, 104 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
 delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb
 create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb

diff --git a/meta/recipes-multimedia/libav/libav.inc b/meta/recipes-multimedia/libav/libav.inc index cac836f..6ef273b 100644 --- a/meta/recipes-multimedia/libav/libav.inc +++ b/meta/recipes-multimedia/libav/libav.inc @@ -24,8 +24,6 @@ ARM_INSTRUCTION_SET = "arm" DEPENDS = "alsa-lib zlib libogg yasm-native" -INC_PR = "r8" - inherit autotools pkgconfig B = "${S}/build.${HOST_SYS}.${TARGET_SYS}" diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch new file mode 100644 index 0000000..1e31caa --- /dev/null +++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch 
@@ -0,0 +1,98 @@ +Upstream-Status: Backport + +Backport patch to fix CVE-2014-9676. + +https://security-tracker.debian.org/tracker/CVE-2014-9676 +https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- +From b3f04657368a32a9903406395f865e230b1de348 Mon Sep 17 00:00:00 2001 +From: Luca Barbato <lu_zero@gentoo.org> +Date: Mon, 5 Jan 2015 10:40:41 +0100 +Subject: [PATCH] segment: Fix the failure paths + +A failure in segment_end() or segment_start() would lead to freeing +a dangling pointer and in general further calls to seg_write_packet() +or to seg_write_trailer() would have the same faulty behaviour. + +CC: libav-stable@libav.org +Reported-By: luodalongde@gmail.com +--- + libavformat/segment.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/libavformat/segment.c b/libavformat/segment.c +index 52da6b9..bcfd1f9 100644 +--- a/libavformat/segment.c ++++ b/libavformat/segment.c +@@ -184,6 +184,13 @@ static void close_null_ctx(AVIOContext *pb) + av_free(pb); + } + ++static void seg_free_context(SegmentContext *seg) ++{ ++ avio_closep(&seg->pb); ++ avformat_free_context(seg->avf); ++ seg->avf = NULL; ++} ++ + static int seg_write_header(AVFormatContext *s) + { + SegmentContext *seg = s->priv_data; +@@ -265,12 +272,9 @@ static int seg_write_header(AVFormatContext *s) + } + + fail: +- if (ret) { +- if (seg->list) +- avio_close(seg->pb); +- if (seg->avf) +- avformat_free_context(seg->avf); +- } ++ if (ret < 0) ++ seg_free_context(seg); ++ + return ret; + } + +@@ -282,6 +286,9 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) + int64_t end_pts = seg->recording_time * seg->number; + int ret, can_split = 1; + ++ if (!oc) ++ return AVERROR(EINVAL); ++ + if (seg->has_video) { + can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + pkt->flags & AV_PKT_FLAG_KEY; +@@ -322,11 +329,8 @@ static int 
seg_write_packet(AVFormatContext *s, AVPacket *pkt) + ret = ff_write_chained(oc, pkt->stream_index, pkt, s); + + fail: +- if (ret < 0) { +- if (seg->list) +- avio_close(seg->pb); +- avformat_free_context(oc); +- } ++ if (ret < 0) ++ seg_free_context(seg); + + return ret; + } +@@ -335,7 +339,11 @@ static int seg_write_trailer(struct AVFormatContext *s) + { + SegmentContext *seg = s->priv_data; + AVFormatContext *oc = seg->avf; +- int ret; ++ int ret = 0; ++ ++ if (!oc) ++ goto fail; ++ + if (!seg->write_header_trailer) { + if ((ret = segment_end(oc, 0)) < 0) + goto fail; +-- +2.4.1.314.g9532ead + diff --git a/meta/recipes-multimedia/libav/libav_9.16.bb b/meta/recipes-multimedia/libav/libav_9.16.bb deleted file mode 100644 index 79ff3f8..0000000 --- a/meta/recipes-multimedia/libav/libav_9.16.bb +++ /dev/null @@ -1,4 +0,0 @@ -require libav.inc - -SRC_URI[md5sum] = "7b44b75cec24b8e7545e5029e76917e0" -SRC_URI[sha256sum] = "ca846473b0b8ed8e3404c52e5e92df6d35cb5fa487eec498525de3ffda4367a0" diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb new file mode 100644 index 0000000..210a649 --- /dev/null +++ b/meta/recipes-multimedia/libav/libav_9.18.bb @@ -0,0 +1,6 @@ +require libav.inc + +SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0" +SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7" + +SRC_URI += "file://libav-fix-CVE-2014-9676.patch" -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
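Review bot: The two new `if (!oc)` guards treat an already-freed context differently: seg_write_packet() returns AVERROR(EINVAL), while the seg_write_trailer() hunk does `goto fail` with ret newly initialised to 0. Unless the code at the fail label, which is outside the visible context, changes ret, the trailer reports success after an earlier failure. Please check the fail path of seg_write_trailer() in the 9.18 source for safety with seg->avf == NULL, and say in the patch header whether the 0 return is intended.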
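Review bot: The new seg_free_context() calls `avio_closep(&seg->pb);` unconditionally, whereas both removed fail paths closed seg->pb only under `if (seg->list)`, so the close now also runs when no list was opened. The embedded patch is upstream commit b3f04657368a32a9903406395f865e230b1de348 carried as a backport, not a diff generated against 9.18, so please confirm that avio_closep() exists in the 9.18 tree, that it is safe on a pb that was never opened, and that the hunks apply without fuzz, and record the result in the commit message.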
* Re: [PATCH 2/2] libav: upgrade to 9.18
From: Randy MacLeod @ 2015-05-27 1:24 UTC
To: Kai Kang, openembedded-core

On 2015-05-26 03:14 AM, Kai Kang wrote:
> Upgrade libav from version 9.16 to 9.18. Remove unused var INC_PR and
> backport patch to fix CVE-2014-9676.

We can keep that version if people want it but it's almost pretty old.

Version 11.3 is the latest branch.
Libav 11.3
https://libav.org/releases/libav-11.3.release

Oh and on the 11 branch, the CVE fix is in commit:

libav.git $ git branch --contains f6c82b34
* release/11

found by looking at your commit b3f0465, then finding a new
function seg_free_context and then:
$ git blame libavformat/segment.c | grep seg_free_context

There are some packages that depend on libav:
libav/libpostproc_git.bb
gstreamer
alsa-plugins

From:
$ grep -r libav meta/recipes* | grep DEPENDS | grep -v libavahi
meta/recipes-multimedia/libav/libpostproc_git.bb:DEPENDS = "libav"

$ grep -r libav meta/ | grep PACKAGECONFIG | grep libav
meta/recipes-multimedia/gstreamer/gstreamer1.0-libav.inc:\
PACKAGECONFIG[libav] = "--with-system-libav,,libav"
meta/recipes-multimedia/alsa/alsa-plugins_1.0.29.bb:\
PACKAGECONFIG[avcodec] = "--enable-avcodec,--disable-avcodec,libav"

I think the upgrade should be okay but please do test it.

../Randy
> > Signed-off-by: Kai Kang <kai.kang@windriver.com> > --- > meta/recipes-multimedia/libav/libav.inc | 2 - > .../libav/libav/libav-fix-CVE-2014-9676.patch | 98 ++++++++++++++++++++++ > meta/recipes-multimedia/libav/libav_9.16.bb | 4 - > meta/recipes-multimedia/libav/libav_9.18.bb | 6 ++ > 4 files changed, 104 insertions(+), 6 deletions(-) > create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch > delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb > create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb > > diff --git a/meta/recipes-multimedia/libav/libav.inc b/meta/recipes-multimedia/libav/libav.inc > index cac836f..6ef273b 100644 > --- a/meta/recipes-multimedia/libav/libav.inc > +++ b/meta/recipes-multimedia/libav/libav.inc > @@ -24,8 +24,6 @@ ARM_INSTRUCTION_SET = "arm" > > DEPENDS = "alsa-lib zlib libogg yasm-native" > > -INC_PR = "r8" > - > inherit autotools pkgconfig > > B = "${S}/build.${HOST_SYS}.${TARGET_SYS}" > diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch > new file mode 100644 > index 0000000..1e31caa > --- /dev/null > +++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch 
> @@ -0,0 +1,98 @@ > +Upstream-Status: Backport > + > +Backport patch to fix CVE-2014-9676. > + > +https://security-tracker.debian.org/tracker/CVE-2014-9676 > +https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348 > + > +Signed-off-by: Kai Kang <kai.kang@windriver.com> > +--- > +From b3f04657368a32a9903406395f865e230b1de348 Mon Sep 17 00:00:00 2001 > +From: Luca Barbato <lu_zero@gentoo.org> > +Date: Mon, 5 Jan 2015 10:40:41 +0100 > +Subject: [PATCH] segment: Fix the failure paths > + > +A failure in segment_end() or segment_start() would lead to freeing > +a dangling pointer and in general further calls to seg_write_packet() > +or to seg_write_trailer() would have the same faulty behaviour. > + > +CC: libav-stable@libav.org > +Reported-By: luodalongde@gmail.com > +--- > + libavformat/segment.c | 32 ++++++++++++++++++++------------ > + 1 file changed, 20 insertions(+), 12 deletions(-) > + > +diff --git a/libavformat/segment.c b/libavformat/segment.c > +index 52da6b9..bcfd1f9 100644 > +--- a/libavformat/segment.c > ++++ b/libavformat/segment.c > +@@ -184,6 +184,13 @@ static void close_null_ctx(AVIOContext *pb) > + av_free(pb); > + } > + > ++static void seg_free_context(SegmentContext *seg) > ++{ > ++ avio_closep(&seg->pb); > ++ avformat_free_context(seg->avf); > ++ seg->avf = NULL; > ++} > ++ > + static int seg_write_header(AVFormatContext *s) > + { > + SegmentContext *seg = s->priv_data; > +@@ -265,12 +272,9 @@ static int seg_write_header(AVFormatContext *s) > + } > + > + fail: > +- if (ret) { > +- if (seg->list) > +- avio_close(seg->pb); > +- if (seg->avf) > +- avformat_free_context(seg->avf); > +- } > ++ if (ret < 0) > ++ seg_free_context(seg); > ++ > + return ret; > + } > + > +@@ -282,6 +286,9 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) > + int64_t end_pts = seg->recording_time * seg->number; > + int ret, can_split = 1; > + > ++ if (!oc) > ++ return AVERROR(EINVAL); > ++ > + if (seg->has_video) { > + 
can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && > + pkt->flags & AV_PKT_FLAG_KEY; > +@@ -322,11 +329,8 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) > + ret = ff_write_chained(oc, pkt->stream_index, pkt, s); > + > + fail: > +- if (ret < 0) { > +- if (seg->list) > +- avio_close(seg->pb); > +- avformat_free_context(oc); > +- } > ++ if (ret < 0) > ++ seg_free_context(seg); > + > + return ret; > + } > +@@ -335,7 +339,11 @@ static int seg_write_trailer(struct AVFormatContext *s) > + { > + SegmentContext *seg = s->priv_data; > + AVFormatContext *oc = seg->avf; > +- int ret; > ++ int ret = 0; > ++ > ++ if (!oc) > ++ goto fail; > ++ > + if (!seg->write_header_trailer) { > + if ((ret = segment_end(oc, 0)) < 0) > + goto fail; > +-- > +2.4.1.314.g9532ead > + > diff --git a/meta/recipes-multimedia/libav/libav_9.16.bb b/meta/recipes-multimedia/libav/libav_9.16.bb > deleted file mode 100644 > index 79ff3f8..0000000 > --- a/meta/recipes-multimedia/libav/libav_9.16.bb > +++ /dev/null > @@ -1,4 +0,0 @@ > -require libav.inc > - > -SRC_URI[md5sum] = "7b44b75cec24b8e7545e5029e76917e0" > -SRC_URI[sha256sum] = "ca846473b0b8ed8e3404c52e5e92df6d35cb5fa487eec498525de3ffda4367a0" > diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb > new file mode 100644 > index 0000000..210a649 > --- /dev/null > +++ b/meta/recipes-multimedia/libav/libav_9.18.bb > @@ -0,0 +1,6 @@ > +require libav.inc > + > +SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0" > +SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7" > + > +SRC_URI += "file://libav-fix-CVE-2014-9676.patch" > -- # Randy MacLeod. SMTS, Linux, Wind River Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, Canada, K2K 2W5 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] libav: upgrade to 9.18
From: Kang Kai @ 2015-05-27 1:59 UTC
To: Randy MacLeod, openembedded-core

On 2015-05-27 09:24, Randy MacLeod wrote:
> On 2015-05-26 03:14 AM, Kai Kang wrote:
>> Upgrade libav from version 9.16 to 9.18. Remove unused var INC_PR and
>> backport patch to fix CVE-2014-9676.
>
> We can keep that version if people want it but it's almost pretty old.
>
> Version 11.3 is the latest branch.
> Libav 11.3
> https://libav.org/releases/libav-11.3.release
>
> Oh and on the 11 branch, the CVE fix is in commit:
>
> libav.git $ git branch --contains f6c82b34
> * release/11
>
> found by looking at your commit b3f0465, then finding a new
> function seg_free_context and then:
> $ git blame libavformat/segment.c | grep seg_free_context
>
>
> There are some packages that depend on libav:
> libav/libpostproc_git.bb
> gstreamer
> alsa-plugins
>
> From:
> $ grep -r libav meta/recipes* | grep DEPENDS | grep -v libavahi
> meta/recipes-multimedia/libav/libpostproc_git.bb:DEPENDS = "libav"
>
>
> $ grep -r libav meta/ | grep PACKAGECONFIG | grep libav
> meta/recipes-multimedia/gstreamer/gstreamer1.0-libav.inc:\
> PACKAGECONFIG[libav] = "--with-system-libav,,libav"
> meta/recipes-multimedia/alsa/alsa-plugins_1.0.29.bb:\
> PACKAGECONFIG[avcodec] = "--enable-avcodec,--disable-avcodec,libav"
>
>
> I think the upgrade should be okay but please do test it.

I'll add recipe for serial 11. If the old version recipe is kept, I suppose it is necessary to update it to the latest version for serial 9.

--Kai

>
> ../Randy
> >> >> Signed-off-by: Kai Kang <kai.kang@windriver.com> >> --- >> meta/recipes-multimedia/libav/libav.inc | 2 - >> .../libav/libav/libav-fix-CVE-2014-9676.patch | 98 >> ++++++++++++++++++++++ >> meta/recipes-multimedia/libav/libav_9.16.bb | 4 - >> meta/recipes-multimedia/libav/libav_9.18.bb | 6 ++ >> 4 files changed, 104 insertions(+), 6 deletions(-) >> create mode 100644 >> meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch >> delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb >> create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb >> >> diff --git a/meta/recipes-multimedia/libav/libav.inc >> b/meta/recipes-multimedia/libav/libav.inc >> index cac836f..6ef273b 100644 >> --- a/meta/recipes-multimedia/libav/libav.inc >> +++ b/meta/recipes-multimedia/libav/libav.inc >> @@ -24,8 +24,6 @@ ARM_INSTRUCTION_SET = "arm" >> >> DEPENDS = "alsa-lib zlib libogg yasm-native" >> >> -INC_PR = "r8" >> - >> inherit autotools pkgconfig >> >> B = "${S}/build.${HOST_SYS}.${TARGET_SYS}" >> diff --git >> a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch >> b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch >> new file mode 100644 >> index 0000000..1e31caa >> --- /dev/null >> +++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch 
>> @@ -0,0 +1,98 @@ >> +Upstream-Status: Backport >> + >> +Backport patch to fix CVE-2014-9676. >> + >> +https://security-tracker.debian.org/tracker/CVE-2014-9676 >> +https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348 >> >> + >> +Signed-off-by: Kai Kang <kai.kang@windriver.com> >> +--- >> +From b3f04657368a32a9903406395f865e230b1de348 Mon Sep 17 00:00:00 2001 >> +From: Luca Barbato <lu_zero@gentoo.org> >> +Date: Mon, 5 Jan 2015 10:40:41 +0100 >> +Subject: [PATCH] segment: Fix the failure paths >> + >> +A failure in segment_end() or segment_start() would lead to freeing >> +a dangling pointer and in general further calls to seg_write_packet() >> +or to seg_write_trailer() would have the same faulty behaviour. >> + >> +CC: libav-stable@libav.org >> +Reported-By: luodalongde@gmail.com >> +--- >> + libavformat/segment.c | 32 ++++++++++++++++++++------------ >> + 1 file changed, 20 insertions(+), 12 deletions(-) >> + >> +diff --git a/libavformat/segment.c b/libavformat/segment.c >> +index 52da6b9..bcfd1f9 100644 >> +--- a/libavformat/segment.c >> ++++ b/libavformat/segment.c >> +@@ -184,6 +184,13 @@ static void close_null_ctx(AVIOContext *pb) >> + av_free(pb); >> + } >> + >> ++static void seg_free_context(SegmentContext *seg) >> ++{ >> ++ avio_closep(&seg->pb); >> ++ avformat_free_context(seg->avf); >> ++ seg->avf = NULL; >> ++} >> ++ >> + static int seg_write_header(AVFormatContext *s) >> + { >> + SegmentContext *seg = s->priv_data; >> +@@ -265,12 +272,9 @@ static int seg_write_header(AVFormatContext *s) >> + } >> + >> + fail: >> +- if (ret) { >> +- if (seg->list) >> +- avio_close(seg->pb); >> +- if (seg->avf) >> +- avformat_free_context(seg->avf); >> +- } >> ++ if (ret < 0) >> ++ seg_free_context(seg); >> ++ >> + return ret; >> + } >> + >> +@@ -282,6 +286,9 @@ static int seg_write_packet(AVFormatContext *s, >> AVPacket *pkt) >> + int64_t end_pts = seg->recording_time * seg->number; >> + int ret, can_split = 1; >> + >> ++ if (!oc) >> 
++ return AVERROR(EINVAL); >> ++ >> + if (seg->has_video) { >> + can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && >> + pkt->flags & AV_PKT_FLAG_KEY; >> +@@ -322,11 +329,8 @@ static int seg_write_packet(AVFormatContext *s, >> AVPacket *pkt) >> + ret = ff_write_chained(oc, pkt->stream_index, pkt, s); >> + >> + fail: >> +- if (ret < 0) { >> +- if (seg->list) >> +- avio_close(seg->pb); >> +- avformat_free_context(oc); >> +- } >> ++ if (ret < 0) >> ++ seg_free_context(seg); >> + >> + return ret; >> + } >> +@@ -335,7 +339,11 @@ static int seg_write_trailer(struct >> AVFormatContext *s) >> + { >> + SegmentContext *seg = s->priv_data; >> + AVFormatContext *oc = seg->avf; >> +- int ret; >> ++ int ret = 0; >> ++ >> ++ if (!oc) >> ++ goto fail; >> ++ >> + if (!seg->write_header_trailer) { >> + if ((ret = segment_end(oc, 0)) < 0) >> + goto fail; >> +-- >> +2.4.1.314.g9532ead >> + >> diff --git a/meta/recipes-multimedia/libav/libav_9.16.bb >> b/meta/recipes-multimedia/libav/libav_9.16.bb >> deleted file mode 100644 >> index 79ff3f8..0000000 >> --- a/meta/recipes-multimedia/libav/libav_9.16.bb >> +++ /dev/null >> @@ -1,4 +0,0 @@ >> -require libav.inc >> - >> -SRC_URI[md5sum] = "7b44b75cec24b8e7545e5029e76917e0" >> -SRC_URI[sha256sum] = >> "ca846473b0b8ed8e3404c52e5e92df6d35cb5fa487eec498525de3ffda4367a0" >> diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb >> b/meta/recipes-multimedia/libav/libav_9.18.bb >> new file mode 100644 >> index 0000000..210a649 >> --- /dev/null >> +++ b/meta/recipes-multimedia/libav/libav_9.18.bb >> @@ -0,0 +1,6 @@ >> +require libav.inc >> + >> +SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0" >> +SRC_URI[sha256sum] = >> "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7" >> + >> +SRC_URI += "file://libav-fix-CVE-2014-9676.patch" >> > > -- Regards, Neil | Kai Kang ^ permalink raw reply [flat|nested] 5+ messages in thread