| Age | Commit message (Collapse) | Author |
|---|
|
Backport fix from gitlab.com/libtiff/libtiff.
nvd.nist.gov does not yet reference this patch.
(From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Fixes
WARNING: x264-r2854+gitAUTOINC+e9a5903edf-r0 do_package_qa: QA Issue: ELF binary '/mnt/a/yoe/build/tmp/work/i586-yoe-linux-musl/x264/r2854+gitAUTOINC+e9a5903edf-r0/packages-split/x264/usr/lib/libx264.so.152'
has relocations in .text [textrel]
WARNING: x264-r2854+gitAUTOINC+e9a5903edf-r0 do_package_qa: QA Issue: ELF binary '/mnt/a/yoe/build/tmp/work/i586-yoe-linux-musl/x264/r2854+gitAUTOINC+e9a5903edf-r0/packages-split/x264-bin/usr/bin/x264'
has relocations in .text [textrel]
(From OE-Core rev: ea1204c6d9a02f0e38cf616e89d46530908972bb)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28.
Fixed in https://github.com/erikd/libsndfile/issues/397
(From OE-Core rev: 6b5a9078a7c5035590ee4dc2e23582da94d4a104)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
* CVE-2018-13785
In libpng 1.6.34, a wrong calculation of row_factor in the
png_check_chunk_length function (pngrutil.c) may trigger an
integer overflow and resultant divide-by-zero while processing
a crafted PNG file, leading to a denial of service.
(cherry picked from 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2)
Affects libpng <= 1.6.34
CVE: CVE-2018-13785
Ref: https://access.redhat.com/security/cve/cve-2018-13785
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
(From OE-Core rev: e2bec1f7e05ec014bd887440521da7e1a13555be)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code.
While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
CVE-2017-14634
Closes: #318
Affects libsndfile1 = 1.0.28
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
sfe_copy_data_fp: check value of "max" variable for being normal
and check elements of the data[] array for being finite.
Both checks use functions provided by the <math.h> header as declared
by the C99 standard.
Fixes #317
CVE-2017-14245
CVE-2017-14246
Affects libsndfile1 = 1.0.28
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
stream_decoder.c: Fix a memory leak
Leak reported by Secunia Research.
Affects flac = 1.3.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Cleans up the packaging by moving libasound.so.2 back into the alsa-lib
package which was previously empty.
Previously, it was difficult to create an image that had libasound.so.2,
then create an SDK from that image that had the proper development
files, because the only way to get libasound.so.2 was to do:
IMAGE_INSTALL += "libasound"
This however caused a problem because all of the development files that
would be desired in the SDK were located in alsa-lib-dev, which wouldn't
be included because alsa-lib wasn't included, and it was impossible to
include alsa-lib because it was an empty package that was culled.
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30352f3d84344bff8c06625f9674947417f6e8e1)
Change-Id: I2fb065b7e00569ba3a6aac631ac863999455bfb2
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Sanity check number of channels in setup.
Fixes #2335.
Link: https://gitlab.xiph.org/xiph/vorbis/issues/2335
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
CVE-2017-14160: fix bounds check on very low sample rates.
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
NULL pointer use as described at nvd.nist.gov/vuln/detail/CVE-2018-7456.
(From OE-Core rev: 122da5cec495fc8ddfd880327e7c3ed0dc70e04f)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Buffer overflow described at nvd.nits.gov/vuln/detail/CVE-2018-8905.
(From OE-Core rev: 3f6f2a0619b4e243e6a9e52cee2cdd625ebf6769)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Denial of service described at https://nvd.nist.gov/vuln/detail/CVE-2018-10963.
(From OE-Core rev: d19a9b41d3b2dcba3b102a8289b7787b4b131e96)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The patent on mp3 format due to expire, so remove LICENSE_FLAGS from
lame recipe.
Ref:
https://bugzilla.gnome.org/show_bug.cgi?id=774252
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit ef98095cabeb54bd86c2cb78229a1180c7403d4d)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
mgp123 is patent free from version 1.25.0, so remove LICENSE_FLAGS.
https://mpg123.de/cgi-bin/news.cgi#2017-05-29
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit b0bc82a5f238db82425b3b146e269bc6605cbdce)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
If alsa-utils configure is not passed a --with-udev-rules-dir option then
it defaults to using /lib/udev/rules.d. This meant that the hard-coded use
of ${D}/lib in do_install in 262e69c9c7acf0beb7bb6b96299e3c993c906434
worked correctly to remove the unwanted rules.
Subsequently, 0a4372705a030ca54ed420cdfec33d46ab93499c changed do_install
to use ${nonarch_base_libdir}, claiming to fix this in the usrmerge case.
This means that if udev is not present in PACKAGECONFIG and usrmerge is
present in DISTRO_FEATURES then the alsa-utils build system will install
the rules in ${D}/lib/udev/rules.d but do_install will attempt to remove
${D}/usr/lib, resulting in something like:
rmdir: failed to remove '.../tmp-glibc/work/i586-oe-linux/alsa-utils/1.1.5-r0/image/usr/lib': No such file or directory
To fix this, let's just tell configure to install the rules in a specific
known location when udev is disabled. This location can then easily be
cleaned up in do_install without doing any harm if udev is enabled.
Tested both with and without usrmerge in DISTRO_FEATURES and with and
without udev in PACKAGECONFIG.
(From OE-Core rev: 022b644e6ba2caa0b32ce3323621c07f78166234)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Cc: Phil Blundell <pb@pbcl.net>
Cc: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
It is not using autoconf completely, therefore there
is no autoreconf happening, so when we depend on latest
gnu-config changes e.g. new architectures like riscv
the build does not see them and fails.
Installing these files from native sysroot helps
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Prevent out-of-bounds write in codebook decoding. The bug could allow
code execution from a specially crafted Ogg Vorbis file.
References:
https://www.debian.org/security/2018/dsa-4140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in
info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
exists in the function mapping0_forward() in mapping0.c, which may lead
to DoS when operating on a crafted audio file with vorbis_analysis().
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix CVE-2017-99935, CVE-2017-18013, CVE-2018-5784
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9935
https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
Patches from:
CVE-2017-9935:
https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
CVE-2017-18013:
https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
CVE-2018-5784:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Sourceforge for some reason claims an older version is 'the latest'.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Header file conflict between 32-bit and 64-bit versions.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
License-Update: License file changes are due to updates in Version and Copyright date
Signed-off-by: youngseok <earwigz32@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
libcheck dep was removed from gst-rtsp-server some time back [1].
Disable building of examples and tests and remove dep on libcgroup which
was needed, if present, to build only one specific example.
[1] https://cgit.freedesktop.org/gstreamer/gst-rtsp-server/commit?id=43ec4e7c786227b85aec06599c3955626e241a01
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
gst-validate follows GStreamer versioning. Inherit class to make
sure development releases aren't marked as latest.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The CVE database stores all GStreamer issues under the catch-all product
'gstreamer', which none of our recipes match. Set CVE_PRODUCT to 'gstreamer' in
the core library: this isn't ideal but is far better than not scanning for any.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Change dependency from yasm to nasm following this change:
commit d2b5f4873e2147452a723b61b14f030b2ee760a5
Author: Henrik Gramner <henrik@gramner.com>
Date: Sat Mar 18 18:50:36 2017 +0100
x86: Change assembler from yasm to nasm
Refreshed the following patch:
don-t-default-to-cortex-a9-with-neon.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch looks like it will be merged upstream.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
memfd_create is now available in glibc
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Gstreamer would attempt to launch gst-plugin-scanner binary installed on the host
if the target binary was failing (and it does, intentionally, fail in our case). Most
of the time the host binary is absent, and so this has no effect, but sometimes
it's present, and so the whole thing (running under qemu) fails.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1.Upgrade tiff from 4.0.8 to 4.0.9.
2.Delete CVE-2017-10688.patch, CVE-2017-11335.patch, CVE-2017-13726.patch, CVE-2017-13727.patch, CVE-2017-9147.patch, CVE-2017-9936.patch, since it is integrated upstream.
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
As suggested by updated AUH
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The order was wrong: GST_PLUGIN_SCANNER_1_0 was previously set before
GTKDOC_EXTRA_ENVIRONMENT and so was overriden by upstream setting it
from there. This changes the location of GST_PLUGIN_SCANNER_1_0 setting
to come after GTKDOC_EXTRA_ENVIRONMENT.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
seds can get stale without warning and repeated application can cause problems,
so move the gtk-doc seds into a patch.
(From OE-Core rev: a704411ab0f1e5f8cbf57ff54b36d60ccaf0d223)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
pulse is added as a system user, so the group 'pulse' is
meant to be a system group as well, which is the same with
other distros like ubuntu/centos.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When the gtk-doc API documentation is enabled (via the api-documentation DISTRO_FEATURE, typically) this recipe fails to build:
WORKDIR/build/docs/validate/gst-validate-scan: line 117:
WORKDIR/build/docs/validate/.libs/lt-gst-validate-scan:
No such file or directory
Forcibly disable the gtk-doc for now.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Switch to using current repository, switch to meson (following
upstream), rename the recipe like upstream.
Add a patch to install the player binaries.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Latest g-i upstream adds target paths to this variable which breaks
qemu in various confusing ways.
Instead, the list of target library paths is exported to GIR_EXTRA_LIBS_PATH,
so that it can be picked up automatically by the qemu wrapper script
and given to qemu (manually setting this variable from various recipes
will be removed in a different patch).
Also, re-enable parts of g-i on mips64, as it is the same issue.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The fourth 1.12 bug-fix release
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The gst-validate is a tool to run integration tests of Gstreamer
components [1].
This tool can be used along with gst-integration-testsuites (scenarios
and media) [2] to test Gstreamer components on the target device.
An example of test using gst-integration-testsuites:
$ gst-validate-launcher --sync # get [2] uses git and git-annex
$ gst-validate-launcher
or
$ gst-validate-launcher -nd # needs xserver-xorg-xvfb to run wo DISPLAY
[1]
https://blogs.gnome.org/tsaunier/2014/04/21/gst-validate-a-suite-of-tools-to-run-integration-tests-for-gstreamer-2/
[2] https://cgit.freedesktop.org/gstreamer/gst-integration-testsuites
Signed-off-by: Aníbal Limón <anibal.limon@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
Joe Slater
Khem Raj
Changqing Li
Sinan Kaya
Jagadeesh Krishnanjanappa
Joshua Watt
Kai Kang
Mike Crowe
Tanu Kaskinen
Yi Zhao
Alexander Kanavin
Zhang Xiao
Ross Burton
youngseok
Anuj Mittal
Maxin B. John
Huang Qiyu
Jackie Huang
Jussi Kukkonen
Aníbal Limón