Add 0003-test-asclen-CVE-2018-19540.patch:
If txtdesc->asclen is < 1, the array index of
txtdesc->ascdata will be negative which causes the heap based overflow.
Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/198
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add 0002-check-null-in-jp2_decode.patch:
Patch was proposed upstream[1] but upstream is very inactive.
Linux distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/200
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add 0001-verify-data-range-CVE-2018-19541.patch:
We need to verify the data is in the expected range. Otherwise we get
problems later.
Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/211
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On Github, a large number of projects name their tag
<some-prefix>-0.3-<some-suffix> (i.e release-3.0, poco-0.1-release,
etc.). In fact majority of the cased adressed in this commit concerns
prefixes.
In most packages, we encode those prefix/suffix in the <pkg>_VERSION
variable.
The problem with this approach is that when used in conjunction with
release-monitoring.org, it doesn't work very well, because
release-monitoring.org has the concept of "version prefix/suffix" and
using that they drop the prefix/suffix to really get the version. For
example on https://release-monitoring.org/project/5418/ the latest
release of "poco" is "1.8.1", not "poco-1.8.1-release".
Therefore, a number of packages in Buildroot have a version that
doesn't match with release-monitoring.org.
Since really the version number of 1.8.1, is makes sense to update our
packages to drop these prefixes/suffixes.
This commit addreses the case of github-fetched packages with
non-conventional prefixes/suffixes.
Note that these changes modify the name of the files stored in DL_DIR,
which means that this will force a re-download of those package source
code for all users, and requires a change to their .hash file.
Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Changed _SITE to github, current version is not available from upstream
website.
Removed patches applied upstream:
0002-Fixed-bugs-due-to-uninitialized-data-in-the-JP2-deco.patch
e96fc4fdd5
0003-Added-a-check-in-the-JP2-encoder-to-ensure-that-the-.patch
58ba0365d9
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Use upstream provided tarball.
Upstream switched to cmake.
libjpeg dependency is now optional.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
My local 'next' branch was not uptodate, so the previous merge was missing
the most recent changes.
Thanks to François Perrad for noticing.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 71d9b0c1f0.
Now that -mauto-litpools is in TARGET_ABI when building for xtensa, -O0
builds succeed, so this workaround is no longer needed.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixed CVEs:
- CVE-2016-9387
- CVE-2016-9388
- CVE-2016-9389
- CVE-2016-9390
- CVE-2016-9391
- CVE-2016-9392
- CVE-2016-9393
- CVE-2016-9394
- CVE-2016-9395
- CVE-2016-9396
- CVE-2016-9397
- CVE-2016-9398
- CVE-2016-9399
- CVE-2016-9557
- CVE-2016-9560
Changes to jasper.mk:
- Switched site method to GitHub. 1.900.31 is not released as a tarball
in the official website.
- Autoreconf necessary since there isn't any configure script. We need
to generate it.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-8693: Double free vulnerability in mem_close
CVE-2016-8692: Divide by zero in jpc_dec_process_siz
CVE-2016-8691: Divide by zero in jpc_dec_process_siz
CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted
BMP image
CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
CVE-2016-8886: memory allocation failure in jas_malloc
CVE-2016-8887: Null pointer dereference in jp2_colr_destroy
CVE-2016-8884, CVE-2016-8885: Null pointer dereference in bmp_getdata
(incomplete fix for CVE-2016-8690)
CVE-2016-8880: Heap buffer overflow in jpc_dec_cp_setfromcox()
CVE-2016-8881: Heap buffer overflow in jpc_getuint16()
CVE-2016-8882: Null pointer access in jpc_pi_destroy
CVE-2016-8883: Assert in jpc_dec_tiledecode()
Drop upstream patches.
Change SITE to the official download location, since the current one does not
have the updated version. Unfortunately, the official site only offers tar.gz.
Fix license. It is "based on the MIT license", but not exactly the same
(http://www.ece.uvic.ca/~frodo/jasper/; under "Legal Issues").
Drop autoreconf; the autotools version has been updated since commit
324ccec90d (jasper: autoreconf to fix rpath issue) that introduced it.
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This drops architecture-specific ABI flags, which may be important.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
