Fixes the following security vulnerablities:
- CVE-2018-1000222: Libgd version 2.2.5 contains a Double Free Vulnerability
vulnerability in gdImageBmpPtr Function that can result in Remote Code
Execution . This attack appear to be exploitable via Specially Crafted
Jpeg Image can trigger double free
- CVE-2018-5711: gd_gif_in.c in the GD Graphics Library (aka libgd), as used
in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
before 7.2.1, has an integer signedness error that leads to an infinite
loop via a crafted GIF file, as demonstrated by a call to the
imagecreatefromgif or imagecreatefromstring PHP function
- CVE-2019-11038: When using the gdImageCreateFromXbm() function in the GD
Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP
versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it
is possible to supply data that will cause the function to use the value
of uninitialized variable. This may lead to disclosing contents of the
stack that has been left there by previous code
- CVE-2019-6978: The GD Graphics Library (aka LibGD) 2.2.5 has a double free
in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This requires to remove a lot of broken code until it's fixed in upstream.
Added 2 patches from upcoming release.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The hash for the tarball is not present in
http://gnuradio.org/releases/gnuradio/sha256sums so we provide a self-
computed hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LICENSE was renamed to LICENSE.rst with little rephrasing.
In addition, statements about the documentation licensing were
moved from LICENSE to docs/license.rst so this file was added
to _LICENSE_FILES (plus hash).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since version 3.0.0, secretstorage doesn't support Python 2 anymore.
Update its reverese dependency (python-keyring) as well.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Asgiref doesn't support Python 2 since version 2.0.0.
All the recursive reverse dependencies already support Python 3 only.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since version 6.0.0, the package supports only Python 3, and will
lead to syntax errors when in use with Python 2.
In addition, the dependency of python-six is no longer needed.
The reursive reverse dependencies were updated accordingly.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
CVE-2019-11756: Remove refcounting from sftk_FreeSession
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License isn't shipped with the tarball so we take
PKG-INFO as license file.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License is provided with the tarball, so there's no need to
use PKG-INFO.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
python-docker-pycreds is no longer needed as a dependency.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On uClibc-ng sysconf(_SC_LEVEL1_{I,D}CACHE_LINESIZE) returns -1, which
is a valid result, meaning that the limit is indeterminate. Add a patch
that handles this situation using fallback values instead of crashing
due to an assertion failure.
Upstream status:
https://lists.nongnu.org/archive/html/qemu-devel/2019-10/msg04115.html
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Without this patch, the system build using qemu_or1k_defconfig
(gcc 9.2, binutils 2.32 and uClibc 1.0.32) doesn't boot.
https://mailman.uclibc-ng.org/pipermail/devel/2019-August/001895.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Without this patch, the system build using qemu_or1k_defconfig
(gcc 9.2, binutils 2.33.1 and uClibc 1.0.32) doesn't boot.
https://mailman.uclibc-ng.org/pipermail/devel/2019-August/001895.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also add hashes for license files
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This release fixes CVE-2019-9740, CVE-2019-9948, CVE-2019-15903.
Adjust 0002-Fix-get_python_inc-for-cross-compilation.patch for 2.7.17.
Remove the following patches (now on upstream):
* 0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
* 0036-bpo-36216-Add-check-for-characters-in-netloc-that-no.patch
* 0037-3.7-bpo-36216-Only-print-test-messages-when-verbose-.patch
* 0038-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
* 0039-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
* 0040-2.7-bpo-36742-Fix-urlparse.urlsplit-error-message-fo.patch
* 0041-bpo-30458-Disallow-control-chars-in-http-URLs-GH-127.patch
Full release details at:
https://github.com/python/cpython/blob/v2.7.17/Misc/NEWS.d/2.7.17rc1.rst
run-tests results:
10:30:20 TestPython2 Starting
10:30:21 TestPython2 Building
10:37:37 TestPython2 Building done
10:37:47 TestPython2 Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 448.616s
OK
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Removed patch applied upstream:
1fa0931286
Drop CUPS_FILTERS_MAKE_LN_SRF_EXECUTABLE which is no longer needed now
that the ln-srf script is part of the tarball and not added through a
patch.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
