rtime.felk.cvut.cz Git - coffee/buildroot.git/commit

author	Peter Korsgaard <peter@korsgaard.com>
	Thu, 21 Sep 2017 07:04:16 +0000 (09:04 +0200)
committer	Peter Korsgaard <peter@korsgaard.com>
	Thu, 21 Sep 2017 19:32:23 +0000 (21:32 +0200)
commit	3853675ae03df209253c34d292eb3b9535e3f68c
tree	abd679ba7835b5be6c5f51fd1a4dd2850160c75f	tree \| snapshot
parent	57f4efed7965e573a444544363d0cf74cec13be1	commit \| diff

gdk-pixbuf: security bump to version 2.36.10

Fixes the following security issues:

CVE-2017-2862 - An exploitable heap overflow vulnerability exists in the
gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6.  A
specially crafted jpeg file can cause a heap overflow resulting in remote
code execution.  An attacker can send a file or url to trigger this
vulnerability.

CVE-2017-2870 - An exploitable integer overflow vulnerability exists in the
tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with
Clang.  A specially crafted tiff file can cause a heap-overflow resulting in
remote code execution.  An attacker can send a file or a URL to trigger this
vulnerability.

CVE-2017-6311 - gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows
context-dependent attackers to cause a denial of service (NULL pointer
dereference and application crash) via vectors related to printing an error
message.

The host version now needs the same workaround as we do for the target to
not pull in shared-mime-info.

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/gdk-pixbuf/gdk-pixbuf.hash		diff \| blob \| history
package/gdk-pixbuf/gdk-pixbuf.mk		diff \| blob \| history