Yes, it is not clear. What it means is that the patch was applied to 4.0.8 code, but not, I think, 4.0.8 code as seen on openembedded-core before 4.0.8 was obsolete. It still applies for 4.0.9.
Joe

-----Original Message-----
From: akuster808 [mailto:akuster...@gmail.com]
Sent: Tuesday, July 10, 2018 4:48 PM
To: Slater, Joseph; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [oe-core][PATCH 1/1] tiff: security fix CVE-2018-10963

On 07/10/2018 04:03 PM, Joe Slater wrote:
> Denial of service described at > https://nvd.nist.gov/vuln/detail/CVE-2018-10963. > > Signed-off-by: Joe Slater <joe.sla...@windriver.com> > --- > .../libtiff/files/CVE-2018-10963.patch | 41 > ++++++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 1 + > 2 files changed, 42 insertions(+) > create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch > > diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch > b/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch > new file mode 100644 > index 0000000..13a1eb5 > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch 
> @@ -0,0 +1,41 @@ > +From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001 > +From: Even Rouault <even.roua...@spatialys.com> > +Date: Sat, 12 May 2018 14:24:15 +0200 > +Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes > + http://bugzilla.maptools.org/show_bug.cgi?id=2795. > + CVE-2018-10963 > + > +--- > +CVE: CVE-2018-10963 > + > +Same patch as applied to 4.0.8. I don't know what that means. The fix is in 4.0.8 or this patch applies cleanly to 4.0.8 or affects < 4.0.8. - armin > + > +Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/de144f...] > + > +Signed-off-by: Joe Slater <joe.sla...@windriver.com> > + > +--- > + libtiff/tif_dirwrite.c | 7 +++++-- > + 1 file changed, 5 insertions(+), 2 deletions(-) > + > +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c > +index 2430de6..c15a28d 100644 > +--- a/libtiff/tif_dirwrite.c > ++++ b/libtiff/tif_dirwrite.c > +@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int > imagedone, uint64* pdiroff) > + } > + break; > + default: > +- assert(0); /* > we should never get here */ > +- break; > ++ > TIFFErrorExt(tif->tif_clientdata,module, > ++ > "Cannot write tag %d (%s)", > ++ > TIFFFieldTag(o), > ++ > o->field_name ? o->field_name : "unknown"); > ++ goto bad; > + } > + } > + } > +-- > +1.7.9.5 > + > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb > b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb > index 8c3bba5..e8e2a11 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb 
> @@ -9,6 +9,7 @@ SRC_URI = > "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > file://CVE-2017-9935.patch \ > file://CVE-2017-18013.patch \ > file://CVE-2018-5784.patch \ > + file://CVE-2018-10963.patch \ > " > > SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
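Review bot: In the header of the new CVE-2018-10963.patch, the sentence "Same patch as applied to 4.0.8." can be read as the fix already being present in 4.0.8, as the patch applying cleanly to 4.0.8, or as versions before 4.0.8 being affected; replace it with a plain statement that this is upstream commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9 backported for the 4.0.9 recipe. The CVE:, Upstream-Status: and Signed-off-by: tags also sit below a "---" line in that header, so an import with git am would cut them from the commit message; placing them above the separator keeps them with the patch description.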