Commit Graph

11 Commits

Author SHA1 Message Date
Gyorgy Sarvari 7f49deaf7e libraw: mark CVE-2026-20911 and CVE-2026-21413 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-20911
https://nvd.nist.gov/vuln/detail/CVE-2026-21413

Both CVEs are tracked with incorrect version info: NVD indicates that
0.22.1 is explicitly vulnerable, but the fixes are actually included
in this release.

Relevant commits:
CVE-2026-20911: https://github.com/LibRaw/LibRaw/commit/5357bb5fc67ac616838fb84de67260d45987489b
CVE-2026-21413: https://github.com/LibRaw/LibRaw/commit/75ed2c12a35b765b3b6ad695cc1f044f19efe644

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-20 07:35:35 -07:00
Gyorgy Sarvari 7355320e12 libraw: mark fixed CVEs patched
These CVEs have been fixed already in the current version, however
NVD tracks them with incorrect version information.

Commits that fix them:
CVE-2026-20884: https://github.com/LibRaw/LibRaw/commit/aa4458eb511daeae90676c1ce5c587106e4aaec1
CVE-2026-24450: https://github.com/LibRaw/LibRaw/commit/c911c9b9edffa5fab99f828d0fee6dd2d0f6105f

These commits were identified from the changelog of this version[1], which mentions the
Talos ID of the vulnerabilities (and the Talos ID is mentioned in the NVD reports[2][3]).

[1]: https://github.com/LibRaw/LibRaw/releases/tag/0.22.1
[2]: https://nvd.nist.gov/vuln/detail/CVE-2026-24450
[3]: https://nvd.nist.gov/vuln/detail/CVE-2026-20884

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-13 15:28:24 -07:00
Gyorgy Sarvari 357f65dd13 libraw: upgrade 0.21.4 -> 0.22.1
Contains fixes for CVE-2026-5318[1] and CVE-2026-5318[2] (both are tracked without
a version by NVD, so they are explicitly marked as patched)

License-update: copyright year bump

Changelog: https://github.com/LibRaw/LibRaw/blob/0.22-stable/Changelog.txt

[1]: https://github.com/LibRaw/LibRaw/commit/5357bb5fc67ac616838fb84de67260d45987489b
[2]: https://github.com/LibRaw/LibRaw/commit/2468614a9cbcab6b75ca279ab60cac62156f7aeb

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-06 09:46:30 -07:00
Gyorgy Sarvari 6cdb2e09d0 libraw: upgrade 0.21.2 -> 0.21.4
This upgrade contains fixes for the following vulnerabilities:
CVE-2025-43961, CVE-2025-43962, CVE-2025-43963 and CVE-2025-43964

Also drop two old CVE_STATUS entries which are not needed anymore,
because the database has been updated with correct info.

Changelog:
https://github.com/LibRaw/LibRaw/blob/master/Changelog.txt

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-08 18:46:01 -07:00
Alexander Kanavin fc78d37ff0 meta-openembedded/all: adapt to UNPACKDIR changes
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.

I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-06-25 06:44:52 -07:00
Ninette Adhikari 0d244743de libraw: CVE status update for CVE-2020-22628 and CVE-2023-1729
The current version (0.21.2) is not affected by the CVE which affects versions earlier than 0.21.2.

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-28 11:22:03 -07:00
Wang Mingyu 204e694ac2 libraw: upgrade 0.21.1 -> 0.21.2
Changelog
========
* New compile-defined limit LIBRAW_MAX_PROFILE_SIZE_MB:
  limits allocation/read size for embedded color profile (default: 256Mb)
* Embedded color profile allocation/read size: limited by input file size.
* Multiple fixes (mostly inspired by oss-fuzz) to improve library stability and/or input checks.
* raw-identify: use fallback if PATH_MAX not available
* Disabled color conversion for Canon 16-bit thumbnails
* docs/changelog: explained the case when no thumbnail is found in specific file
* swapXX renamed to libraw_swapXX to avoid name conflict
* better striped thumbnails handling

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-08 19:54:42 -08:00
Khem Raj a651f50385 libraw: upgrade 0.20.2 -> 0.21.1
License-Update: Copyright years changed

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-06 08:47:08 -08:00
Khem Raj 14c7d8a0d7 recipes: Update LICENSE variable to use SPDX license identifiers
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-04 17:41:45 -08:00
Richard Purdie b402a3076f recipes: Update SRC_URI branch and protocols
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-11-03 06:57:49 -07:00
Khem Raj ea0af875ca libraw: Move from meta-qt5-extra to meta-oe
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andreas Müller <schnitzeltony@gmail.com>
2021-05-17 09:00:36 -07:00