From dc7573cd330d1fc2e4bd50c1ba171906e1d5d5c0 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Tue, 22 Aug 2017 08:58:35 +0800
Subject: tiff: Security fixes

Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9147
https://nvd.nist.gov/vuln/detail/CVE-2017-9936
https://nvd.nist.gov/vuln/detail/CVE-2017-10668
https://nvd.nist.gov/vuln/detail/CVE-2017-11335

Patches from:
CVE-2017-9147:
https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
CVE-2017-9936:
https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a
CVE-2017-10688:
https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
CVE-2017-11355:
https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556

(From OE-Core rev: 5c89539edb17d01ffe82a1b2e7d092816003ecf3)

(From OE-Core rev: eaf72d105bed54e332e2e5c0c5c0a0087ecd91dd)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

minor fixes to get to apply

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libtiff/files/CVE-2017-10688.patch             |  88 +++++++++
 .../libtiff/files/CVE-2017-11335.patch             |  54 ++++++
 .../libtiff/files/CVE-2017-9147.patch              | 203 +++++++++++++++++++++
 .../libtiff/files/CVE-2017-9936.patch              |  46 +++++
 meta/recipes-multimedia/libtiff/tiff_4.0.7.bb      |   4 +
 5 files changed, 395 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch

(limited to 'meta/recipes-multimedia')

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
new file mode 100644
index 0000000000..ed9c0f50f9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
@@ -0,0 +1,88 @@
+From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 30 Jun 2017 17:29:44 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: in
+ TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
+ data type, replace assertion that the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
+ OWL337
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
+
+CVE: CVE-2017-10688
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog              |  8 ++++++++
+ libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog
++++ tiff-4.0.7/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-30  Even Rouault <even.rouault at spatialys.com>
++
++	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
++	functions associated with LONG8/SLONG8 data type, replace assertion that
++	the file is BigTIFF, by a non-fatal error.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
++	Reported by team OWL337
++
+ 2017-06-26  Even Rouault <even.rouault at spatialys.com>
+ 
+ 	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
+Index: tiff-4.0.7/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirwrite.c
++++ tiff-4.0.7/libtiff/tif_dirwrite.c
+@@ -2047,7 +2047,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF*
+ {
+ 	uint64 m;
+ 	assert(sizeof(uint64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	m=value;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabLong8(&m);
+@@ -2060,7 +2063,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(T
+ {
+ 	assert(count<0x20000000);
+ 	assert(sizeof(uint64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong8(value,count);
+ 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+@@ -2072,7 +2078,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF*
+ {
+ 	int64 m;
+ 	assert(sizeof(int64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	m=value;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabLong8((uint64*)(&m));
+@@ -2085,7 +2094,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(
+ {
+ 	assert(count<0x20000000);
+ 	assert(sizeof(int64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong8((uint64*)value,count);
+ 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
new file mode 100644
index 0000000000..d08e7612b7
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
@@ -0,0 +1,54 @@
+From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 15 Jul 2017 11:13:46 +0000
+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
+ "Raw" mode on PlanarConfig=Contig input images. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
+
+CVE: CVE-2017-11355
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog        | 7 +++++++
+ tools/tiff2pdf.c | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 42eaeb7..6980da8 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-07-15  Even Rouault <even.rouault at spatialys.com>
++
++	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
++	mode on PlanarConfig=Contig input images.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
++	Reported by team OWL337
++
+ 2017-06-30  Even Rouault <even.rouault at spatialys.com>
+ 
+ 	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index db196e0..cd1e235 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 	    return;
+ 
+ 	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
+-	if(t2p->pdf_nopassthrough==0){
++        /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
++        /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
++        /* do not take into account the number of samples, and thus */
++        /* that can cause heap buffer overflows such as in */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
++	if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
+ #ifdef CCITT_SUPPORT
+ 		if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  
+ 			){
+-- 
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
new file mode 100644
index 0000000000..94f33900a5
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,203 @@
+From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 1 Jun 2017 12:44:04 +0000
+Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
+
+CVE: CVE-2017-9147
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog             |  20 ++++++++++
+ libtiff/tif_dir.h     |   1 +
+ libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_dirread.c |   4 ++
+ 4 files changed, 128 insertions(+)
+
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog
++++ tiff-4.0.7/ChangeLog
+@@ -1,3 +1,23 @@
++2017-06-01  Even Rouault <even.rouault at spatialys.com>
++
++       * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
++       and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
++       codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
++       to behave differently depending on whether the codec is enabled or not, and
++       thus can avoid stack based buffer overflows in a number of TIFF utilities
++       such as tiffsplit, tiffcmp, thumbnail, etc.
++       Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
++       (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
++       Fixes:
++       http://bugzilla.maptools.org/show_bug.cgi?id=2580
++       http://bugzilla.maptools.org/show_bug.cgi?id=2693
++       http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
++       http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
++       http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
++       http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
++       http://bugzilla.maptools.org/show_bug.cgi?id=2441
++       http://bugzilla.maptools.org/show_bug.cgi?id=2433
++
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+ 	* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+Index: tiff-4.0.7/libtiff/tif_dir.h
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dir.h
++++ tiff-4.0.7/libtiff/tif_dir.h
+@@ -291,6 +291,7 @@ struct _TIFFField {
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+ 
+ #if defined(__cplusplus)
+ }
+Index: tiff-4.0.7/libtiff/tif_dirinfo.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirinfo.c
++++ tiff-4.0.7/libtiff/tif_dirinfo.c
+@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFF
+ 	return 0;
+ }
+ 
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++	/* Filter out non-codec specific tags */
++	switch (tag) {
++	    /* Shared tags */
++	    case TIFFTAG_PREDICTOR:
++	    /* JPEG tags */
++	    case TIFFTAG_JPEGTABLES:
++	    /* OJPEG tags */
++	    case TIFFTAG_JPEGIFOFFSET:
++	    case TIFFTAG_JPEGIFBYTECOUNT:
++	    case TIFFTAG_JPEGQTABLES:
++	    case TIFFTAG_JPEGDCTABLES:
++	    case TIFFTAG_JPEGACTABLES:
++	    case TIFFTAG_JPEGPROC:
++	    case TIFFTAG_JPEGRESTARTINTERVAL:
++	    /* CCITT* */
++	    case TIFFTAG_BADFAXLINES:
++	    case TIFFTAG_CLEANFAXDATA:
++	    case TIFFTAG_CONSECUTIVEBADFAXLINES:
++	    case TIFFTAG_GROUP3OPTIONS:
++	    case TIFFTAG_GROUP4OPTIONS:
++		break;
++	    default:
++		return 1;
++	}
++	/* Check if codec specific tags are allowed for the current
++	 * compression scheme (codec) */
++	switch (tif->tif_dir.td_compression) {
++	    case COMPRESSION_LZW:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	    case COMPRESSION_PACKBITS:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_THUNDERSCAN:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_NEXT:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_JPEG:
++		if (tag == TIFFTAG_JPEGTABLES)
++		    return 1;
++		break;
++	    case COMPRESSION_OJPEG:
++		switch (tag) {
++		    case TIFFTAG_JPEGIFOFFSET:
++		    case TIFFTAG_JPEGIFBYTECOUNT:
++		    case TIFFTAG_JPEGQTABLES:
++		    case TIFFTAG_JPEGDCTABLES:
++		    case TIFFTAG_JPEGACTABLES:
++		    case TIFFTAG_JPEGPROC:
++		    case TIFFTAG_JPEGRESTARTINTERVAL:
++			return 1;
++		}
++		break;
++	    case COMPRESSION_CCITTRLE:
++	    case COMPRESSION_CCITTRLEW:
++	    case COMPRESSION_CCITTFAX3:
++	    case COMPRESSION_CCITTFAX4:
++		switch (tag) {
++		    case TIFFTAG_BADFAXLINES:
++		    case TIFFTAG_CLEANFAXDATA:
++		    case TIFFTAG_CONSECUTIVEBADFAXLINES:
++			return 1;
++		    case TIFFTAG_GROUP3OPTIONS:
++			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++			    return 1;
++			break;
++		    case TIFFTAG_GROUP4OPTIONS:
++			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++			    return 1;
++			break;
++		}
++		break;
++	    case COMPRESSION_JBIG:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_DEFLATE:
++	    case COMPRESSION_ADOBE_DEFLATE:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	   case COMPRESSION_PIXARLOG:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	    case COMPRESSION_SGILOG:
++	    case COMPRESSION_SGILOG24:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_LZMA:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++
++	}
++	return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+ 
+ /*
+Index: tiff-4.0.7/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_dirread.c
++++ tiff-4.0.7/libtiff/tif_dirread.c
+@@ -3566,6 +3566,10 @@ TIFFReadDirectory(TIFF* tif)
+ 							goto bad;
+ 						dp->tdir_tag=IGNORE;
+ 						break;
++                                        default:
++                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++                                                dp->tdir_tag=IGNORE;
++                                            break;
+ 				}
+ 			}
+ 		}
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
new file mode 100644
index 0000000000..204949bfc6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
@@ -0,0 +1,46 @@
+From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 26 Jun 2017 15:19:59 +0000
+Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
+ JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
+ by team OWL337
+
+* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
+
+CVE: CVE-2017-9936
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog          | 6 ++++++
+ libtiff/tif_jbig.c | 1 +
+ 2 files changed, 7 insertions(+)
+
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog
++++ tiff-4.0.7/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-26  Even Rouault <even.rouault at spatialys.com>
++
++	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
++	Reported by team OWL337
++
+ 2017-06-01  Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+Index: tiff-4.0.7/libtiff/tif_jbig.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_jbig.c
++++ tiff-4.0.7/libtiff/tif_jbig.c
+@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8*
+ 			     jbg_strerror(decodeStatus)
+ #endif
+ 			     );
++		jbg_dec_free(&decoder);
+ 		return 0;
+ 	}
+ 
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index e58173604e..e60cbb564f 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -7,6 +7,10 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://libtool2.patch \
            file://libtiff-CVE-2017-5225.patch \
+           file://CVE-2017-9147.patch \
+           file://CVE-2017-9936.patch \
+           file://CVE-2017-10688.patch \
+           file://CVE-2017-11335.patch \
           "
 
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
-- 
cgit 1.2.3-korg