diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2018-10-02 14:03:36 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-10-02 16:05:06 +0200 |
| commit | 0b18843792bc3a090f55ce0f51d3f3049ff91f23 (patch) | |
| tree | a477ffdd2fd5c17e618c34ea3edbdf1e4877985a | |
| parent | 447318e4bff01df5d8424ebddea8345bd4a29501 (diff) | |
main/gd: backport security fix for CVE-2018-1000222
fixes #9499
| -rw-r--r-- | main/gd/APKBUILD | 10 | ||||
| -rw-r--r-- | main/gd/CVE-2018-1000222.patch | 73 |
2 files changed, 81 insertions, 2 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD index 2fffb9fc7cd..0d03b6369f9 100644 --- a/main/gd/APKBUILD +++ b/main/gd/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=gd pkgver=2.2.5 -pkgrel=0 +pkgrel=1 _pkgreal=lib$pkgname pkgdesc="Library for the dynamic creation of images by programmers" url="http://libgd.github.io/" @@ -13,10 +13,15 @@ makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev subpackages="$pkgname-dev $_pkgreal:libs" source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz CVE-2016-7568.patch + CVE-2018-1000222.patch " builddir="$srcdir/$_pkgreal-$pkgver" options="!check" +# secfixes: +# 2.2.5-r1: +# - CVE-2018-1000222 + build() { cd "$builddir" ./configure \ @@ -48,4 +53,5 @@ dev() { } sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz -8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch" +8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch +d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch" diff --git a/main/gd/CVE-2018-1000222.patch b/main/gd/CVE-2018-1000222.patch new file mode 100644 index 00000000000..80f9712bf8e --- /dev/null +++ b/main/gd/CVE-2018-1000222.patch @@ -0,0 +1,73 @@ +From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Sat, 14 Jul 2018 13:54:08 -0400 +Subject: [PATCH] bmp: check return value in gdImageBmpPtr + +Closes #447. +--- + src/gd_bmp.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/gd_bmp.c b/src/gd_bmp.c +index bde0b9d3..78f40d9a 100644 +--- a/src/gd_bmp.c ++++ b/src/gd_bmp.c +@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp + static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); + static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); + ++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); ++ + #define BMP_DEBUG(s) + + static int gdBMPPutWord(gdIOCtx *out, int w) +@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageBmpCtx(im, out, compression); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageBmpCtx(im, out, compression)) ++ rv = gdDPExtractData(out, size); ++ else ++ rv = NULL; + out->gd_free(out); + return rv; + } +@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) + compression - whether to apply RLE or not. + */ + BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) ++{ ++ _gdImageBmpCtx(im, out, compression); ++} ++ ++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + { + int bitmap_size = 0, info_size, total_size, padding; + int i, row, xpos, pixel; +@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; + FILE *tmpfile_for_compression = NULL; + gdIOCtxPtr out_original = NULL; ++ int ret = 1; + + /* No compression if its true colour or we don't support seek */ + if (im->trueColor) { +@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + out_original = NULL; + } + ++ ret = 0; + cleanup: + if (tmpfile_for_compression) { + #ifdef _WIN32 +@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + if (out_original) { + out_original->gd_free(out_original); + } +- return; ++ return ret; + } + + static int compress_row(unsigned char *row, int length) |