main/gd: security fixes

- CVE-2021-38115 - CVE-2021-40145
author: J0WI <J0WI@users.noreply.github.com> 2021-09-08 17:04:34 +0200
committer: J0WI <J0WI@users.noreply.github.com> 2021-09-08 17:10:01 +0200
commit: f0553ace280669808b577e43e25fb53ce4225162 (patch)
tree: 7045ee0e6844ceaaf089b597ac0831533943117c
parent: 178222d4dbc28360486d10441d6c9ad5c032e55a (diff)
3 files changed, 164 insertions, 3 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index e4726b31b27..88444f78b9e 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
 pkgname=gd
 pkgver=2.3.2
-pkgrel=0
+pkgrel=1
 _pkgreal=lib$pkgname
 pkgdesc="Library for the dynamic creation of images by programmers"
 url="https://libgd.github.io/"
@@ -16,15 +16,22 @@ makedepends="
 	zlib-dev
 	"
 subpackages="$pkgname-dev $_pkgreal:libs"
-source="https://github.com/$_pkgreal/$_pkgreal/releases/download/gd-$pkgver/$_pkgreal-$pkgver.tar.xz"
+source="https://github.com/$_pkgreal/$_pkgreal/releases/download/gd-$pkgver/$_pkgreal-$pkgver.tar.xz
+	CVE-2021-38115.patch
+	CVE-2021-40145.patch
+	"
 builddir="$srcdir/$_pkgreal-$pkgver"
 # https://github.com/libgd/libgd/issues/359
 options="!check"
 
 # secfixes:
+#   2.3.0-r1:
+#     - CVE-2021-38115
+#     - CVE-2021-40145
 #   2.3.0-r0:
 #     - CVE-2019-11038
 #     - CVE-2018-14553
+#     - CVE-2017-6363
 #   2.2.5-r2:
 #     - CVE-2018-5711
 #     - CVE-2019-6977
@@ -60,4 +67,8 @@ dev() {
 	mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin/
 }
 
-sha512sums="a31c6dbb64e7b725b63f3b400f7bebc289e2d776bdca0595af23006841660dc93a56c2247b98f8a584438a826f9e9ff0bea17d0b3900e48e281580b1308794d2  libgd-2.3.2.tar.xz"
+sha512sums="
+a31c6dbb64e7b725b63f3b400f7bebc289e2d776bdca0595af23006841660dc93a56c2247b98f8a584438a826f9e9ff0bea17d0b3900e48e281580b1308794d2  libgd-2.3.2.tar.xz
+cf455c3487dd3ef074abb0d89c2763e5652b11273a63eb050212dbed911e6fe9b65bf26c2de8ac9dc32d8225c096389075f518296280c3109c19612daafdb043  CVE-2021-38115.patch
+778ec72d6bcccd5fac032bb165f198cd588bc59e8358cb0933fe2e7e688416d693c517b0c2afd1c3b682619404a94bb4f0babbdf895774e83c869a34f191f84a  CVE-2021-40145.patch
+"
diff --git a/main/gd/CVE-2021-38115.patch b/main/gd/CVE-2021-38115.patch
new file mode 100644
index 00000000000..94083594e04
--- /dev/null
+++ b/main/gd/CVE-2021-38115.patch
@@ -0,0 +1,26 @@
+From 8b111b2b4a4842179be66db68d84dda91a246032 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 10:07:13 +0430
+Subject: [PATCH] fix read out-of-bands in reading tga header file
+
+---
+ src/gd_tga.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index cae9428da..286febb28 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -191,7 +191,11 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf(tga->ident, tga->identsize, ctx);
++		
++		if (gdGetBuf(tga->ident, tga->identsize, ctx) != tga->identsize) {
++			gd_error("fail to read header ident");
++			return -1;
++		}
+ 	}
+ 
+ 	return 1;
diff --git a/main/gd/CVE-2021-40145.patch b/main/gd/CVE-2021-40145.patch
new file mode 100644
index 00000000000..3f6b855eb2a
--- /dev/null
+++ b/main/gd/CVE-2021-40145.patch
@@ -0,0 +1,124 @@
+From e95059590fadaabd9aadc0c0489804d75a3c5d52 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 18:52:50 +0430
+Subject: [PATCH 1/3] gdImageGd2Ptr memory leak
+
+---
+ src/gd_gd2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 760e85b9f..84ec53375 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1,4 +1,4 @@
+-/*
++ /*
+    * gd_gd2.c
+    *
+    * Implements the I/O and support for the GD2 format.
+@@ -910,9 +910,11 @@ _gd2PutHeader (gdImagePtr im, gdIOCtx * out, int cs, int fmt, int cx, int cy)
+ 
+ }
+ 
+-static void
++/* returns 0 on success, 1 on failure */
++static int
+ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ {
++	int ret = 0;
+ 	int ncx, ncy, cx, cy;
+ 	int x, y, ylo, yhi, xlo, xhi;
+ 	int chunkLen;
+@@ -974,10 +976,12 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ 		/* */
+ 		chunkData = gdCalloc (cs * bytesPerPixel * cs, 1);
+ 		if (!chunkData) {
++			ret = 1;
+ 			goto fail;
+ 		}
+ 		compData = gdCalloc (compMax, 1);
+ 		if (!compData) {
++			ret = 1;
+ 			goto fail;
+ 		}
+ 
+@@ -992,6 +996,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ 
+ 		chunkIdx = gdCalloc (idxSize * sizeof (t_chunk_info), 1);
+ 		if (!chunkIdx) {
++			ret = 1;
+ 			goto fail;
+ 		}
+ 	};
+@@ -1107,6 +1112,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ 	}
+ 	GD2_DBG (printf ("Done\n"));
+ 
++	return ret;
++
+ }
+ 
+ /*
+@@ -1128,8 +1135,11 @@ BGD_DECLARE(void *) gdImageGd2Ptr (gdImagePtr im, int cs, int fmt, int *size)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+ 	if (out == NULL) return NULL;
+-	_gdImageGd2 (im, out, cs, fmt);
+-	rv = gdDPExtractData (out, size);
++	if (_gdImageGd2(im, out, cs, fmt)) {
++		rv = NULL;
++	} else {
++		rv = gdDPExtractData(out, size);
++	}
+ 	out->gd_free (out);
+ 	return rv;
+ }
+
+From e8eeb8dde5bc4c9d4e7ae1ab43d9fd1780ceb792 Mon Sep 17 00:00:00 2001
+From: Maryam Ebrahimzadeh <61263086+me22bee@users.noreply.github.com>
+Date: Tue, 24 Aug 2021 11:46:07 +0430
+Subject: [PATCH 2/3] trigger the github actions
+
+---
+ src/gd_gd2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 84ec53375..097c93d0d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1135,11 +1135,13 @@ BGD_DECLARE(void *) gdImageGd2Ptr (gdImagePtr im, int cs, int fmt, int *size)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+ 	if (out == NULL) return NULL;
++	
+ 	if (_gdImageGd2(im, out, cs, fmt)) {
+ 		rv = NULL;
+ 	} else {
+ 		rv = gdDPExtractData(out, size);
+ 	}
++	
+ 	out->gd_free (out);
+ 	return rv;
+ }
+
+From a1d4caace613d31209b42d22d9f7ebe37c381f9a Mon Sep 17 00:00:00 2001
+From: Maryam Ebrahimzadeh <61263086+me22bee@users.noreply.github.com>
+Date: Tue, 24 Aug 2021 12:02:23 +0430
+Subject: [PATCH 3/3] remove non-printable bytes
+
+---
+ src/gd_gd2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 097c93d0d..5c57d44a6 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -1,4 +1,4 @@
+- /*
++/*
+    * gd_gd2.c
+    *
+    * Implements the I/O and support for the GD2 format.
author	J0WI <J0WI@users.noreply.github.com>	2021-09-08 17:04:34 +0200
committer	J0WI <J0WI@users.noreply.github.com>	2021-09-08 17:10:01 +0200
commit	f0553ace280669808b577e43e25fb53ce4225162 (patch)
tree	7045ee0e6844ceaaf089b597ac0831533943117c
parent	178222d4dbc28360486d10441d6c9ad5c032e55a (diff)