From e1376e25a755a7368d095b4eb2daf42be9e63b0d Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 15 Oct 2016 15:31:01 -0400 Subject: gnu: gd: Fix CVE-2016-8670. * gnu/packages/patches/gd-CVE-2016-8670.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd)[source]: Use it. --- gnu/packages/patches/gd-CVE-2016-8670.patch | 38 +++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 gnu/packages/patches/gd-CVE-2016-8670.patch (limited to 'gnu/packages/patches/gd-CVE-2016-8670.patch') diff --git a/gnu/packages/patches/gd-CVE-2016-8670.patch b/gnu/packages/patches/gd-CVE-2016-8670.patch new file mode 100644 index 0000000000..39ee99ac31 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-8670.patch @@ -0,0 +1,38 @@ +Fix CVE-2016-8670 (buffer overflow in dynamicGetbuf()): + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670 +http://seclists.org/oss-sec/2016/q4/138 + +Patch copied from upstream source repository: + +https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9 + +From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 12 Oct 2016 11:15:32 +0200 +Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion + +We make sure to never pass a negative `rlen` as size to memcpy(). See +also . + +Patch provided by Emmanuel Law. +--- + src/gd_io_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c +index 135eda3..228bfa5 100644 +--- a/src/gd_io_dp.c ++++ b/src/gd_io_dp.c +@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len) + if(remain >= len) { + rlen = len; + } else { +- if(remain == 0) { ++ if(remain <= 0) { + /* 2.0.34: EOF is incorrect. We use 0 for + * errors and EOF, just like fileGetbuf, + * which is a simple fread() wrapper. +-- +2.10.1 + -- cgit v1.2.3