summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2018-09-09 17:48:24 -0400
committerLeo Famulari <leo@famulari.name>2018-09-09 18:13:19 -0400
commitced98c7e89a22c551dd23acd7a1b4f861958d876 (patch)
tree86a3675fe38842ae01dac67c6af7bb10b822a57a
parent15cc7e6adfa503a1cf168d19a952fae02f91ab2d (diff)
downloadpatches-ced98c7e89a22c551dd23acd7a1b4f861958d876.tar
patches-ced98c7e89a22c551dd23acd7a1b4f861958d876.tar.gz
gnu: libgd: Fix CVE-2018-{5711,1000222}.
* gnu/packages/patches/gd-CVE-2018-1000222.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd/fixed): New variable. * gnu/packages/php.scm (gd-for-php)[source]: Use 'gd-CVE-2018-1000222.patch'.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/gd.scm11
-rw-r--r--gnu/packages/patches/gd-CVE-2018-1000222.patch87
-rw-r--r--gnu/packages/php.scm3
4 files changed, 101 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 0407fdc597..374e25165e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -719,6 +719,7 @@ dist_patch_DATA = \
%D%/packages/patches/gcr-disable-failing-tests.patch \
%D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \
%D%/packages/patches/gd-CVE-2018-5711.patch \
+ %D%/packages/patches/gd-CVE-2018-1000222.patch \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-freetype-test-failure.patch \
%D%/packages/patches/gdm-CVE-2018-14424.patch \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index c374695524..327a1f1545 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -39,6 +39,7 @@
(define-public gd
(package
(name "gd")
+ (replacement gd/fixed)
;; Note: With libgd.org now pointing to github.com, genuine old
;; tarballs are no longer available. Notably, versions 2.0.x are
;; missing.
@@ -91,6 +92,16 @@ most common applications of GD involve website development.")
"See COPYING file in the distribution."))
(properties '((cpe-name . "libgd")))))
+(define-public gd/fixed
+ (hidden-package
+ (package
+ (inherit gd)
+ (source (origin
+ (inherit (package-source gd))
+ (patches (append (origin-patches (package-source gd))
+ (search-patches "gd-CVE-2018-5711.patch"
+ "gd-CVE-2018-1000222.patch"))))))))
+
(define-public perl-gd
(package
(name "perl-gd")
diff --git a/gnu/packages/patches/gd-CVE-2018-1000222.patch b/gnu/packages/patches/gd-CVE-2018-1000222.patch
new file mode 100644
index 0000000000..7e94295bb6
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2018-1000222.patch
@@ -0,0 +1,87 @@
+Fix CVE-2018-1000222:
+
+https://github.com/libgd/libgd/issues/447
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a
+
+From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: [PATCH] bmp: check return value in gdImageBmpPtr
+
+Closes #447.
+
+(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5)
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index ccafdcd..d625da1 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageBmpCtx(im, out, compression);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageBmpCtx(im, out, compression))
++ rv = gdDPExtractData(out, size);
++ else
++ rv = NULL;
+ out->gd_free(out);
+ return rv;
+ }
+@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
++{
++ _gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ int bitmap_size = 0, info_size, total_size, padding;
+ int i, row, xpos, pixel;
+@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ FILE *tmpfile_for_compression = NULL;
+ gdIOCtxPtr out_original = NULL;
++ int ret = 1;
+
+ /* No compression if its true colour or we don't support seek */
+ if (im->trueColor) {
+@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ out_original = NULL;
+ }
+
++ ret = 0;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -339,7 +350,7 @@ cleanup:
+ if (out_original) {
+ out_original->gd_free(out_original);
+ }
+- return;
++ return ret;
+ }
+
+ static int compress_row(unsigned char *row, int length)
+--
+2.18.0
+
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index 121ffab767..4981c60554 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -57,7 +57,8 @@
(inherit (package-source gd))
(patches (search-patches "gd-fix-tests-on-i686.patch"
"gd-freetype-test-failure.patch"
- "gd-CVE-2018-5711.patch"))))))
+ "gd-CVE-2018-5711.patch"
+ "gd-CVE-2018-1000222.patch"))))))
(define-public php
(package