diff options
author | Leo Famulari <leo@famulari.name> | 2016-07-15 14:48:09 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-07-16 12:49:22 -0400 |
commit | a1537ac2bae1d7eae39188317daf1186a673e6a2 (patch) | |
tree | 3c5e48205ba2b657d4f8627461dd83e4db31b95e /gnu | |
parent | b9174ff4493b8c502c06f8ba80183115f542d90c (diff) | |
download | patches-a1537ac2bae1d7eae39188317daf1186a673e6a2.tar patches-a1537ac2bae1d7eae39188317daf1186a673e6a2.tar.gz |
gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gd.scm (gd): Use patches.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 4 | ||||
-rw-r--r-- | gnu/packages/gd.scm | 4 | ||||
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-5766.patch | 81 | ||||
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-6128.patch | 253 | ||||
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-6132.patch | 55 | ||||
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-6214.patch | 66 |
6 files changed, 463 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 71409b9735..536ecef4ea 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -510,6 +510,10 @@ dist_patch_DATA = \ %D%/packages/patches/gcc-cross-environment-variables.patch \ %D%/packages/patches/gcc-libvtv-runpath.patch \ %D%/packages/patches/gcc-5.0-libvtv-runpath.patch \ + %D%/packages/patches/gd-CVE-2016-5766.patch \ + %D%/packages/patches/gd-CVE-2016-6128.patch \ + %D%/packages/patches/gd-CVE-2016-6132.patch \ + %D%/packages/patches/gd-CVE-2016-6214.patch \ %D%/packages/patches/gegl-CVE-2012-4433.patch \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghostscript-CVE-2015-3228.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index b4e634969e..700de33a7a 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -47,6 +47,10 @@ (uri (string-append "https://github.com/libgd/libgd/releases/download/gd-" version "/libgd-" version ".tar.xz")) + (patches (search-patches "gd-CVE-2016-5766.patch" + "gd-CVE-2016-6128.patch" + "gd-CVE-2016-6132.patch" + "gd-CVE-2016-6214.patch")) (sha256 (base32 "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8")))) diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch new file mode 100644 index 0000000000..400cb0ab48 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-5766.patch @@ -0,0 +1,81 @@ +Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap +overflow). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766 + +Adapted from upstream commits: +https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0 +https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79 + +Since `patch` cannot apply Git binary diffs, we omit the addition of +'tests/gd2/php_bug_72339.c' and its associated binary data. + +From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Tue, 28 Jun 2016 16:23:42 +0700 +Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in + _gd2GetHeader() resulting in heap overflow + +--- + src/gd_gd2.c | 5 ++++- + tests/gd2/CMakeLists.txt | 1 + + tests/gd2/Makemodule.am | 6 ++++-- + tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++ + tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes + 5 files changed, 30 insertions(+), 3 deletions(-) + create mode 100644 tests/gd2/php_bug_72339.c + create mode 100644 tests/gd2/php_bug_72339_exp.gd2 + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index fd1e0c9..bdbbecf 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + nc = (*ncx) * (*ncy); + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); + sidx = sizeof (t_chunk_info) * nc; ++ if (overflow2(sidx, nc)) { ++ goto fail1; ++ } + cidx = gdCalloc (sidx, 1); +- if (!cidx) { ++ if (cidx == NULL) { + goto fail1; + } + for (i = 0; i < nc; i++) { +From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Wed, 29 Jun 2016 09:36:26 +0700 +Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in + _gd2GetHeader() resulting in heap overflow. Sync with php's sync + +--- + src/gd_gd2.c | 7 ++++++- + tests/gd2/php_bug_72339.c | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index bdbbecf..2837456 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + + if (gd2_compressed (*fmt)) { + nc = (*ncx) * (*ncy); ++ + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); ++ if (overflow2(sizeof(t_chunk_info), nc)) { ++ goto fail1; ++ } + sidx = sizeof (t_chunk_info) * nc; +- if (overflow2(sidx, nc)) { ++ if (sidx <= 0) { + goto fail1; + } ++ + cidx = gdCalloc (sidx, 1); + if (cidx == NULL) { + goto fail1; +-- +2.9.1 + diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch new file mode 100644 index 0000000000..45ee6b0cfa --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6128.patch @@ -0,0 +1,253 @@ +Fix CVE-2016-6128 (invalid color index is not properly handled leading +to denial of service). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128 + +Copied from upstream commits: +https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd + +From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:17:39 +0700 +Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead + to crash + +--- + src/gd_crop.c | 4 ++++ + tests/CMakeLists.txt | 1 + + tests/Makefile.am | 1 + + 3 files changed, 6 insertions(+) + +diff --git a/src/gd_crop.c b/src/gd_crop.c +index 0296633..532b49b 100644 +--- a/src/gd_crop.c ++++ b/src/gd_crop.c +@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c + return NULL; + } + ++ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) { ++ return NULL; ++ } ++ + /* TODO: Add gdImageGetRowPtr and works with ptr at the row level + * for the true color and palette images + * new formats will simply work with ptr +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 6f5c786..5093d52 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -31,6 +31,7 @@ if (BUILD_TEST) + gdimagecolortransparent + gdimagecopy + gdimagecopyrotated ++ gdimagecrop + gdimagefile + gdimagefill + gdimagefilledellipse +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 4f6e756..5a0ebe8 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am + include gdimagecolortransparent/Makemodule.am + include gdimagecopy/Makemodule.am + include gdimagecopyrotated/Makemodule.am ++include gdimagecrop/Makemodule.am + include gdimagefile/Makemodule.am + include gdimagefill/Makemodule.am + include gdimagefilledellipse/Makemodule.am +-- +2.9.1 + +From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:20:07 +0700 +Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead + to crash + +--- + tests/gdimagecrop/.gitignore | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tests/gdimagecrop/.gitignore + +diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore +new file mode 100644 +index 0000000..8e8c9c3 +--- /dev/null ++++ b/tests/gdimagecrop/.gitignore +@@ -0,0 +1 @@ ++/php_bug_72494 +-- +2.9.1 + +From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:24:50 +0700 +Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead + to crash + +--- + tests/gdimagecrop/CMakeLists.txt | 5 +++++ + 1 file changed, 5 insertions(+) + create mode 100644 tests/gdimagecrop/CMakeLists.txt + +diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt +new file mode 100644 +index 0000000..f7e4c7e +--- /dev/null ++++ b/tests/gdimagecrop/CMakeLists.txt +@@ -0,0 +1,5 @@ ++SET(TESTS_FILES ++ php_bug_72494 ++) ++ ++ADD_GD_TESTS() +-- +2.9.1 + +From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:25:12 +0700 +Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead + to crash + +--- + tests/gdimagecrop/Makemodule.am | 5 +++++ + 1 file changed, 5 insertions(+) + create mode 100644 tests/gdimagecrop/Makemodule.am + +diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am +new file mode 100644 +index 0000000..210888b +--- /dev/null ++++ b/tests/gdimagecrop/Makemodule.am +@@ -0,0 +1,5 @@ ++libgd_test_programs += \ ++ gdimagecrop/php_bug_72494 ++ ++EXTRA_DIST += \ ++ gdimagecrop/CMakeLists.txt +-- +2.9.1 + +From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:25:40 +0700 +Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead + to crash + +--- + tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + create mode 100644 tests/gdimagecrop/php_bug_72494.c + +diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c +new file mode 100644 +index 0000000..adaa379 +--- /dev/null ++++ b/tests/gdimagecrop/php_bug_72494.c +@@ -0,0 +1,23 @@ ++#include <stdio.h> ++#include <stdlib.h> ++#include "gd.h" ++ ++#include "gdtest.h" ++ ++int main() ++{ ++ gdImagePtr im, exp; ++ int error = 0; ++ ++ im = gdImageCreate(50, 50); ++ ++ if (!im) { ++ gdTestErrorMsg("gdImageCreate failed.\n"); ++ return 1; ++ } ++ ++ gdImageCropThreshold(im, 1337, 0); ++ gdImageDestroy(im); ++ /* this bug tests a crash, it never reaches this point if the bug exists*/ ++ return 0; ++} +-- +2.9.1 + +From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:38:07 +0700 +Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove + useless <0 comparison + +--- + src/gd_crop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/gd_crop.c b/src/gd_crop.c +index 532b49b..d51ad67 100644 +--- a/src/gd_crop.c ++++ b/src/gd_crop.c +@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c + return NULL; + } + +- if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) { ++ if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) { + return NULL; + } + +-- +2.9.1 + +From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 11:51:40 +0700 +Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove + useless <0 comparison + +--- + tests/gdimagecrop/php_bug_72494.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c +index adaa379..5cb589b 100644 +--- a/tests/gdimagecrop/php_bug_72494.c ++++ b/tests/gdimagecrop/php_bug_72494.c +@@ -6,7 +6,7 @@ + + int main() + { +- gdImagePtr im, exp; ++ gdImagePtr im; + int error = 0; + + im = gdImageCreate(50, 50); +-- +2.9.1 + +From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pierre.php@gmail.com> +Date: Mon, 27 Jun 2016 12:04:25 +0700 +Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove + useless <0 comparison + +--- + tests/gdimagecrop/php_bug_72494.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c +index 5cb589b..3bd19be 100644 +--- a/tests/gdimagecrop/php_bug_72494.c ++++ b/tests/gdimagecrop/php_bug_72494.c +@@ -7,7 +7,6 @@ + int main() + { + gdImagePtr im; +- int error = 0; + + im = gdImageCreate(50, 50); + +-- +2.9.1 + diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch new file mode 100644 index 0000000000..4c475b71b2 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6132.patch @@ -0,0 +1,55 @@ +Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132 + +Copied from upstream commit: +https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d + +From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org> +Date: Tue, 12 Jul 2016 11:24:09 +0200 +Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA + files (CVE-2016-6132) + +--- + src/gd_tga.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index ef20f86..20fe2d2 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + return -1; + } + +- gdGetBuf(conversion_buffer, image_block_size, ctx); ++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { ++ gd_error("gd-tga: premature end of image data\n"); ++ gdFree(conversion_buffer); ++ return -1; ++ } + + while (buffer_caret < image_block_size) { + tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret]; +@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + } + conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char)); + if (conversion_buffer == NULL) { ++ gd_error("gd-tga: premature end of image data\n"); + gdFree( decompression_buffer ); + return -1; + } + +- gdGetBuf( conversion_buffer, image_block_size, ctx ); ++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { ++ gdFree(conversion_buffer); ++ gdFree(decompression_buffer); ++ return -1; ++ } + + buffer_caret = 0; + +-- +2.9.1 + diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch new file mode 100644 index 0000000000..7894a32bb1 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6214.patch @@ -0,0 +1,66 @@ +Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214 + +Adapted from upstream commit: +https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308 + +Since `patch` cannot apply Git binary diffs, we omit the addition of +'tests/tga/bug00247a.c' and its associated binary data. + +From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 12 Jul 2016 19:23:13 +0200 +Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error + gracefully + +Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are +really supported. All other combinations will be rejected with a warning. + +(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9) +--- + src/gd_tga.c | 16 ++++++---------- + tests/tga/.gitignore | 1 + + tests/tga/CMakeLists.txt | 1 + + tests/tga/Makemodule.am | 4 +++- + tests/tga/bug00247a.c | 19 +++++++++++++++++++ + tests/tga/bug00247a.tga | Bin 0 -> 36 bytes + 6 files changed, 30 insertions(+), 11 deletions(-) + create mode 100644 tests/tga/bug00247a.c + create mode 100644 tests/tga/bug00247a.tga + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index 20fe2d2..b4f8fa6 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx) + if (tga->bits == TGA_BPP_24) { + *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]); + bitmap_caret += 3; +- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) { ++ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) { + register int a = tga->bitmap[bitmap_caret + 3]; + + *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1)); +@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga) + printf("wxh: %i %i\n", tga->width, tga->height); + #endif + +- switch(tga->bits) { +- case 8: +- case 16: +- case 24: +- case 32: +- break; +- default: +- gd_error("bps %i not supported", tga->bits); ++ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0) ++ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8))) ++ { ++ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n", ++ tga->bits, tga->alphabits); + return -1; +- break; + } + + tga->ident = NULL; |