From ced98c7e89a22c551dd23acd7a1b4f861958d876 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 9 Sep 2018 17:48:24 -0400 Subject: gnu: libgd: Fix CVE-2018-{5711,1000222}. * gnu/packages/patches/gd-CVE-2018-1000222.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd/fixed): New variable. * gnu/packages/php.scm (gd-for-php)[source]: Use 'gd-CVE-2018-1000222.patch'. --- gnu/local.mk | 1 + gnu/packages/gd.scm | 11 ++++ gnu/packages/patches/gd-CVE-2018-1000222.patch | 87 ++++++++++++++++++++++++++ gnu/packages/php.scm | 3 +- 4 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gd-CVE-2018-1000222.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 0407fdc597..374e25165e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -719,6 +719,7 @@ dist_patch_DATA = \ %D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gd-CVE-2018-5711.patch \ + %D%/packages/patches/gd-CVE-2018-1000222.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \ %D%/packages/patches/gdm-CVE-2018-14424.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index c374695524..327a1f1545 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -39,6 +39,7 @@ (define-public gd (package (name "gd") + (replacement gd/fixed) ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. @@ -91,6 +92,16 @@ most common applications of GD involve website development.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) +(define-public gd/fixed + (hidden-package + (package + (inherit gd) + (source (origin + (inherit (package-source gd)) + (patches (append (origin-patches (package-source gd)) + (search-patches "gd-CVE-2018-5711.patch" + "gd-CVE-2018-1000222.patch")))))))) + (define-public perl-gd (package (name "perl-gd") diff --git a/gnu/packages/patches/gd-CVE-2018-1000222.patch b/gnu/packages/patches/gd-CVE-2018-1000222.patch new file mode 100644 index 0000000000..7e94295bb6 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2018-1000222.patch @@ -0,0 +1,87 @@ +Fix CVE-2018-1000222: + +https://github.com/libgd/libgd/issues/447 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222 + +Patch copied from upstream source repository: + +https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a + +From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001 +From: Mike Frysinger +Date: Sat, 14 Jul 2018 13:54:08 -0400 +Subject: [PATCH] bmp: check return value in gdImageBmpPtr + +Closes #447. + +(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5) +--- + src/gd_bmp.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/gd_bmp.c b/src/gd_bmp.c +index ccafdcd..d625da1 100644 +--- a/src/gd_bmp.c ++++ b/src/gd_bmp.c +@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp + static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); + static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); + ++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); ++ + #define BMP_DEBUG(s) + + static int gdBMPPutWord(gdIOCtx *out, int w) +@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageBmpCtx(im, out, compression); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageBmpCtx(im, out, compression)) ++ rv = gdDPExtractData(out, size); ++ else ++ rv = NULL; + out->gd_free(out); + return rv; + } +@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) + compression - whether to apply RLE or not. + */ + BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) ++{ ++ _gdImageBmpCtx(im, out, compression); ++} ++ ++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + { + int bitmap_size = 0, info_size, total_size, padding; + int i, row, xpos, pixel; +@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; + FILE *tmpfile_for_compression = NULL; + gdIOCtxPtr out_original = NULL; ++ int ret = 1; + + /* No compression if its true colour or we don't support seek */ + if (im->trueColor) { +@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + out_original = NULL; + } + ++ ret = 0; + cleanup: + if (tmpfile_for_compression) { + #ifdef _WIN32 +@@ -339,7 +350,7 @@ cleanup: + if (out_original) { + out_original->gd_free(out_original); + } +- return; ++ return ret; + } + + static int compress_row(unsigned char *row, int length) +-- +2.18.0 + diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm index 121ffab767..4981c60554 100644 --- a/gnu/packages/php.scm +++ b/gnu/packages/php.scm @@ -57,7 +57,8 @@ (inherit (package-source gd)) (patches (search-patches "gd-fix-tests-on-i686.patch" "gd-freetype-test-failure.patch" - "gd-CVE-2018-5711.patch")))))) + "gd-CVE-2018-5711.patch" + "gd-CVE-2018-1000222.patch")))))) (define-public php (package -- cgit v1.2.3