author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-06-02 08:24:36 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-06-02 08:25:20 +0000 |
commit | 9c357d4b73ee5422aa963ff6ac9f0748053150ec (patch) | |
tree | 4666daf3dfe266a90c542ac9cc59800eb86ab7e1 | |
parent | 2d54dce8b391bd0303685760cc41aed58f3f29f0 (diff) | |
main/gd: security fix (CVE-2016-3074). Fixes #5613
-rw-r--r-- | main/gd/APKBUILD | 15 | ||||
-rw-r--r-- | main/gd/CVE-2016-3074.patch | 110 |
2 files changed, 120 insertions, 5 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD index e7e7bb51c8..bd78bc9c74 100644 --- a/main/gd/APKBUILD +++ b/main/gd/APKBUILD @@ -3,7 +3,7 @@ pkgname=gd pkgver=2.1.1 _myver=${pkgver/_rc/RC} -pkgrel=0 +pkgrel=1 pkgdesc="Library for the dynamic creation of images by programmers" url="http://www.libgd.org/" arch="all" @@ -11,7 +11,9 @@ license="custom" depends= makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev" subpackages="$pkgname-dev $pkgname-doc" -source="http://bitbucket.org/libgd/gd-libgd/downloads/libgd-$pkgver.tar.xz" +source="http://bitbucket.org/libgd/gd-libgd/downloads/libgd-$pkgver.tar.xz + CVE-2016-3074.patch + " _builddir="$srcdir"/lib$pkgname-$_myver prepare() { @@ -44,6 +46,9 @@ package() { rm -r "$pkgdir"/usr/lib/libgd.la } -md5sums="9076f3abd1f9815d106da36467ea15bc libgd-2.1.1.tar.xz" -sha256sums="9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 libgd-2.1.1.tar.xz" -sha512sums="48f444402a4b89e412870f9091b92eb26136c5c0d795722262ad973c7d4103476204a2de36133a2634b8f410d6bccdcf60afb829a74ac2fddfb96aff2cd2567b libgd-2.1.1.tar.xz" +md5sums="9076f3abd1f9815d106da36467ea15bc libgd-2.1.1.tar.xz +9a90f7e93c8259953ef8f67aead1b2b6 CVE-2016-3074.patch" +sha256sums="9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 libgd-2.1.1.tar.xz +827b4c3522bb865976cc56b92a60bc0df4e271a46044ac4994881b0106aaddf9 CVE-2016-3074.patch" +sha512sums="48f444402a4b89e412870f9091b92eb26136c5c0d795722262ad973c7d4103476204a2de36133a2634b8f410d6bccdcf60afb829a74ac2fddfb96aff2cd2567b libgd-2.1.1.tar.xz +8887f305cda02594fa4296a343a9c5fdc579f0cab72f4a5fcdf9cbf3d813fa05c0a53ab4fa879de0102c41d10cb08831902a379d2fdb5142d7b8e6d1ea3ef81a CVE-2016-3074.patch" diff --git a/main/gd/CVE-2016-3074.patch b/main/gd/CVE-2016-3074.patch new file mode 100644 index 0000000000..85000886c2 --- /dev/null +++ b/main/gd/CVE-2016-3074.patch 
@@ -0,0 +1,110 @@
+From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 16 Apr 2016 03:51:22 -0400
+Subject: [PATCH] gd2: handle corrupt images better (CVE-2016-3074)
+
+Make sure we do some range checking on corrupted chunks.
+
+Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for indepth report
+and reproducer information. Made for easy test case writing :).
+---
+ .gitignore | 1 +
+ src/gd_gd2.c | 2 ++
+ tests/Makefile.am | 3 ++-
+ tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
+ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/gd2_read_corrupt.c
+ create mode 100644 tests/gd2/invalid_neg_size.gd2
+
+diff --git a/.gitignore b/.gitignore
+index a68f3b9..35acd71 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -150,6 +150,7 @@ Makefile.in
+ /tests/gd2/gd2_im2im
+ /tests/gd2/gd2_null
+ /tests/gd2/gd2_read
++/tests/gd2/gd2_read_corrupt
+ /tests/gdimagearc/bug00079
+ /tests/gdimageline/gdimageline_aa
+ /tests/gdimageline/bug00072
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+- gd2/gd2_null
++ gd2/gd2_null \
++ gd2/gd2_read_corrupt
+ endif
+
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. */
++#include "gd.h"
++#include <stdio.h>
++#include <stdlib.h>
++#include "gdtest.h"
++
++int main()
++{
++ gdImagePtr im;
++ FILE *fp;
++ char path[1024];
++
++ /* Read the corrupt image. */
++ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
++ fp = fopen(path, "rb");
++ if (!fp) {
++ printf("failed, cannot open file\n");
++ return 1;
++ }
++ im = gdImageCreateFromGd2(fp);
++ fclose(fp);
++
++ /* Should have failed & rejected it. */
++ return im == NULL ? 0 : 1;
++}
+diff --git a/tests/gd2/invalid_neg_size.gd2 b/tests/gd2/invalid_neg_size.gd2
+new file mode 100644
+index 0000000000000000000000000000000000000000..3075f15a81a5ac0312f1548ef7733726c58c1f24
+GIT binary patch
+literal 1676
+zcmYdKF=Aj~VqgS92QbaVz`&x(z`&3Xq-XpG0w8-7jE2By2#o9ys9<DFVVM2jkq&_A
+zrDUq`{Y^Pj0@g4#f0QiA55HlZ@HF9tMV4@gn1|r?E8jjStJyO=Js<hwb(hMKkhS`+
+zIH#n4b81fOwK1Q}GC6xgli<E9^KAlt^6h-|{O7gG+mZ)9yjgNsGr@B1WVxObuQtrM
+z#=^yN#mUv!UZ(isn|)g<Gm@q5JT~X>)=nrYtl!eO@Y0j(uP24Oy8cV*JZTi%$LjUn
+zHzKcM%atz4N1|6Bc&yqQwj{71^7_XwahG!Za#qgRp0&AK_7P)ivKtpiqy+Qht#SF*
+zMaQJhn^t_9qk56qrqA%Mh<Mrlt=-}^_8Zw$*2~9UTQu|P_ebAXt^L@%Vt&w)*ca?Q
+zmoGA&ZC@r<dvR&!HA|J%GCJj_qO%-7e~P{{Z%T`}?Mk-4Qs-VbA2hzb+D@-d@!0Z+
+zna|e#ek}Mja+lhIXxR|+VBxjjJloZ}IRBU@_!{=-_#X*LR5`n@?<Lo!M7h*c?@zVv
+zYd=`G>{#vZ%zd@pEzz2O-%mf&R%I<VH&wT7kAHuuw|n=Ay_LQ$h6%e%zJGeR{l>8q
+zf?T2nbvg-FtoADt&xdhev;R0l>jm4q7qbJdANGtCPvX9R`uql)<-sap|IGrVrT6W5
+zXnv=f!*bd}GjY+2hGIKyAG$nqUSL?uGc}?vV9J_*x4-T7>?=Ea+<1Qdhx_^N-fMX)
+OZWwA+Ogk&gc>@5dGaWbp
+
+literal 0
+HcmV?d00001
+
|
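Review bot: The check added to `_gd2GetHeader` in the embedded src/gd_gd2.c change rejects only negative values, so a corrupt index entry with a very large positive `cidx[i].size` or `cidx[i].offset` still passes this stage. The code that later uses those fields for allocation and reads lies outside this hunk, so I cannot confirm it enforces an upper bound; that is worth checking against the full upstream file before relying on this patch alone. The new `if` is unbraced while every neighbouring branch is braced, so `if (cidx[i].offset < 0 || cidx[i].size < 0) { goto fail2; }` would match the surrounding style. In the added test, `sprintf(path, ...)` into `char path[1024]` would be safer as `snprintf(path, sizeof(path), "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);`, and the test covers only the negative-size file.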