aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2018-10-02 14:03:36 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-10-02 16:11:23 +0200
commit1b9e8e254652655fd729cebdb23661dbfd50bccf (patch)
treee9608cf073b7958de51984b27d40a22912b95530
parentfae42a57529214cd7ee88738466541ee2f7f3643 (diff)
downloadaports-1b9e8e254652655fd729cebdb23661dbfd50bccf.tar.bz2
aports-1b9e8e254652655fd729cebdb23661dbfd50bccf.tar.xz
main/gd: backport security fix for CVE-2018-1000222
fixes #9502
-rw-r--r--main/gd/APKBUILD8
-rw-r--r--main/gd/CVE-2018-1000222.patch73
2 files changed, 79 insertions, 2 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index c1a823e930..1aa71dddab 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -3,7 +3,7 @@
pkgname=gd
pkgver=2.2.5
_myver=${pkgver/_rc/RC}
-pkgrel=0
+pkgrel=1
pkgdesc="Library for the dynamic creation of images by programmers"
url="http://libgd.github.io/"
arch="all"
@@ -13,10 +13,13 @@ makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
subpackages="$pkgname-dev"
source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz
CVE-2016-7568.patch
+ CVE-2018-1000222.patch
"
builddir="$srcdir"/lib$pkgname-$_myver
# secfixes:
+# 2.2.5-r1:
+# - CVE-2018-1000222
# 2.2.5-r0:
# - CVE-2017-6362
# - CVE-2017-7890
@@ -57,4 +60,5 @@ fca9871b791d6ac88af7d6d5ce8c59d1 CVE-2016-7568.patch"
sha256sums="8c302ccbf467faec732f0741a859eef4ecae22fea2d2ab87467be940842bde51 libgd-2.2.5.tar.xz
0b7b7ddfc5200220763efb47cc6b56a6275fd5af70e85a8c91c667344f664012 CVE-2016-7568.patch"
sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
-8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch"
+8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch
+d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch"
diff --git a/main/gd/CVE-2018-1000222.patch b/main/gd/CVE-2018-1000222.patch
new file mode 100644
index 0000000000..80f9712bf8
--- /dev/null
+++ b/main/gd/CVE-2018-1000222.patch
@@ -0,0 +1,73 @@
+From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: [PATCH] bmp: check return value in gdImageBmpPtr
+
+Closes #447.
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index bde0b9d3..78f40d9a 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageBmpCtx(im, out, compression);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageBmpCtx(im, out, compression))
++ rv = gdDPExtractData(out, size);
++ else
++ rv = NULL;
+ out->gd_free(out);
+ return rv;
+ }
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
++{
++ _gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ int bitmap_size = 0, info_size, total_size, padding;
+ int i, row, xpos, pixel;
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ FILE *tmpfile_for_compression = NULL;
+ gdIOCtxPtr out_original = NULL;
++ int ret = 1;
+
+ /* No compression if its true colour or we don't support seek */
+ if (im->trueColor) {
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ out_original = NULL;
+ }
+
++ ret = 0;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ if (out_original) {
+ out_original->gd_free(out_original);
+ }
+- return;
++ return ret;
+ }
+
+ static int compress_row(unsigned char *row, int length)