aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2016-10-21 13:08:24 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-10-21 13:09:28 +0000
commite75858307e07c46124b8f604df3a02f0f2c88dbf (patch)
treef5c17f0cfe7c055356229fd9479f9f5dbb06cb60
parentac6549fa3988c594c16d11ac9e00abca0cc8c3ec (diff)
downloadaports-e75858307e07c46124b8f604df3a02f0f2c88dbf.tar.bz2
aports-e75858307e07c46124b8f604df3a02f0f2c88dbf.tar.xz
main/gd: security fix for CVE-2016-7568
fixes #6342
-rw-r--r--main/gd/APKBUILD15
-rw-r--r--main/gd/CVE-2016-7568.patch33
2 files changed, 43 insertions, 5 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index fefd6de3ce..978e2ad50c 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -3,7 +3,7 @@
pkgname=gd
pkgver=2.2.3
_myver=${pkgver/_rc/RC}
-pkgrel=0
+pkgrel=1
pkgdesc="Library for the dynamic creation of images by programmers"
url="http://libgd.github.io/"
arch="all"
@@ -11,7 +11,9 @@ license="custom"
depends=
makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
subpackages="$pkgname-dev"
-source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz"
+source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz
+ CVE-2016-7568.patch
+ "
builddir="$srcdir"/lib$pkgname-$_myver
@@ -39,6 +41,9 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz"
-sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz"
-sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz"
+md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz
+fca9871b791d6ac88af7d6d5ce8c59d1 CVE-2016-7568.patch"
+sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz
+0b7b7ddfc5200220763efb47cc6b56a6275fd5af70e85a8c91c667344f664012 CVE-2016-7568.patch"
+sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz
+8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch"
diff --git a/main/gd/CVE-2016-7568.patch b/main/gd/CVE-2016-7568.patch
new file mode 100644
index 0000000000..56156411e3
--- /dev/null
+++ b/main/gd/CVE-2016-7568.patch
@@ -0,0 +1,33 @@
+From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
+From: trylab <trylab@users.noreply.github.com>
+Date: Tue, 6 Sep 2016 18:35:32 +0800
+Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
+
+Integer overflow can be happened in expression gdImageSX(im) * 4 *
+gdImageSY(im). It could lead to heap buffer overflow in the following
+code. This issue has been reported to the PHP Bug Tracking System. The
+proof-of-concept file will be supplied some days later. This issue was
+discovered by Ke Liu of Tencent's Xuanwu LAB.
+---
+ src/gd_webp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index 8eb4dee..9886399 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ quality = 80;
+ }
+
++ if (overflow2(gdImageSX(im), 4)) {
++ return;
++ }
++
++ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
++ return;
++ }
++
+ argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+ if (!argb) {
+ return;