diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 13:08:24 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 13:09:28 +0000 |
| commit | e75858307e07c46124b8f604df3a02f0f2c88dbf (patch) | |
| tree | f5c17f0cfe7c055356229fd9479f9f5dbb06cb60 | |
| parent | ac6549fa3988c594c16d11ac9e00abca0cc8c3ec (diff) | |
| download | aports-e75858307e07c46124b8f604df3a02f0f2c88dbf.tar.bz2 aports-e75858307e07c46124b8f604df3a02f0f2c88dbf.tar.xz | |
main/gd: security fix for CVE-2016-7568
fixes #6342
| -rw-r--r-- | main/gd/APKBUILD | 15 | ||||
| -rw-r--r-- | main/gd/CVE-2016-7568.patch | 33 |
2 files changed, 43 insertions, 5 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD index fefd6de3ce..978e2ad50c 100644 --- a/main/gd/APKBUILD +++ b/main/gd/APKBUILD @@ -3,7 +3,7 @@ pkgname=gd pkgver=2.2.3 _myver=${pkgver/_rc/RC} -pkgrel=0 +pkgrel=1 pkgdesc="Library for the dynamic creation of images by programmers" url="http://libgd.github.io/" arch="all" @@ -11,7 +11,9 @@ license="custom" depends= makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev" subpackages="$pkgname-dev" -source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz" +source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz + CVE-2016-7568.patch + " builddir="$srcdir"/lib$pkgname-$_myver @@ -39,6 +41,9 @@ package() { make DESTDIR="$pkgdir" install || return 1 } -md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz" -sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz" -sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz" +md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz +fca9871b791d6ac88af7d6d5ce8c59d1 CVE-2016-7568.patch" +sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz +0b7b7ddfc5200220763efb47cc6b56a6275fd5af70e85a8c91c667344f664012 CVE-2016-7568.patch" +sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz +8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch" diff --git a/main/gd/CVE-2016-7568.patch b/main/gd/CVE-2016-7568.patch new file mode 100644 index 0000000000..56156411e3 --- /dev/null +++ b/main/gd/CVE-2016-7568.patch @@ -0,0 +1,33 @@ +From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001 +From: trylab <trylab@users.noreply.github.com> +Date: Tue, 6 Sep 2016 18:35:32 +0800 +Subject: [PATCH] Fix integer overflow in gdImageWebpCtx + +Integer overflow can be happened in expression gdImageSX(im) * 4 * +gdImageSY(im). It could lead to heap buffer overflow in the following +code. This issue has been reported to the PHP Bug Tracking System. The +proof-of-concept file will be supplied some days later. This issue was +discovered by Ke Liu of Tencent's Xuanwu LAB. +--- + src/gd_webp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/gd_webp.c b/src/gd_webp.c +index 8eb4dee..9886399 100644 +--- a/src/gd_webp.c ++++ b/src/gd_webp.c +@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality) + quality = 80; + } + ++ if (overflow2(gdImageSX(im), 4)) { ++ return; ++ } ++ ++ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) { ++ return; ++ } ++ + argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); + if (!argb) { + return; |