gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.

* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gd.scm (gd): Use patches.
This commit is contained in:
Leo Famulari 2016-07-15 14:48:09 -04:00
parent b9174ff449
commit a1537ac2ba
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
6 changed files with 463 additions and 0 deletions

View File

@ -510,6 +510,10 @@ dist_patch_DATA = \
%D%/packages/patches/gcc-cross-environment-variables.patch \ %D%/packages/patches/gcc-cross-environment-variables.patch \
%D%/packages/patches/gcc-libvtv-runpath.patch \ %D%/packages/patches/gcc-libvtv-runpath.patch \
%D%/packages/patches/gcc-5.0-libvtv-runpath.patch \ %D%/packages/patches/gcc-5.0-libvtv-runpath.patch \
%D%/packages/patches/gd-CVE-2016-5766.patch \
%D%/packages/patches/gd-CVE-2016-6128.patch \
%D%/packages/patches/gd-CVE-2016-6132.patch \
%D%/packages/patches/gd-CVE-2016-6214.patch \
%D%/packages/patches/gegl-CVE-2012-4433.patch \ %D%/packages/patches/gegl-CVE-2012-4433.patch \
%D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghostscript-CVE-2015-3228.patch \ %D%/packages/patches/ghostscript-CVE-2015-3228.patch \

View File

@ -47,6 +47,10 @@
(uri (string-append (uri (string-append
"https://github.com/libgd/libgd/releases/download/gd-" "https://github.com/libgd/libgd/releases/download/gd-"
version "/libgd-" version ".tar.xz")) version "/libgd-" version ".tar.xz"))
(patches (search-patches "gd-CVE-2016-5766.patch"
"gd-CVE-2016-6128.patch"
"gd-CVE-2016-6132.patch"
"gd-CVE-2016-6214.patch"))
(sha256 (sha256
(base32 (base32
"1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8")))) "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))

View File

@ -0,0 +1,81 @@
Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
overflow).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
Adapted from upstream commits:
https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
Since `patch` cannot apply Git binary diffs, we omit the addition of
'tests/gd2/php_bug_72339.c' and its associated binary data.
From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
_gd2GetHeader() resulting in heap overflow
---
src/gd_gd2.c | 5 ++++-
tests/gd2/CMakeLists.txt | 1 +
tests/gd2/Makemodule.am | 6 ++++--
tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
5 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 tests/gd2/php_bug_72339.c
create mode 100644 tests/gd2/php_bug_72339_exp.gd2
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index fd1e0c9..bdbbecf 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
nc = (*ncx) * (*ncy);
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
sidx = sizeof (t_chunk_info) * nc;
+ if (overflow2(sidx, nc)) {
+ goto fail1;
+ }
cidx = gdCalloc (sidx, 1);
- if (!cidx) {
+ if (cidx == NULL) {
goto fail1;
}
for (i = 0; i < nc; i++) {
From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Wed, 29 Jun 2016 09:36:26 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
_gd2GetHeader() resulting in heap overflow. Sync with php's sync
---
src/gd_gd2.c | 7 ++++++-
tests/gd2/php_bug_72339.c | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index bdbbecf..2837456 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
if (gd2_compressed (*fmt)) {
nc = (*ncx) * (*ncy);
+
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ if (overflow2(sizeof(t_chunk_info), nc)) {
+ goto fail1;
+ }
sidx = sizeof (t_chunk_info) * nc;
- if (overflow2(sidx, nc)) {
+ if (sidx <= 0) {
goto fail1;
}
+
cidx = gdCalloc (sidx, 1);
if (cidx == NULL) {
goto fail1;
--
2.9.1

View File

@ -0,0 +1,253 @@
Fix CVE-2016-6128 (invalid color index is not properly handled leading
to denial of service).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
Copied from upstream commits:
https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:17:39 +0700
Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
to crash
---
src/gd_crop.c | 4 ++++
tests/CMakeLists.txt | 1 +
tests/Makefile.am | 1 +
3 files changed, 6 insertions(+)
diff --git a/src/gd_crop.c b/src/gd_crop.c
index 0296633..532b49b 100644
--- a/src/gd_crop.c
+++ b/src/gd_crop.c
@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
return NULL;
}
+ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
+ return NULL;
+ }
+
/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
* for the true color and palette images
* new formats will simply work with ptr
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 6f5c786..5093d52 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -31,6 +31,7 @@ if (BUILD_TEST)
gdimagecolortransparent
gdimagecopy
gdimagecopyrotated
+ gdimagecrop
gdimagefile
gdimagefill
gdimagefilledellipse
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4f6e756..5a0ebe8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
include gdimagecolortransparent/Makemodule.am
include gdimagecopy/Makemodule.am
include gdimagecopyrotated/Makemodule.am
+include gdimagecrop/Makemodule.am
include gdimagefile/Makemodule.am
include gdimagefill/Makemodule.am
include gdimagefilledellipse/Makemodule.am
--
2.9.1
From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:20:07 +0700
Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
to crash
---
tests/gdimagecrop/.gitignore | 1 +
1 file changed, 1 insertion(+)
create mode 100644 tests/gdimagecrop/.gitignore
diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
new file mode 100644
index 0000000..8e8c9c3
--- /dev/null
+++ b/tests/gdimagecrop/.gitignore
@@ -0,0 +1 @@
+/php_bug_72494
--
2.9.1
From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:24:50 +0700
Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
to crash
---
tests/gdimagecrop/CMakeLists.txt | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 tests/gdimagecrop/CMakeLists.txt
diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
new file mode 100644
index 0000000..f7e4c7e
--- /dev/null
+++ b/tests/gdimagecrop/CMakeLists.txt
@@ -0,0 +1,5 @@
+SET(TESTS_FILES
+ php_bug_72494
+)
+
+ADD_GD_TESTS()
--
2.9.1
From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:25:12 +0700
Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
to crash
---
tests/gdimagecrop/Makemodule.am | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 tests/gdimagecrop/Makemodule.am
diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
new file mode 100644
index 0000000..210888b
--- /dev/null
+++ b/tests/gdimagecrop/Makemodule.am
@@ -0,0 +1,5 @@
+libgd_test_programs += \
+ gdimagecrop/php_bug_72494
+
+EXTRA_DIST += \
+ gdimagecrop/CMakeLists.txt
--
2.9.1
From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:25:40 +0700
Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
to crash
---
tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 tests/gdimagecrop/php_bug_72494.c
diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
new file mode 100644
index 0000000..adaa379
--- /dev/null
+++ b/tests/gdimagecrop/php_bug_72494.c
@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+#include "gdtest.h"
+
+int main()
+{
+ gdImagePtr im, exp;
+ int error = 0;
+
+ im = gdImageCreate(50, 50);
+
+ if (!im) {
+ gdTestErrorMsg("gdImageCreate failed.\n");
+ return 1;
+ }
+
+ gdImageCropThreshold(im, 1337, 0);
+ gdImageDestroy(im);
+ /* this bug tests a crash, it never reaches this point if the bug exists*/
+ return 0;
+}
--
2.9.1
From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:38:07 +0700
Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
useless <0 comparison
---
src/gd_crop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gd_crop.c b/src/gd_crop.c
index 532b49b..d51ad67 100644
--- a/src/gd_crop.c
+++ b/src/gd_crop.c
@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
return NULL;
}
- if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
+ if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
return NULL;
}
--
2.9.1
From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:51:40 +0700
Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
useless <0 comparison
---
tests/gdimagecrop/php_bug_72494.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
index adaa379..5cb589b 100644
--- a/tests/gdimagecrop/php_bug_72494.c
+++ b/tests/gdimagecrop/php_bug_72494.c
@@ -6,7 +6,7 @@
int main()
{
- gdImagePtr im, exp;
+ gdImagePtr im;
int error = 0;
im = gdImageCreate(50, 50);
--
2.9.1
From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 12:04:25 +0700
Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
useless <0 comparison
---
tests/gdimagecrop/php_bug_72494.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
index 5cb589b..3bd19be 100644
--- a/tests/gdimagecrop/php_bug_72494.c
+++ b/tests/gdimagecrop/php_bug_72494.c
@@ -7,7 +7,6 @@
int main()
{
gdImagePtr im;
- int error = 0;
im = gdImageCreate(50, 50);
--
2.9.1

View File

@ -0,0 +1,55 @@
Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
Copied from upstream commit:
https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
files (CVE-2016-6132)
---
src/gd_tga.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..20fe2d2 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
return -1;
}
- gdGetBuf(conversion_buffer, image_block_size, ctx);
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gd_error("gd-tga: premature end of image data\n");
+ gdFree(conversion_buffer);
+ return -1;
+ }
while (buffer_caret < image_block_size) {
tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
}
conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
if (conversion_buffer == NULL) {
+ gd_error("gd-tga: premature end of image data\n");
gdFree( decompression_buffer );
return -1;
}
- gdGetBuf( conversion_buffer, image_block_size, ctx );
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ gdFree(decompression_buffer);
+ return -1;
+ }
buffer_caret = 0;
--
2.9.1

View File

@ -0,0 +1,66 @@
Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
Adapted from upstream commit:
https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
Since `patch` cannot apply Git binary diffs, we omit the addition of
'tests/tga/bug00247a.c' and its associated binary data.
From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
gracefully
Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.
(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
---
src/gd_tga.c | 16 ++++++----------
tests/tga/.gitignore | 1 +
tests/tga/CMakeLists.txt | 1 +
tests/tga/Makemodule.am | 4 +++-
tests/tga/bug00247a.c | 19 +++++++++++++++++++
tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
6 files changed, 30 insertions(+), 11 deletions(-)
create mode 100644 tests/tga/bug00247a.c
create mode 100644 tests/tga/bug00247a.tga
diff --git a/src/gd_tga.c b/src/gd_tga.c
index 20fe2d2..b4f8fa6 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
if (tga->bits == TGA_BPP_24) {
*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
bitmap_caret += 3;
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
register int a = tga->bitmap[bitmap_caret + 3];
*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
printf("wxh: %i %i\n", tga->width, tga->height);
#endif
- switch(tga->bits) {
- case 8:
- case 16:
- case 24:
- case 32:
- break;
- default:
- gd_error("bps %i not supported", tga->bits);
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+ {
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+ tga->bits, tga->alphabits);
return -1;
- break;
}
tga->ident = NULL;