gnu: libgd: Fix CVE-2018-{5711,1000222}.

* gnu/packages/patches/gd-CVE-2018-1000222.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gd.scm (gd/fixed): New variable.
* gnu/packages/php.scm (gd-for-php)[source]: Use 'gd-CVE-2018-1000222.patch'.
This commit is contained in:
Leo Famulari 2018-09-09 17:48:24 -04:00
parent 15cc7e6adf
commit ced98c7e89
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
4 changed files with 101 additions and 1 deletions

View File

@ -719,6 +719,7 @@ dist_patch_DATA = \
%D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-disable-failing-tests.patch \
%D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \
%D%/packages/patches/gd-CVE-2018-5711.patch \ %D%/packages/patches/gd-CVE-2018-5711.patch \
%D%/packages/patches/gd-CVE-2018-1000222.patch \
%D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-freetype-test-failure.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \
%D%/packages/patches/gdm-CVE-2018-14424.patch \ %D%/packages/patches/gdm-CVE-2018-14424.patch \

View File

@ -39,6 +39,7 @@
(define-public gd (define-public gd
(package (package
(name "gd") (name "gd")
(replacement gd/fixed)
;; Note: With libgd.org now pointing to github.com, genuine old ;; Note: With libgd.org now pointing to github.com, genuine old
;; tarballs are no longer available. Notably, versions 2.0.x are ;; tarballs are no longer available. Notably, versions 2.0.x are
;; missing. ;; missing.
@ -91,6 +92,16 @@ most common applications of GD involve website development.")
"See COPYING file in the distribution.")) "See COPYING file in the distribution."))
(properties '((cpe-name . "libgd"))))) (properties '((cpe-name . "libgd")))))
(define-public gd/fixed
(hidden-package
(package
(inherit gd)
(source (origin
(inherit (package-source gd))
(patches (append (origin-patches (package-source gd))
(search-patches "gd-CVE-2018-5711.patch"
"gd-CVE-2018-1000222.patch"))))))))
(define-public perl-gd (define-public perl-gd
(package (package
(name "perl-gd") (name "perl-gd")

View File

@ -0,0 +1,87 @@
Fix CVE-2018-1000222:
https://github.com/libgd/libgd/issues/447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
Patch copied from upstream source repository:
https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a
From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 Jul 2018 13:54:08 -0400
Subject: [PATCH] bmp: check return value in gdImageBmpPtr
Closes #447.
(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5)
---
src/gd_bmp.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/gd_bmp.c b/src/gd_bmp.c
index ccafdcd..d625da1 100644
--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
#define BMP_DEBUG(s)
static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
void *rv;
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
if (out == NULL) return NULL;
- gdImageBmpCtx(im, out, compression);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageBmpCtx(im, out, compression))
+ rv = gdDPExtractData(out, size);
+ else
+ rv = NULL;
out->gd_free(out);
return rv;
}
@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
compression - whether to apply RLE or not.
*/
BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
+ _gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
{
int bitmap_size = 0, info_size, total_size, padding;
int i, row, xpos, pixel;
@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
FILE *tmpfile_for_compression = NULL;
gdIOCtxPtr out_original = NULL;
+ int ret = 1;
/* No compression if its true colour or we don't support seek */
if (im->trueColor) {
@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
out_original = NULL;
}
+ ret = 0;
cleanup:
if (tmpfile_for_compression) {
#ifdef _WIN32
@@ -339,7 +350,7 @@ cleanup:
if (out_original) {
out_original->gd_free(out_original);
}
- return;
+ return ret;
}
static int compress_row(unsigned char *row, int length)
--
2.18.0

View File

@ -57,7 +57,8 @@
(inherit (package-source gd)) (inherit (package-source gd))
(patches (search-patches "gd-fix-tests-on-i686.patch" (patches (search-patches "gd-fix-tests-on-i686.patch"
"gd-freetype-test-failure.patch" "gd-freetype-test-failure.patch"
"gd-CVE-2018-5711.patch")))))) "gd-CVE-2018-5711.patch"
"gd-CVE-2018-1000222.patch"))))))
(define-public php (define-public php
(package (package