From a81445737db53110281e39f211ca7d4b14f393d3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Thu, 28 Jul 2016 13:47:25 -0400
Subject: gnu: gd: Update to 2.2.3 [fixes CVE-2016-6207].
* gnu/packages/patches/gd-CVE-2016-5766.patch, gnu/packages/patches/gd-CVE-2016-6128.patch, gnu/packages/patches/gd-CVE-2016-6132.patch, gnu/packages/patches/gd-CVE-2016-6214.patch, gnu/packages/patches/gd-fix-test-on-i686.patch: Delete files.
* gnu/packages/patches/gd-fix-tests-on-i686.patch: New file.
* gnu/local.mk (dist_patch_DATA): Update accordingly.
* gnu/packages/gd.scm (gd): Update to 2.2.3. [source]: Update patches field accordingly.
---
gnu/packages/patches/gd-CVE-2016-5766.patch | 81 -----------------------------
1 file changed, 81 deletions(-)
delete mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
(limited to 'gnu/packages/patches/gd-CVE-2016-5766.patch')
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
deleted file mode 100644
index 400cb0ab48..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-5766.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
-overflow).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
-
-Adapted from upstream commits:
-https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
-https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/gd2/php_bug_72339.c' and its associated binary data.
-
-From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye
-Date: Tue, 28 Jun 2016 16:23:42 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow
-
----
- src/gd_gd2.c | 5 ++++-
- tests/gd2/CMakeLists.txt | 1 +
- tests/gd2/Makemodule.am | 6 ++++--
- tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
- tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
- 5 files changed, 30 insertions(+), 3 deletions(-)
- create mode 100644 tests/gd2/php_bug_72339.c
- create mode 100644 tests/gd2/php_bug_72339_exp.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index fd1e0c9..bdbbecf 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- nc = (*ncx) * (*ncy);
- GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
- sidx = sizeof (t_chunk_info) * nc;
-+ if (overflow2(sidx, nc)) {
-+ goto fail1;
-+ }
- cidx = gdCalloc (sidx, 1);
-- if (!cidx) {
-+ if (cidx == NULL) {
- goto fail1;
- }
- for (i = 0; i < nc; i++) {
-From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
-From: Pierre Joye
-Date: Wed, 29 Jun 2016 09:36:26 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap -overflow.
Sync with php's sync
-
----
- src/gd_gd2.c | 7 ++++++-
- tests/gd2/php_bug_72339.c | 2 +-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index bdbbecf..2837456 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
-
- if (gd2_compressed (*fmt)) {
- nc = (*ncx) * (*ncy);
-+
- GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-+ if (overflow2(sizeof(t_chunk_info), nc)) {
-+ goto fail1;
-+ }
- sidx = sizeof (t_chunk_info) * nc;
-- if (overflow2(sidx, nc)) {
-+ if (sidx <= 0) {
- goto fail1;
- }
-+
- cidx = gdCalloc (sidx, 1);
- if (cidx == NULL) {
- goto fail1;
---
-2.9.1
-
-- cgit v1.2.3