From a1537ac2bae1d7eae39188317daf1186a673e6a2 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 15 Jul 2016 14:48:09 -0400 Subject: gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}. * gnu/packages/patches/gd-CVE-2016-5766.patch, gnu/packages/patches/gd-CVE-2016-6128.patch, gnu/packages/patches/gd-CVE-2016-6132.patch, gnu/packages/patches/gd-CVE-2016-6214.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gd.scm (gd): Use patches. --- gnu/packages/patches/gd-CVE-2016-5766.patch | 81 +++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch (limited to 'gnu/packages/patches/gd-CVE-2016-5766.patch') diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch new file mode 100644 index 0000000000..400cb0ab48 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-5766.patch @@ -0,0 +1,81 @@ +Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap +overflow). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766 + +Adapted from upstream commits: +https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0 +https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79 + +Since `patch` cannot apply Git binary diffs, we omit the addition of +'tests/gd2/php_bug_72339.c' and its associated binary data. + +From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Tue, 28 Jun 2016 16:23:42 +0700 +Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in + _gd2GetHeader() resulting in heap overflow + +--- + src/gd_gd2.c | 5 ++++- + tests/gd2/CMakeLists.txt | 1 + + tests/gd2/Makemodule.am | 6 ++++-- + tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++ + tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes + 5 files changed, 30 insertions(+), 3 deletions(-) + create mode 100644 tests/gd2/php_bug_72339.c + create mode 100644 tests/gd2/php_bug_72339_exp.gd2 + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index fd1e0c9..bdbbecf 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + nc = (*ncx) * (*ncy); + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); + sidx = sizeof (t_chunk_info) * nc; ++ if (overflow2(sidx, nc)) { ++ goto fail1; ++ } + cidx = gdCalloc (sidx, 1); +- if (!cidx) { ++ if (cidx == NULL) { + goto fail1; + } + for (i = 0; i < nc; i++) { +From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Wed, 29 Jun 2016 09:36:26 +0700 +Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in + _gd2GetHeader() resulting in heap overflow. Sync with php's sync + +--- + src/gd_gd2.c | 7 ++++++- + tests/gd2/php_bug_72339.c | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index bdbbecf..2837456 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + + if (gd2_compressed (*fmt)) { + nc = (*ncx) * (*ncy); ++ + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); ++ if (overflow2(sizeof(t_chunk_info), nc)) { ++ goto fail1; ++ } + sidx = sizeof (t_chunk_info) * nc; +- if (overflow2(sidx, nc)) { ++ if (sidx <= 0) { + goto fail1; + } ++ + cidx = gdCalloc (sidx, 1); + if (cidx == NULL) { + goto fail1; +-- +2.9.1 + -- cgit v1.2.3