author | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 13:08:24 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 15:12:05 +0200 |
commit | e52825649f88796511db5350698443009cc47d06 (patch) | |
tree | 9450b872455ee3194ee287ab415e0e59a25faf91 | |
parent | a9c59696d69df232d543f278c34f1241e3c1e103 (diff) | |
main/gd: security fix for CVE-2016-7568
fixes #6343
-rw-r--r-- | main/gd/APKBUILD | 17 | ||||
-rw-r--r-- | main/gd/CVE-2016-7568.patch | 33 |
2 files changed, 45 insertions, 5 deletions
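--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=gd
 pkgver=2.2.3
 _myver=${pkgver/_rc/RC}
-pkgrel=0
+pkgrel=1
 pkgdesc="Library for the dynamic creation of images by programmers"
 url="http://www.libgd.org/"
 arch="all"
@@ -11,7 +11,9 @@ license="custom"
 depends=
 makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
 subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz"
+source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz
+CVE-2016-7568.patch
+"
 
 # secfixes:
 # 2.2.1-r0:
@@ -25,6 +27,8 @@ source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgve
 # - CVE-2016-6132
 # - CVE-2016-6207
 # - CVE-2016-6214
+# 2.2.3-r1:
+# - CVE-2016-7568
 
 builddir="$srcdir"/lib$pkgname-$_myver
 
@@ -54,6 +58,9 @@ package() {
 rm -r "$pkgdir"/usr/lib/libgd.la
 }
 
-md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz"
-sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz"
-sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz"
+md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz
+fca9871b791d6ac88af7d6d5ce8c59d1 CVE-2016-7568.patch"
+sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz
+0b7b7ddfc5200220763efb47cc6b56a6275fd5af70e85a8c91c667344f664012 CVE-2016-7568.patch"
+sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz
+8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch"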
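Review bot: Nothing in the visible hunks shows CVE-2016-7568.patch actually being applied; it is added to `source=` and to the three checksum lists, but the prepare step sits outside the hunks (somewhere between `builddir=` and `package()`) and is not touched by this commit. If that step does not already apply every `*.patch` listed in `$source`, the package would be rebuilt as 2.2.3-r1 and recorded under `# secfixes:` without containing the fix. Worth confirming against the full APKBUILD, and checking the build log for the patch being applied to `src/gd_webp.c`.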
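--- /dev/null
+++ b/main/gd/CVE-2016-7568.patch
@@ -0,0 +1,33 @@
+From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
+From: trylab <trylab@users.noreply.github.com>
+Date: Tue, 6 Sep 2016 18:35:32 +0800
+Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
+
+Integer overflow can be happened in expression gdImageSX(im) * 4 *
+gdImageSY(im). It could lead to heap buffer overflow in the following
+code. This issue has been reported to the PHP Bug Tracking System. The
+proof-of-concept file will be supplied some days later. This issue was
+discovered by Ke Liu of Tencent's Xuanwu LAB.
+---
+src/gd_webp.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index 8eb4dee..9886399 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+quality = 80;
+}
+
++ if (overflow2(gdImageSX(im), 4)) {
++ return;
++ }
++
++ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
++ return;
++ }
++
+argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+if (!argb) {
+return;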
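Review bot: The two new `overflow2()` guards in gdImageWebpCtx leave through a bare `return;` in a function declared `void`, so a caller cannot tell a rejected image from a successful encode; the existing `if (!argb)` path has the same property. The guard order itself looks right: `gdImageSX(im) * 4` is checked first, then that product against `gdImageSY(im)`, which covers the exact expression passed to `gdMalloc` on the following line. I would add a comment above the guards, `/* reject dimensions whose ARGB buffer size (SX * 4 * SY) would overflow; nothing is written to outfile */`, and confirm that callers collecting the encoded bytes from `outfile` treat an empty result as failure. The function body starts and ends outside the hunk, so its cleanup path and callers are not visible here, and the patch carries no regression test for oversized dimensions.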