diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 13:08:24 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 15:12:05 +0200 |
| commit | e52825649f88796511db5350698443009cc47d06 (patch) | |
| tree | 9450b872455ee3194ee287ab415e0e59a25faf91 | |
| parent | a9c59696d69df232d543f278c34f1241e3c1e103 (diff) | |
| download | alpine_aports-e52825649f88796511db5350698443009cc47d06.tar.bz2 alpine_aports-e52825649f88796511db5350698443009cc47d06.tar.xz alpine_aports-e52825649f88796511db5350698443009cc47d06.zip | |
main/gd: security fix for CVE-2016-7568
fixes #6343
| -rw-r--r-- | main/gd/APKBUILD | 17 | ||||
| -rw-r--r-- | main/gd/CVE-2016-7568.patch | 33 |
2 files changed, 45 insertions, 5 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD index e822dd80e5..894f0dd40e 100644 --- a/main/gd/APKBUILD +++ b/main/gd/APKBUILD | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | pkgname=gd | 3 | pkgname=gd |
| 4 | pkgver=2.2.3 | 4 | pkgver=2.2.3 |
| 5 | _myver=${pkgver/_rc/RC} | 5 | _myver=${pkgver/_rc/RC} |
| 6 | pkgrel=0 | 6 | pkgrel=1 |
| 7 | pkgdesc="Library for the dynamic creation of images by programmers" | 7 | pkgdesc="Library for the dynamic creation of images by programmers" |
| 8 | url="http://www.libgd.org/" | 8 | url="http://www.libgd.org/" |
| 9 | arch="all" | 9 | arch="all" |
| @@ -11,7 +11,9 @@ license="custom" | |||
| 11 | depends= | 11 | depends= |
| 12 | makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev" | 12 | makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev" |
| 13 | subpackages="$pkgname-dev $pkgname-doc" | 13 | subpackages="$pkgname-dev $pkgname-doc" |
| 14 | source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz" | 14 | source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz |
| 15 | CVE-2016-7568.patch | ||
| 16 | " | ||
| 15 | 17 | ||
| 16 | # secfixes: | 18 | # secfixes: |
| 17 | # 2.2.1-r0: | 19 | # 2.2.1-r0: |
| @@ -25,6 +27,8 @@ source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgve | |||
| 25 | # - CVE-2016-6132 | 27 | # - CVE-2016-6132 |
| 26 | # - CVE-2016-6207 | 28 | # - CVE-2016-6207 |
| 27 | # - CVE-2016-6214 | 29 | # - CVE-2016-6214 |
| 30 | # 2.2.3-r1: | ||
| 31 | # - CVE-2016-7568 | ||
| 28 | 32 | ||
| 29 | builddir="$srcdir"/lib$pkgname-$_myver | 33 | builddir="$srcdir"/lib$pkgname-$_myver |
| 30 | 34 | ||
| @@ -54,6 +58,9 @@ package() { | |||
| 54 | rm -r "$pkgdir"/usr/lib/libgd.la | 58 | rm -r "$pkgdir"/usr/lib/libgd.la |
| 55 | } | 59 | } |
| 56 | 60 | ||
| 57 | md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz" | 61 | md5sums="14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz |
| 58 | sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz" | 62 | fca9871b791d6ac88af7d6d5ce8c59d1 CVE-2016-7568.patch" |
| 59 | sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz" | 63 | sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c libgd-2.2.3.tar.xz |
| 64 | 0b7b7ddfc5200220763efb47cc6b56a6275fd5af70e85a8c91c667344f664012 CVE-2016-7568.patch" | ||
| 65 | sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557 libgd-2.2.3.tar.xz | ||
| 66 | 8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch" | ||
diff --git a/main/gd/CVE-2016-7568.patch b/main/gd/CVE-2016-7568.patch new file mode 100644 index 0000000000..56156411e3 --- /dev/null +++ b/main/gd/CVE-2016-7568.patch | |||
| @@ -0,0 +1,33 @@ | |||
| 1 | From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: trylab <trylab@users.noreply.github.com> | ||
| 3 | Date: Tue, 6 Sep 2016 18:35:32 +0800 | ||
| 4 | Subject: [PATCH] Fix integer overflow in gdImageWebpCtx | ||
| 5 | |||
| 6 | Integer overflow can be happened in expression gdImageSX(im) * 4 * | ||
| 7 | gdImageSY(im). It could lead to heap buffer overflow in the following | ||
| 8 | code. This issue has been reported to the PHP Bug Tracking System. The | ||
| 9 | proof-of-concept file will be supplied some days later. This issue was | ||
| 10 | discovered by Ke Liu of Tencent's Xuanwu LAB. | ||
| 11 | --- | ||
| 12 | src/gd_webp.c | 8 ++++++++ | ||
| 13 | 1 file changed, 8 insertions(+) | ||
| 14 | |||
| 15 | diff --git a/src/gd_webp.c b/src/gd_webp.c | ||
| 16 | index 8eb4dee..9886399 100644 | ||
| 17 | --- a/src/gd_webp.c | ||
| 18 | +++ b/src/gd_webp.c | ||
| 19 | @@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality) | ||
| 20 | quality = 80; | ||
| 21 | } | ||
| 22 | |||
| 23 | + if (overflow2(gdImageSX(im), 4)) { | ||
| 24 | + return; | ||
| 25 | + } | ||
| 26 | + | ||
| 27 | + if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) { | ||
| 28 | + return; | ||
| 29 | + } | ||
| 30 | + | ||
| 31 | argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); | ||
| 32 | if (!argb) { | ||
| 33 | return; | ||