main/gd: patch CVE-2018-14553 and CVE-2019-11038

author: J0WI <J0WI@users.noreply.github.com> 2020-04-08 16:04:31 +0200
committer: Leo <thinkabit.ukim@gmail.com> 2020-04-09 00:20:57 +0000
commit: b7a6616325748291eb409fbe35ebf1a7c7070558 (patch)
tree: 98309f5ed68e403151b0e1256acaa6eba50a6d25
parent: 1a97c2d43dcdd4cfc0f2995208b823c8cf3fad17 (diff)
download: alpine_aports-b7a6616325748291eb409fbe35ebf1a7c7070558.tar.bz2
alpine_aports-b7a6616325748291eb409fbe35ebf1a7c7070558.tar.xz
alpine_aports-b7a6616325748291eb409fbe35ebf1a7c7070558.zip
3 files changed, 80 insertions, 5 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index 9a5ffe91c0..a8abc50656 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=gd
 pkgver=2.2.5
-pkgrel=3
+pkgrel=4
 _pkgreal=lib$pkgname
 pkgdesc="Library for the dynamic creation of images by programmers"
 url="https://libgd.github.io/"
@@ -13,7 +13,9 @@ makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev
 subpackages="$pkgname-dev $_pkgreal:libs"
 source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
        CVE-2018-1000222.patch
+        CVE-2018-14553.patch
        CVE-2018-5711.patch
+        CVE-2019-11038.patch
        CVE-2019-6977.patch
        CVE-2019-6978.patch
        "
@@ -23,12 +25,15 @@ case "$CARCH" in
 esac
 # secfixes:
+#   2.2.5-r3:
+#     - CVE-2018-14553
+#     - CVE-2019-11038
 #   2.2.5-r2:
-#   - CVE-2018-5711
+#     - CVE-2018-5711
-#   - CVE-2019-6977
+#     - CVE-2019-6977
-#   - CVE-2019-6978
+#     - CVE-2019-6978
 #   2.2.5-r1:
-#   - CVE-2018-1000222
+#     - CVE-2018-1000222
 build() {
        cd "$builddir"
@@ -62,6 +67,8 @@ dev() {
 sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b  libgd-2.2.5.tar.xz
 d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b  CVE-2018-1000222.patch
+9bf1677d69d04f41eba48b48e853ad706f3097edb1a96c3b681b516708be0ba199c463e7b3e44f52921e14028a7c4d74977d66e7f456b9f96d935ce9db342c0e  CVE-2018-14553.patch
 b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886  CVE-2018-5711.patch
+a56397fb310c94d4dc9c565dcec17ffd7411e1957ba45f1093e9fffad74192c244b1ef4f9d954c052f589fd5b4d1cc37ca5d53d8db569cee09a7bdc38bfc4eaf  CVE-2019-11038.patch
 5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac  CVE-2019-6977.patch
 2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97  CVE-2019-6978.patch"
diff --git a/main/gd/CVE-2018-14553.patch b/main/gd/CVE-2018-14553.patch
new file mode 100644
index 0000000000..816bd9ccc9
--- /dev/null
+++ b/main/gd/CVE-2018-14553.patch
@@ -0,0 +1,32 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
+++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+                }
+        }
+ 
+-       if (src->styleLength > 0) {
+-               dst->styleLength = src->styleLength;
+-               dst->stylePos    = src->stylePos;
+-               for (i = 0; i < src->styleLength; i++) {
+-                       dst->style[i] = src->style[i];
+-               }
+-       }
+-
+        dst->interlace   = src->interlace;
+ 
+        dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 
+        if (src->style) {
+                gdImageSetStyle(dst, src->style, src->styleLength);
+               dst->stylePos = src->stylePos;
+        }
+ 
+        for (i = 0; i < gdMaxColors; i++) {
diff --git a/main/gd/CVE-2019-11038.patch b/main/gd/CVE-2019-11038.patch
new file mode 100644
index 0000000000..1ccb9c1c15
--- /dev/null
+++ b/main/gd/CVE-2019-11038.patch
@@ -0,0 +1,36 @@
+From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001
+From: Jonas Meurer <jonas@freesources.org>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 4ca41acf..cf0545ef 100644
+--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+                        }
+                        h[3] = ch;
+                }
+-               sscanf(h, "%x", &b);
+               if (sscanf(h, "%x", &b) != 1) {
+                       gd_error("invalid XBM");
+                       gdImageDestroy(im);
+                       return 0;
+               }
+                for (bit = 1; bit <= max_bit; bit = bit << 1) {
+                        gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+                        if (x == im->sx) {
author	J0WI <J0WI@users.noreply.github.com>	2020-04-08 16:04:31 +0200
committer	Leo <thinkabit.ukim@gmail.com>	2020-04-09 00:20:57 +0000
commit	b7a6616325748291eb409fbe35ebf1a7c7070558 (patch)
tree	98309f5ed68e403151b0e1256acaa6eba50a6d25
parent	1a97c2d43dcdd4cfc0f2995208b823c8cf3fad17 (diff)
download	alpine_aports-b7a6616325748291eb409fbe35ebf1a7c7070558.tar.bz2 alpine_aports-b7a6616325748291eb409fbe35ebf1a7c7070558.tar.xz alpine_aports-b7a6616325748291eb409fbe35ebf1a7c7070558.zip

diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD index 9a5ffe91c0..a8abc50656 100644 --- a/main/gd/APKBUILD +++ b/main/gd/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Carlo Landmeter <clandmeter@gmail.com>	2	# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
3	pkgname=gd	3	pkgname=gd
4	pkgver=2.2.5	4	pkgver=2.2.5
5	pkgrel=3	5	pkgrel=4
6	_pkgreal=lib$pkgname	6	_pkgreal=lib$pkgname
7	pkgdesc="Library for the dynamic creation of images by programmers"	7	pkgdesc="Library for the dynamic creation of images by programmers"
8	url="https://libgd.github.io/"	8	url="https://libgd.github.io/"
@@ -13,7 +13,9 @@ makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev
13	subpackages="$pkgname-dev $_pkgreal:libs"	13	subpackages="$pkgname-dev $_pkgreal:libs"
14	source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz	14	source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
15	CVE-2018-1000222.patch	15	CVE-2018-1000222.patch
		16	CVE-2018-14553.patch
16	CVE-2018-5711.patch	17	CVE-2018-5711.patch
		18	CVE-2019-11038.patch
17	CVE-2019-6977.patch	19	CVE-2019-6977.patch
18	CVE-2019-6978.patch	20	CVE-2019-6978.patch
19	"	21	"
@@ -23,12 +25,15 @@ case "$CARCH" in
23	esac	25	esac
24		26
25	# secfixes:	27	# secfixes:
		28	# 2.2.5-r3:
		29	# - CVE-2018-14553
		30	# - CVE-2019-11038
26	# 2.2.5-r2:	31	# 2.2.5-r2:
27	# - CVE-2018-5711	32	# - CVE-2018-5711
28	# - CVE-2019-6977	33	# - CVE-2019-6977
29	# - CVE-2019-6978	34	# - CVE-2019-6978
30	# 2.2.5-r1:	35	# 2.2.5-r1:
31	# - CVE-2018-1000222	36	# - CVE-2018-1000222
32		37
33	build() {	38	build() {
34	cd "$builddir"	39	cd "$builddir"
@@ -62,6 +67,8 @@ dev() {
62		67
63	sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz	68	sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
64	d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch	69	d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch
		70	9bf1677d69d04f41eba48b48e853ad706f3097edb1a96c3b681b516708be0ba199c463e7b3e44f52921e14028a7c4d74977d66e7f456b9f96d935ce9db342c0e CVE-2018-14553.patch
65	b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886 CVE-2018-5711.patch	71	b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886 CVE-2018-5711.patch
		72	a56397fb310c94d4dc9c565dcec17ffd7411e1957ba45f1093e9fffad74192c244b1ef4f9d954c052f589fd5b4d1cc37ca5d53d8db569cee09a7bdc38bfc4eaf CVE-2019-11038.patch
66	5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac CVE-2019-6977.patch	73	5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac CVE-2019-6977.patch
67	2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97 CVE-2019-6978.patch"	74	2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97 CVE-2019-6978.patch"


diff --git a/main/gd/CVE-2018-14553.patch b/main/gd/CVE-2018-14553.patch new file mode 100644 index 0000000000..816bd9ccc9 --- /dev/null +++ b/main/gd/CVE-2018-14553.patch
@@ -0,0 +1,32 @@
		1	From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
		3	Date: Fri, 20 Dec 2019 12:03:33 -0300
		4	Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
		5
		6	diff --git a/src/gd.c b/src/gd.c
		7	index 592a0286..d564d1f9 100644
		8	--- a/src/gd.c
		9	+++ b/src/gd.c
		10	@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
		11	}
		12	}
		13
		14	- if (src->styleLength > 0) {
		15	- dst->styleLength = src->styleLength;
		16	- dst->stylePos = src->stylePos;
		17	- for (i = 0; i < src->styleLength; i++) {
		18	- dst->style[i] = src->style[i];
		19	- }
		20	- }
		21	-
		22	dst->interlace = src->interlace;
		23
		24	dst->alphaBlendingFlag = src->alphaBlendingFlag;
		25	@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
		26
		27	if (src->style) {
		28	gdImageSetStyle(dst, src->style, src->styleLength);
		29	+ dst->stylePos = src->stylePos;
		30	}
		31
		32	for (i = 0; i < gdMaxColors; i++) {


diff --git a/main/gd/CVE-2019-11038.patch b/main/gd/CVE-2019-11038.patch new file mode 100644 index 0000000000..1ccb9c1c15 --- /dev/null +++ b/main/gd/CVE-2019-11038.patch
@@ -0,0 +1,36 @@
		1	From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001
		2	From: Jonas Meurer <jonas@freesources.org>
		3	Date: Tue, 11 Jun 2019 12:16:46 +0200
		4	Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm
		5	(CVE-2019-11038)
		6
		7	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
		8	Bug-Debian: https://bugs.debian.org/929821
		9	Bug: https://github.com/libgd/libgd/issues/501
		10
		11	We have to ensure that `sscanf()` does indeed read a hex value here,
		12	and bail out otherwise.
		13
		14	Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
		15	https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
		16	---
		17	src/gd_xbm.c \| 6 +++++-
		18	1 file changed, 5 insertions(+), 1 deletion(-)
		19
		20	diff --git a/src/gd_xbm.c b/src/gd_xbm.c
		21	index 4ca41acf..cf0545ef 100644
		22	--- a/src/gd_xbm.c
		23	+++ b/src/gd_xbm.c
		24	@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
		25	}
		26	h[3] = ch;
		27	}
		28	- sscanf(h, "%x", &b);
		29	+ if (sscanf(h, "%x", &b) != 1) {
		30	+ gd_error("invalid XBM");
		31	+ gdImageDestroy(im);
		32	+ return 0;
		33	+ }
		34	for (bit = 1; bit <= max_bit; bit = bit << 1) {
		35	gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
		36	if (x == im->sx) {