[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: gd: Fix-CVE-2016-3074.
From: |
Leo Famulari |
Subject: |
01/01: gnu: gd: Fix-CVE-2016-3074. |
Date: |
Tue, 17 May 2016 17:21:36 +0000 (UTC) |
lfam pushed a commit to branch master
in repository guix.
commit fb2b0f5c87321f5aab0dc13130ef92a76040fbe3
Author: Leo Famulari <address@hidden>
Date: Tue May 17 00:20:17 2016 -0400
gnu: gd: Fix-CVE-2016-3074.
* gnu/packages/patches/gd-CVE-2016-3074.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gd.scm (gd)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/gd.scm | 4 ++-
gnu/packages/patches/gd-CVE-2016-3074.patch | 36 +++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 4bbded9..0e461b3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -494,6 +494,7 @@ dist_patch_DATA =
\
gnu/packages/patches/gcc-cross-environment-variables.patch \
gnu/packages/patches/gcc-libvtv-runpath.patch \
gnu/packages/patches/gcc-5.0-libvtv-runpath.patch \
+ gnu/packages/patches/gd-CVE-2016-3074.patch \
gnu/packages/patches/geoclue-config.patch \
gnu/packages/patches/ghostscript-CVE-2015-3228.patch \
gnu/packages/patches/ghostscript-runpath.patch \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 769e7ce..e52a030 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2013, 2016 Ludovic Courtès <address@hidden>
;;; Copyright © 2015 Mark H Weaver <address@hidden>
;;; Copyright © 2015 Eric Bavier <address@hidden>
+;;; Copyright © 2016 Leo Famulari <address@hidden>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -48,7 +49,8 @@
"libgd-" version ".tar.xz"))
(sha256
(base32
- "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"))))
+ "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"))
+ (patches (search-patches "gd-CVE-2016-3074.patch"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/patches/gd-CVE-2016-3074.patch
b/gnu/packages/patches/gd-CVE-2016-3074.patch
new file mode 100644
index 0000000..a90c51d
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-3074.patch
@@ -0,0 +1,36 @@
+Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
+(gd2: handle corrupt images better (CVE-2016-3074)).
+
+This patch omits the upstream changes to '.gitignore', and the test
+added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
+'tests/gd2/invalid_neg_size.gd2'.
+
+We omit the test because its input data,
+'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
+which is not supported by `patch`.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
+https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+---
+ .gitignore | 1 +
+ src/gd_gd2.c | 2 ++
+ tests/Makefile.am | 3 ++-
+ tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
+ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/gd2_read_corrupt.c
+ create mode 100644 tests/gd2/invalid_neg_size.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };