diff --git a/gnu/local.mk b/gnu/local.mk
index ee99882c5f..ba5af56bd9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -681,6 +681,7 @@ dist_patch_DATA = \
 %D%/packages/patches/gcc-6-source-date-epoch-2.patch \
 %D%/packages/patches/gcr-disable-failing-tests.patch \
 %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \
+ %D%/packages/patches/gd-CVE-2018-5711.patch \
 %D%/packages/patches/gd-fix-tests-on-i686.patch \
 %D%/packages/patches/gd-freetype-test-failure.patch \
 %D%/packages/patches/gegl-CVE-2012-4433.patch \
diff --git a/gnu/packages/patches/gd-CVE-2018-5711.patch b/gnu/packages/patches/gd-CVE-2018-5711.patch
new file mode 100644
index 0000000000..83b12cde63
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2018-5711.patch
@@ -0,0 +1,61 @@
+This patch is adapted from commit a11f47475e6443b7f32d21f2271f28f417e2ac04 and
+fixes CVE-2018-5711.
+
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c | 12 ++++++------
+ 1 file changed, 38 insertions(+), 6 deletions(-)
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e7..0a8bd71 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ terminated:
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ terminated:
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0;
+
+--
+2.13.6
+
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index 1ed3dc7ce0..f3f279a533 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
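Review bot: The diffstat kept in the embedded patch header, `1 file changed, 38 insertions(+), 6 deletions(-)`, does not describe the hunks the file actually carries, which add 6 lines and remove 6 in src/gd_gif_in.c; the upstream commit evidently contained more (presumably its regression test), and the adaptation note should say what was dropped, e.g. `This patch is adapted from commit a11f47475e6443b7f32d21f2271f28f417e2ac04 (only the src/gd_gif_in.c hunks are kept) and`. The stale diffstat is harmless to `patch`, but it misleads anyone auditing this CVE fix against upstream. Note also that the last hunk only changes the declaration `int count;` in GetCode_; the comparison that the old unsigned declaration broke lies past the end of the hunk, so the GetCode_ body continues outside what this patch shows and the fix can only be verified against the full upstream file.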
@@ -50,6 +50,15 @@ (define-module (gnu packages php)
 #:use-module (guix build-system gnu)
 #:use-module ((guix licenses) #:prefix license:))
+(define gd-for-php
+ (package
+ (inherit gd)
+ (source (origin
+ (inherit (package-source gd))
+ (patches (search-patches "gd-fix-tests-on-i686.patch"
+ "gd-freetype-test-failure.patch"
+ "gd-CVE-2018-5711.patch"))))))
+
 (define-public php
 (package
 (name "php")
@@ -278,11 +287,7 @@ (define-public php
 "ext/mbstring/tests/mb_ereg_variation3.phpt"
 "ext/mbstring/tests/mb_ereg_replace_variation1.phpt"
 "ext/mbstring/tests/bug72994.phpt"
- "ext/ldap/tests/ldap_set_option_error.phpt"
-
- ;; XXX: This is CVE-2018-5711. There is no fix yet in libgd.
- ;; See https://github.com/libgd/libgd/issues/420
- "ext/gd/tests/bug75571.phpt"))
+ "ext/ldap/tests/ldap_set_option_error.phpt"))
 ;; Skip tests requiring network access.
 (setenv "SKIP_ONLINE_TESTS" "1")
@@ -299,7 +304,7 @@ (define-public php
 ("curl" ,curl)
 ("cyrus-sasl" ,cyrus-sasl)
 ("freetype" ,freetype)
- ("gd" ,gd)
+ ("gd" ,gd-for-php)
 ("gdbm" ,gdbm)
 ("glibc" ,glibc)
 ("gmp" ,gmp)
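Review bot: The `patches` field of `gd-for-php` in the first hunk re-lists the two patches that gd's own origin already carries, so any later change to gd's patch list silently diverges from the variant PHP is built against; deriving it from the parent keeps the two in step, `(patches (append (origin-patches (package-source gd)) (search-patches "gd-CVE-2018-5711.patch")))`. A one-line comment above the definition stating why PHP gets a private gd variant instead of gd itself being patched would also help, because as far as this diff shows every other dependent of gd stays on the unpatched source, and a reader of php.scm cannot tell whether that is deliberate.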