mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 05:18:07 -05:00
gnu: gd: Fix-CVE-2016-3074.
* gnu/packages/patches/gd-CVE-2016-3074.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd)[source]: Use it.
This commit is contained in:
parent
bbb5d8aeea
commit
fb2b0f5c87
3 changed files with 40 additions and 1 deletions
|
@ -494,6 +494,7 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/gcc-cross-environment-variables.patch \
|
||||
gnu/packages/patches/gcc-libvtv-runpath.patch \
|
||||
gnu/packages/patches/gcc-5.0-libvtv-runpath.patch \
|
||||
gnu/packages/patches/gd-CVE-2016-3074.patch \
|
||||
gnu/packages/patches/geoclue-config.patch \
|
||||
gnu/packages/patches/ghostscript-CVE-2015-3228.patch \
|
||||
gnu/packages/patches/ghostscript-runpath.patch \
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
;;; Copyright © 2013, 2016 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
|
||||
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -48,7 +49,8 @@ (define-public gd
|
|||
"libgd-" version ".tar.xz"))
|
||||
(sha256
|
||||
(base32
|
||||
"11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"))))
|
||||
"11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"))
|
||||
(patches (search-patches "gd-CVE-2016-3074.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(native-inputs
|
||||
`(("pkg-config" ,pkg-config)))
|
||||
|
|
36
gnu/packages/patches/gd-CVE-2016-3074.patch
Normal file
36
gnu/packages/patches/gd-CVE-2016-3074.patch
Normal file
|
@ -0,0 +1,36 @@
|
|||
Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
|
||||
(gd2: handle corrupt images better (CVE-2016-3074)).
|
||||
|
||||
This patch omits the upstream changes to '.gitignore', and the test
|
||||
added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
|
||||
'tests/gd2/invalid_neg_size.gd2'.
|
||||
|
||||
We omit the test because its input data,
|
||||
'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
|
||||
which is not supported by `patch`.
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
|
||||
https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
|
||||
---
|
||||
.gitignore | 1 +
|
||||
src/gd_gd2.c | 2 ++
|
||||
tests/Makefile.am | 3 ++-
|
||||
tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
|
||||
tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
|
||||
5 files changed, 30 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/gd2/gd2_read_corrupt.c
|
||||
create mode 100644 tests/gd2/invalid_neg_size.gd2
|
||||
|
||||
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||
index 6f28461..a50b33d 100644
|
||||
--- a/src/gd_gd2.c
|
||||
+++ b/src/gd_gd2.c
|
||||
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||
if (gdGetInt (&cidx[i].size, in) != 1) {
|
||||
goto fail2;
|
||||
};
|
||||
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
|
||||
+ goto fail2;
|
||||
};
|
||||
*chunkIdx = cidx;
|
||||
};
|
Loading…
Reference in a new issue