pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2015Q1]: pkgsrc/graphics/gd Pullup ticket #4659 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c401da77d1bc
branches:  pkgsrc-2015Q1
changeset: 649157:c401da77d1bc
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Tue Apr 14 18:19:23 2015 +0000

description:
Pullup ticket #4659 - requested by tnn
graphics/gd - security fix

Revisions pulled up:
- graphics/gd/Makefile                                          1.103
- graphics/gd/distinfo                                          1.36
- graphics/gd/patches/patch-src_gd__gif__in.c                   1.1

---
   Module Name: pkgsrc
   Committed By:        tnn
   Date:                Sun Apr 12 15:09:33 UTC 2015

   Modified Files:
        pkgsrc/graphics/gd: Makefile distinfo
   Added Files:
        pkgsrc/graphics/gd/patches: patch-src_gd__gif__in.c

   Log Message:
   Upstream patch for overflow in gif parser (CVE-2014-9709)

diffstat:

 graphics/gd/Makefile                        |   4 +-
 graphics/gd/distinfo                        |   3 +-
 graphics/gd/patches/patch-src_gd__gif__in.c |  45 +++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 3 deletions(-)

diffs (77 lines):

diff -r 76439ee8e6ea -r c401da77d1bc graphics/gd/Makefile
--- a/graphics/gd/Makefile      Wed Apr 08 20:53:41 2015 +0000
+++ b/graphics/gd/Makefile      Tue Apr 14 18:19:23 2015 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.102 2014/12/09 11:42:10 wiz Exp $
+# $NetBSD: Makefile,v 1.102.4.1 2015/04/14 18:19:23 bsiegert Exp $
 
 DISTNAME=      libgd-2.1.0
 PKGNAME=       ${DISTNAME:S/libgd/gd/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    graphics
 MASTER_SITES=  http://cdn.bitbucket.org/libgd/gd-libgd/downloads/
 EXTRACT_SUFX=  .tar.xz
diff -r 76439ee8e6ea -r c401da77d1bc graphics/gd/distinfo
--- a/graphics/gd/distinfo      Wed Apr 08 20:53:41 2015 +0000
+++ b/graphics/gd/distinfo      Tue Apr 14 18:19:23 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.35 2013/11/11 21:34:40 dholland Exp $
+$NetBSD: distinfo,v 1.35.12.1 2015/04/14 18:19:23 bsiegert Exp $
 
 SHA1 (libgd-2.1.0.tar.xz) = 66c56fc07246b66ba649c83e996fd2085ea2f9e2
 RMD160 (libgd-2.1.0.tar.xz) = 3fcdf88e1ca653ffd40ddba607dbc317ca87bf63
@@ -6,3 +6,4 @@
 SHA1 (patch-aa) = 00198349dd9cff60f1f5738524096a251057eb16
 SHA1 (patch-ab) = 300ffacf47d7421fc9efb7b3fd9e93f011de1b4b
 SHA1 (patch-src_gd__bmp.c) = 4db300a26cebae6fb6f14564c5648608d7ed6cc5
+SHA1 (patch-src_gd__gif__in.c) = 4c18302fa45b482b28f5b618681354690eaa9b2d
diff -r 76439ee8e6ea -r c401da77d1bc graphics/gd/patches/patch-src_gd__gif__in.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gd/patches/patch-src_gd__gif__in.c       Tue Apr 14 18:19:23 2015 +0000
@@ -0,0 +1,45 @@
+$NetBSD: patch-src_gd__gif__in.c,v 1.1.2.2 2015/04/14 18:19:23 bsiegert Exp $
+
+CVE-2014-9709
+https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43/raw/
+
+From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
+From: Remi Collet <fedora%famillecollet.com@localhost>
+Date: Sat, 13 Dec 2014 08:48:18 +0100
+Subject: [PATCH] Fix possible buffer read overflow detected by
+ -fsanitize=address, thanks to Jan Bee
+
+---
+ src/gd_gif_in.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index b3b4ca3..13a663c 100644
+--- src/gd_gif_in.c
++++ src/gd_gif_in.c
+@@ -75,8 +75,10 @@ static struct {
+ 
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+ 
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+-      unsigned char buf[280];
++      unsigned char buf[CSD_BUF_SIZE];
+       int curbit;
+       int lastbit;
+       int done;
+@@ -468,7 +470,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+ 
+       ret = 0;
+       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+-              ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++              if (i < CSD_BUF_SIZE * 8) {
++                      ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++              } else {
++                      ret = -1;
++                      break;
++              }
+       }
+ 
+       scd->curbit += code_size;
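Review bot: On the new out-of-range path in GetCode_ the loop sets `ret = -1` and breaks, but execution still falls through to `scd->curbit += code_size;`, so the bit cursor keeps advancing beyond the buffer after the error. Replacing the two lines in the `else` branch with `return -1;` would leave the decoder state untouched, provided callers already treat -1 as a failed read, which is not visible here. The guard also compares `i` against the buffer capacity `CSD_BUF_SIZE * 8` rather than the number of bits actually filled, and `i` starts from `curbit`, a signed `int`, so the check bounds the read only from above. Whether an earlier test against `lastbit` covers those cases cannot be judged, because GetCode_ begins and ends outside the hunk. A short comment above the check, e.g. `/* never index past buf: CSD_BUF_SIZE bytes = CSD_BUF_SIZE * 8 bits */`, would record why the constant is multiplied by 8.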


