diff options
author | Leo Famulari <leo@famulari.name> | 2016-05-17 00:20:17 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-05-17 13:18:15 -0400 |
commit | fb2b0f5c87321f5aab0dc13130ef92a76040fbe3 (patch) | |
tree | 79c7c042cd0cb6319122bbefa135942612519fce | |
parent | bbb5d8aeea213f32e51ae18407aa8941f18a010b (diff) |
gnu: gd: Fix-CVE-2016-3074.
* gnu/packages/patches/gd-CVE-2016-3074.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gd.scm (gd)[source]: Use it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/gd.scm | 4 | ||||
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-3074.patch | 36 |
3 files changed, 40 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 4bbded90eb..0e461b3209 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -494,6 +494,7 @@ dist_patch_DATA = \ gnu/packages/patches/gcc-cross-environment-variables.patch \ gnu/packages/patches/gcc-libvtv-runpath.patch \ gnu/packages/patches/gcc-5.0-libvtv-runpath.patch \ + gnu/packages/patches/gd-CVE-2016-3074.patch \ gnu/packages/patches/geoclue-config.patch \ gnu/packages/patches/ghostscript-CVE-2015-3228.patch \ gnu/packages/patches/ghostscript-runpath.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index 769e7cecf2..e52a030f86 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2016 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org> +;;; Copyright © 2016 Leo Famulari <leo@famulari.name> ;;; ;;; This file is part of GNU Guix. ;;; @@ -48,7 +49,8 @@ "libgd-" version ".tar.xz")) (sha256 (base32 - "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls")))) + "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls")) + (patches (search-patches "gd-CVE-2016-3074.patch")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) diff --git a/gnu/packages/patches/gd-CVE-2016-3074.patch b/gnu/packages/patches/gd-CVE-2016-3074.patch new file mode 100644 index 0000000000..a90c51d77b --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-3074.patch @@ -0,0 +1,36 @@ +Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19 +(gd2: handle corrupt images better (CVE-2016-3074)). + +This patch omits the upstream changes to '.gitignore', and the test +added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and +'tests/gd2/invalid_neg_size.gd2'. + +We omit the test because its input data, +'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff, +which is not supported by `patch`. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074 +https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 +--- + .gitignore | 1 + + src/gd_gd2.c | 2 ++ + tests/Makefile.am | 3 ++- + tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++ + tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes + 5 files changed, 30 insertions(+), 1 deletion(-) + create mode 100644 tests/gd2/gd2_read_corrupt.c + create mode 100644 tests/gd2/invalid_neg_size.gd2 + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index 6f28461..a50b33d 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + if (gdGetInt (&cidx[i].size, in) != 1) { + goto fail2; + }; ++ if (cidx[i].offset < 0 || cidx[i].size < 0) ++ goto fail2; + }; + *chunkIdx = cidx; + }; |