Hello community, here is the log from the commit of package gd for openSUSE:Factory checked in at 2016-10-10 16:18:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gd (Old)
 and /work/SRC/openSUSE:Factory/.gd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd" Changes: -------- --- /work/SRC/openSUSE:Factory/gd/gd.changes 2016-08-26 23:14:33.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gd.new/gd.changes 2016-10-10 16:18:18.000000000 +0200 
@@ -1,0 +2,51 @@ +Fri Sep 30 14:59:25 UTC 2016 - badshah...@gmail.com + +- Update to version 2.2.3: + + Security fixes: + - Php bug#72339, Integer Overflow in _gd2GetHeader + (CVE-2016-5766) + - Issue gh/libgd/libgd#247: A read out-of-bands was found in + the parsing of TGA files (CVE-2016-6132) + - Issue gh/libgd/libgd#247: Buffer over-read issue when + parsing crafted TGA file (CVE-2016-6214) + - Issue gh/libgd/libgd#248: fix Out-Of-Bounds Read in + read_image_tga + - Integer overflow error within _gdContributionsAlloc() + (CVE-2016-6207) + - Fix php bug#72494, invalid color index not handled, can lead + to crash (CVE-2016-6128) + + Improve color check for CropThreshold + + gdImageCopyResampled has been improved. Better handling of + images with alpha channel, also brings libgd in sync with + php's bundled gd. +- Drop patches: + + gd-CVE-2016-5116.patch: upstreamed + + gd-CVE-2016-6132.patch: upstreamed + + gd-CVE-2016-6214.patch: upstreamed + + gd-CVE-2016-6905.patch: upstreamed + + gd-libvpx.patch: vpx support dropped. +- Add BuildRequires for automake and autoconf since + gd-disable-freetype27-failed-tests.patch touches makefiles. +- Drop getver.pl from source: included in upstream tarball. +- Add "-msse -mfpmath=sse" to CFLAGS to fix tests on ix86 + architectures. +- Add "-ffp-contract=off" to CFLAGS for non-ix86 arch (ppc, arm) + to fix a test: see gh#libgd/libgd#278. +- Add gd-test-unintialized-var.patch to fix an uninitialised + variable in tests/gd2/gd2_read.c to prevent it from compiling + with -Werror (only causes problems in no ix86 arch + surprisingly); patch sent upstream. +- Rebase gd-disable-freetype27-failed-tests.patch for updated + version. +- Update URL and Source to project's new github URL's. 
+ +------------------------------------------------------------------- +Thu Sep 29 14:06:53 UTC 2016 - badshah...@gmail.com + +- Add gd-disable-freetype27-failed-tests.patch: Disable for now + tests failing against freetype >= 2.7 for being too exact + (gh#libgd/libgd#302). The failures have been understood by + upstream to be due to minor differences between test images and + those generated when freeetype >= 2.7 is used to build gd. + +------------------------------------------------------------------- Old: ---- gd-CVE-2016-5116.patch gd-CVE-2016-6132.patch gd-CVE-2016-6214.patch gd-CVE-2016-6905.patch gd-libvpx.patch getver.pl libgd-2.1.1.tar.xz New: ---- gd-disable-freetype27-failed-tests.patch gd-test-unintialized-var.patch libgd-2.2.3.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gd.spec ++++++ --- /var/tmp/diff_new_pack.PJI6yq/_old 2016-10-10 16:18:20.000000000 +0200 +++ /var/tmp/diff_new_pack.PJI6yq/_new 2016-10-10 16:18:20.000000000 +0200 @@ -21,15 +21,14 @@ %define lname libgd3 Name: gd -Version: 2.1.1 +Version: 2.2.3 Release: 0 Summary: A Drawing Library for Programs That Use PNG and JPEG Output License: MIT Group: System/Libraries -Url: http://libgd.bitbucket.org/ -Source: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}.tar.xz +Url: https://libgd.github.io/ +Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz Source1: baselibs.conf -Source2: getver.pl # to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib Patch0: gd-config.patch # might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir) 
@@ -38,19 +37,18 @@ Patch2: gd-format.patch # could be upstreamed Patch3: gd-aliasing.patch -# could be upstreamed -Patch4: gd-libvpx.patch -Patch5: gd-CVE-2016-5116.patch -Patch6: gd-CVE-2016-6132.patch -Patch7: gd-CVE-2016-6214.patch -Patch8: gd-CVE-2016-6905.patch +# PATCH-FIX-UPSTREAM gd-disable-freetype27-failed-tests.patch gh#libgd/libgd#302 badshah...@gmail.com -- Disable for now tests failing against freetype >= 2.7 for being too exact. +Patch5: gd-disable-freetype27-failed-tests.patch +# PATCH-FIX-UPSTREAM gd-test-unintialized-var.patch badshah...@gmail.com -- Initialise a variable in tests/gd2/gd2_read.c to 0 to prevent it from failing to compile with -Werror (only causes problems in no ix86 arch surprisingly); patch sent upstream +Patch6: gd-test-unintialized-var.patch +BuildRequires: autoconf +BuildRequires: automake BuildRequires: fontconfig-devel BuildRequires: freetype2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel BuildRequires: libtiff-devel BuildRequires: libtool -BuildRequires: libvpx-devel BuildRequires: pkg-config BuildRequires: xorg-x11-libX11-devel BuildRequires: xorg-x11-libXau-devel @@ -99,18 +97,20 @@ %patch1 %patch2 %patch3 -%patch4 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 %build -# this file is errorneously forgotten from the tarball -# remove in next release to 2.1.1 -cp %{SOURCE2} config/getver.pl -perl config/getver.pl autoreconf -fiv + +# ADDITIONAL CFLAGS ARE NEEDED TO FIX TEST FAILURES IN CASE OF i586, BUT HARMLESS TO APPLY GENERALLY FOR ALL ix86 +%ifarch %{ix86} +CFLAGS="$CFLAGS -msse -mfpmath=sse" +export CFLAGS +%else +CFLAGS="$CFLAGS -ffp-contract=off" +%endif + # without-x -- useless switch which just mangles cflags %configure \ --without-x \ @@ -121,6 +121,7 @@ --with-xpm \ --disable-static \ --with-pic + make %{?_smp_mflags} %check 
@@ -128,6 +129,7 @@ %install make DESTDIR=%{buildroot} install %{?_smp_mflags} + find %{buildroot} -type f -name "*.la" -delete -print %post -n %lname -p /sbin/ldconfig ++++++ gd-disable-freetype27-failed-tests.patch ++++++ Two tests: freetype/bug00132 and gdimagestringft fail with freetype >= 2.7 for being too exact/strict, as acknowledged by upstream. Let us disable these tests for now, as the impact is understood to be "slight". See discussion in the issue tracker. Issue: https://github.com/libgd/libgd/issues/302 Index: libgd-2.2.3/tests/CMakeLists.txt =================================================================== --- libgd-2.2.3.orig/tests/CMakeLists.txt +++ libgd-2.2.3/tests/CMakeLists.txt @@ -19,7 +19,6 @@ if (BUILD_TEST) SET(TESTS_DIRS bmp - freetype gd gd2 gdimagearc @@ -50,7 +49,6 @@ if (BUILD_TEST) gdimagescale gdimagescatterex gdimagesetpixel - gdimagestringft gdimagestringftex gdimagetruecolortopalette gdinterpolatedscale Index: libgd-2.2.3/tests/Makefile.am =================================================================== --- libgd-2.2.3.orig/tests/Makefile.am +++ libgd-2.2.3/tests/Makefile.am @@ -13,7 +13,6 @@ EXTRA_DIST = TESTS = include bmp/Makemodule.am -include freetype/Makemodule.am include gd/Makemodule.am include gd2/Makemodule.am include gdimagearc/Makemodule.am @@ -44,7 +43,6 @@ include gdimagerotate/Makemodule.am include gdimagescale/Makemodule.am include gdimagescatterex/Makemodule.am include gdimagesetpixel/Makemodule.am -include gdimagestringft/Makemodule.am include gdimagestringftex/Makemodule.am include gdimagetruecolortopalette/Makemodule.am include gdinterpolatedscale/Makemodule.am ++++++ gd-test-unintialized-var.patch ++++++ Index: libgd-2.2.3/tests/gd2/gd2_read.c =================================================================== --- libgd-2.2.3.orig/tests/gd2/gd2_read.c +++ libgd-2.2.3/tests/gd2/gd2_read.c 
@@ -5,7 +5,7 @@ int main(int argc, char *argv[]) { - int error, i = 0; + int error = 0, i = 0; gdImagePtr im, exp; FILE *fp; char *path[] = { ++++++ libgd-2.1.1.tar.xz -> libgd-2.2.3.tar.xz ++++++ ++++ 38005 lines of diff (skipped)
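Review bot: Typo in the gd.changes hunk (@@ -1,0 +2,51 @@, Thu Sep 29 entry): "freeetype >= 2.7" should read "freetype >= 2.7". The patch name gd-test-unintialized-var.patch also carries a typo ("unintialized"), but since the spec, the Old/New file list and the patch file itself all use that spelling consistently, renaming would have to be done in all three places at once; the changelog text typo can be fixed on its own.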
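Review bot: In the gd.spec hunk @@ -21,15 +21,14 @@ the new Source line references %{prjname} (`Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz`), but the only define visible in the hunk is `%define lname libgd3`. Please confirm %{prjname} is defined above line 21 (it needs to expand to "libgd" for the tarball name libgd-2.2.3.tar.xz listed under New), otherwise the Source URL will not resolve.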
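Review bot: The patch tag in the gd.spec hunk @@ -38,19 +37,18 @@ is misleading: `# PATCH-FIX-UPSTREAM gd-disable-freetype27-failed-tests.patch ...` describes a patch that disables two tests locally rather than a fix taken from or sent upstream; the openSUSE convention for a distro-local workaround would be PATCH-FIX-OPENSUSE. gd-test-unintialized-var.patch, which the comment says was sent upstream, is correctly tagged PATCH-FIX-UPSTREAM.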
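Review bot: In the gd.spec hunk @@ -99,18 +97,20 @@ the two CFLAGS branches are not symmetric: the %ifarch %{ix86} branch has `export CFLAGS`, but the %else branch only assigns `CFLAGS="$CFLAGS -ffp-contract=off"` without exporting it, so it relies on the %configure macro re-exporting the variable. Move `export CFLAGS` after the `%endif` so both branches behave the same regardless of what %configure does. The all-caps comment above the block could also be lower-cased and mention the -ffp-contract=off rationale (gh#libgd/libgd#278 from the changelog) so the reader does not have to look it up. Minor: with Patch4 removed, the patch numbering now jumps from %patch3 to %patch5 -p1; renumbering to Patch4/Patch5 would keep the list contiguous.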
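Review bot: The gd-disable-freetype27-failed-tests.patch hunk for tests/CMakeLists.txt (@@ -19,7 +19,6 @@) removes `freetype` from TESTS_DIRS, which drops every test under tests/freetype, while the patch header says only freetype/bug00132 fails. Either restrict the change to the single failing test inside the freetype directory, or reword the header to state that the whole freetype test directory is disabled, so the lost coverage is documented. The removal of `gdimagestringft` in the second hunk matches the header.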
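Review bot: Same point for the tests/Makefile.am hunk (@@ -13,7 +13,6 @@) of gd-disable-freetype27-failed-tests.patch: `-include freetype/Makemodule.am` removes the entire freetype test module from the autotools build, not just bug00132; keep this in sync with whatever is decided for the CMake side so the autotools and CMake test sets stay identical.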
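Review bot: For gd-test-unintialized-var.patch (@@ -5,7 +5,7 @@ in tests/gd2/gd2_read.c), `int error = 0, i = 0;` does silence the -Werror build failure, but it is worth checking that no path in the test reads `error` before assigning it; initialising to 0 would make such a path report success rather than an uninitialised-read warning. If upstream accepts the patch, record the pull request or issue reference in the spec comment next to "patch sent upstream".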