Hello community, here is the log from the commit of package gd for openSUSE:Factory checked in at 2019-02-08 13:45:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gd (Old) and /work/SRC/openSUSE:Factory/.gd.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd" Fri Feb 8 13:45:40 2019 rev:50 rq:671007 version:2.2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/gd/gd.changes 2018-12-27 00:23:53.791932482 +0100 +++ /work/SRC/openSUSE:Factory/.gd.new.28833/gd.changes 2019-02-08 13:45:41.970829607 +0100 @@ -1,0 +2,9 @@ +Thu Jan 31 11:23:17 UTC 2019 - Petr Gajdos <[email protected]> + +- security update + * CVE-2019-6978 [bsc#1123522] + + gd-CVE-2019-6978.patch + * CVE-2019-6977 [bsc#1123361] + + gd-CVE-2019-6977.patch + +------------------------------------------------------------------- New: ---- gd-CVE-2019-6977.patch gd-CVE-2019-6978.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gd.spec ++++++ --- /var/tmp/diff_new_pack.kNEaVR/_old 2019-02-08 13:45:42.706829380 +0100 +++ /var/tmp/diff_new_pack.kNEaVR/_new 2019-02-08 13:45:42.714829377 +0100 @@ -1,7 +1,7 @@ # # spec file for package gd # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -36,6 +36,8 @@ Patch4: gd-CVE-2018-5711.patch Patch5: libgd-config.patch Patch6: gd-CVE-2018-1000222.patch +Patch7: gd-CVE-2019-6978.patch +Patch8: gd-CVE-2019-6977.patch # needed for tests BuildRequires: dejavu BuildRequires: libjpeg-devel @@ -86,6 +88,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 chmod 644 COPYING %build ++++++ gd-CVE-2019-6977.patch ++++++ Index: libgd-2.2.5/src/gd_color_match.c =================================================================== --- libgd-2.2.5.orig/src/gd_color_match.c 2019-01-31 12:56:44.944336318 +0100 +++ libgd-2.2.5/src/gd_color_match.c 2019-01-31 12:58:11.368836899 +0100 @@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm return -4; /* At least 1 color must be allocated */ } - buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); - memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); + buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); + memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); for (x=0; x < im1->sx; x++) { for( y=0; y<im1->sy; y++ ) { ++++++ gd-CVE-2019-6978.patch ++++++ Index: libgd-2.2.5/src/gd_gif_out.c =================================================================== --- libgd-2.2.5.orig/src/gd_gif_out.c 2017-08-30 13:05:54.000000000 +0200 +++ libgd-2.2.5/src/gd_gif_out.c 2019-01-31 09:47:44.703693790 +0100 @@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); static void char_out(int c, GifCtx *ctx); static void flush_char(GifCtx *ctx); +static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); @@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImag void *rv; gdIOCtx *out = gdNewDynamicCtx(2048, NULL); if (out == NULL) return NULL; - gdImageGifCtx(im, out); - rv = gdDPExtractData(out, size); + if (!_gdImageGifCtx(im, out)) { + rv = gdDPExtractData(out, size); + } else { + rv = NULL; + } out->gd_free(out); return rv; } @@ -221,6 +225,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr */ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) { + _gdImageGifCtx(im, out); +} + +/* returns 0 on success, 1 on failure */ +static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) +{ gdImagePtr pim = 0, tim = im; int interlace, BitsPerPixel; interlace = im->interlace; @@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImageP based temporary image. */ pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); if(!pim) { - return; + return 1; } tim = pim; } @@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImageP /* Destroy palette based temporary image. */ gdImageDestroy( pim); } + + return 0; } Index: libgd-2.2.5/src/gd_jpeg.c =================================================================== --- libgd-2.2.5.orig/src/gd_jpeg.c 2017-08-30 13:05:54.000000000 +0200 +++ libgd-2.2.5/src/gd_jpeg.c 2019-01-31 09:47:44.707693815 +0100 @@ -123,6 +123,8 @@ static void fatal_jpeg_error(j_common_pt exit(99); } +static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); + /* * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality * QUALITY. If QUALITY is in the range 0-100, increasing values @@ -237,8 +239,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdIma void *rv; gdIOCtx *out = gdNewDynamicCtx(2048, NULL); if (out == NULL) return NULL; - gdImageJpegCtx(im, out, quality); - rv = gdDPExtractData(out, size); + if (!_gdImageJpegCtx(im, out, quality)) { + rv = gdDPExtractData(out, size); + } else { + rv = NULL; + } out->gd_free(out); return rv; } @@ -260,6 +265,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr ci */ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) { + _gdImageJpegCtx(im, outfile, quality); +} + +/* returns 0 on success, 1 on failure */ +static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) +{ struct jpeg_compress_struct cinfo; struct jpeg_error_mgr jerr; int i, j, jidx; @@ -293,7 +304,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImage if(row) { gdFree(row); } - return; + return 1; } cinfo.err->emit_message = jpeg_emit_message; @@ -334,7 +345,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImage if(row == 0) { gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); jpeg_destroy_compress(&cinfo); - return; + return 1; } rowptr[0] = row; @@ -411,6 +422,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImage jpeg_finish_compress(&cinfo); jpeg_destroy_compress(&cinfo); gdFree(row); + return 0; } Index: libgd-2.2.5/src/gd_wbmp.c =================================================================== --- libgd-2.2.5.orig/src/gd_wbmp.c 2017-08-30 13:05:54.000000000 +0200 +++ libgd-2.2.5/src/gd_wbmp.c 2019-01-31 09:47:44.707693815 +0100 @@ -88,6 +88,8 @@ int gd_getin(void *in) return (gdGetC((gdIOCtx *)in)); } +static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); + /* Function: gdImageWBMPCtx @@ -101,13 +103,19 @@ int gd_getin(void *in) */ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) { + _gdImageWBMPCtx(image, fg, out); +} + +/* returns 0 on success, 1 on failure */ +static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) +{ int x, y, pos; Wbmp *wbmp; /* create the WBMP */ if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { gd_error("Could not create WBMP\n"); - return; + return 1; } /* fill up the WBMP structure */ @@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImage /* write the WBMP to a gd file descriptor */ if(writewbmp(wbmp, &gd_putout, out)) { + freewbmp(wbmp); gd_error("Could not save WBMP\n"); + return 1; } /* des submitted this bugfix: gdFree the memory. */ freewbmp(wbmp); + + return 0; } /* @@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdIma void *rv; gdIOCtx *out = gdNewDynamicCtx(2048, NULL); if (out == NULL) return NULL; - gdImageWBMPCtx(im, fg, out); - rv = gdDPExtractData(out, size); + if (!_gdImageWBMPCtx(im, fg, out)) { + rv = gdDPExtractData(out, size); + } else { + rv = NULL; + } out->gd_free(out); return rv; }
