Hello community,

here is the log from the commit of package gd for openSUSE:Factory checked in at 2019-07-21 11:29:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gd (Old)
 and      /work/SRC/openSUSE:Factory/.gd.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd" Sun Jul 21 11:29:17 2019 rev:52 rq:715653 version:2.2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/gd/gd.changes 2019-06-02 15:17:15.430055563 +0200 +++ /work/SRC/openSUSE:Factory/.gd.new.4126/gd.changes 2019-07-21 11:29:18.492828348 +0200 @@ -1,0 +2,8 @@ +Tue Jul 16 09:12:06 UTC 2019 - [email protected] + +- security update +- added patches + CVE-2019-11038 [bsc#1140120] + + gd-CVE-2019-11038.patch + +------------------------------------------------------------------- New: ---- gd-CVE-2019-11038.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gd.spec ++++++ --- /var/tmp/diff_new_pack.5K3aGW/_old 2019-07-21 11:29:18.976828266 +0200 +++ /var/tmp/diff_new_pack.5K3aGW/_new 2019-07-21 11:29:18.980828266 +0200 @@ -38,6 +38,8 @@ Patch6: gd-CVE-2018-1000222.patch Patch7: gd-CVE-2019-6978.patch Patch8: gd-CVE-2019-6977.patch +# CVE-2019-11038 [bsc#1140118] +Patch9: gd-CVE-2019-11038.patch # needed for tests BuildRequires: dejavu BuildRequires: libjpeg-devel @@ -93,6 +95,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 chmod 644 COPYING %build ++++++ gd-CVE-2019-11038.patch ++++++ diff --git a/src/gd_xbm.c b/src/gd_xbm.c index 4ca41acf..cf0545ef 100644 --- a/src/gd_xbm.c +++ b/src/gd_xbm.c @@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd) } h[3] = ch; } - sscanf(h, "%x", &b); + if (sscanf(h, "%x", &b) != 1) { + gd_error("invalid XBM"); + gdImageDestroy(im); + return 0; + } for (bit = 1; bit <= max_bit; bit = bit << 1) { gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); if (x == im->sx) {
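Review bot: the bug reference for CVE-2019-11038 differs between the gd.changes hunk and the first gd.spec hunk. The changelog entry reads [bsc#1140120] while the comment above Patch9 reads [bsc#1140118]. Make the two agree so the patch traces back to a single Bugzilla entry.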
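Review bot: in the gd_xbm.c hunk, the new error path ends with `return 0;` although gdImageCreateFromXbm is declared to return gdImagePtr; `return NULL;` would state the intent more clearly. The check itself is the right shape, since b is consumed by the pixel loop directly below whether or not sscanf converted anything, and the image is destroyed before the early return. The gd_error("invalid XBM") text could also mention that a hex value failed to parse, which would help whoever triages a rejected file.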
