Hello community, here is the log from the commit of package gd for openSUSE:Factory checked in at 2020-03-06 21:25:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gd (Old) and /work/SRC/openSUSE:Factory/.gd.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd" Fri Mar 6 21:25:47 2020 rev:53 rq:781431 version:2.2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/gd/gd.changes 2019-07-21 11:29:18.492828348 +0200 +++ /work/SRC/openSUSE:Factory/.gd.new.26092/gd.changes 2020-03-06 21:25:56.617504007 +0100 @@ -1,0 +2,8 @@ +Wed Mar 4 10:11:14 UTC 2020 - [email protected] + +- security update +- added patches + fix CVE-2018-14553 [bsc#1165471], null pointer dereference in gdImageClone() + + gd-CVE-2018-14553.patch + +------------------------------------------------------------------- New: ---- gd-CVE-2018-14553.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gd.spec ++++++ --- /var/tmp/diff_new_pack.DiMFR7/_old 2020-03-06 21:25:57.773504647 +0100 +++ /var/tmp/diff_new_pack.DiMFR7/_new 2020-03-06 21:25:57.777504648 +0100 @@ -1,7 +1,7 @@ # # spec file for package gd # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ Summary: A Drawing Library for Programs That Use PNG and JPEG Output License: MIT Group: System/Libraries -Url: https://libgd.github.io/ +URL: https://libgd.github.io/ Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz Source1: baselibs.conf # might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir) @@ -40,6 +40,8 @@ Patch8: gd-CVE-2019-6977.patch # CVE-2019-11038 [bsc#1140118] Patch9: gd-CVE-2019-11038.patch +# CVE-2018-14553 [bsc#1165471], null pointer dereference in gdImageClone() +Patch10: gd-CVE-2018-14553.patch # needed for tests BuildRequires: dejavu BuildRequires: libjpeg-devel @@ -96,6 +98,7 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 chmod 644 COPYING %build ++++++ gd-CVE-2018-14553.patch ++++++ diff --git a/src/gd.c b/src/gd.c index 592a0286..d564d1f9 100644 --- a/src/gd.c +++ b/src/gd.c @@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { } } - if (src->styleLength > 0) { - dst->styleLength = src->styleLength; - dst->stylePos = src->stylePos; - for (i = 0; i < src->styleLength; i++) { - dst->style[i] = src->style[i]; - } - } - dst->interlace = src->interlace; dst->alphaBlendingFlag = src->alphaBlendingFlag; @@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { if (src->style) { gdImageSetStyle(dst, src->style, src->styleLength); + dst->stylePos = src->stylePos; } for (i = 0; i < gdMaxColors; i++) {
