Hello community,

here is the log from the commit of package gd for openSUSE:Factory checked in 
at 2016-08-26 23:14:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gd (Old)
 and      /work/SRC/openSUSE:Factory/.gd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gd"

Changes:
--------
--- /work/SRC/openSUSE:Factory/gd/gd.changes    2016-06-03 16:36:03.000000000 
+0200
+++ /work/SRC/openSUSE:Factory/.gd.new/gd.changes       2016-08-26 
23:14:33.000000000 +0200
@@ -1,0 +2,11 @@
+Tue Aug 23 11:16:25 UTC 2016 - pgaj...@suse.com
+
+- security update:
+  * CVE-2016-6132 [bsc#987577]
+    + gd-CVE-2016-6132.patch
+  * CVE-2016-6214 [bsc#991436]
+    + gd-CVE-2016-6214.patch
+  * CVE-2016-6905 [bsc#995034]
+    + gd-CVE-2016-6905.patch
+
+-------------------------------------------------------------------

New:
----
  gd-CVE-2016-6132.patch
  gd-CVE-2016-6214.patch
  gd-CVE-2016-6905.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gd.spec ++++++
--- /var/tmp/diff_new_pack.SBx55Y/_old  2016-08-26 23:14:34.000000000 +0200
+++ /var/tmp/diff_new_pack.SBx55Y/_new  2016-08-26 23:14:34.000000000 +0200
@@ -41,6 +41,9 @@
 # could be upstreamed
 Patch4:         gd-libvpx.patch
 Patch5:         gd-CVE-2016-5116.patch
+Patch6:         gd-CVE-2016-6132.patch
+Patch7:         gd-CVE-2016-6214.patch
+Patch8:         gd-CVE-2016-6905.patch
 BuildRequires:  fontconfig-devel
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@@ -98,6 +101,9 @@
 %patch3
 %patch4
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 # this file is errorneously forgotten from the tarball

++++++ gd-CVE-2016-6132.patch ++++++
>From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ond...@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
 files

---
 src/gd_tga.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..07f3c86 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
                        return -1;
                }
 
-               gdGetBuf(conversion_buffer, image_block_size, ctx);
+               if (gdGetBuf(conversion_buffer, image_block_size, ctx) != 
image_block_size) {
+                       gdFree(conversion_buffer);
+                       return -1;
+               }
 
                while (buffer_caret < image_block_size) {
                        tga->bitmap[buffer_caret] = (int) 
conversion_buffer[buffer_caret];
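Review bot: The new short-read path returns -1 with no diagnostic and no comment saying why an exact-length read matters here. The loop directly below copies `image_block_size` bytes out of `conversion_buffer`, so before this check a truncated file would have had the unfilled tail of that buffer copied into `tga->bitmap`. I would add `gd_error("gd-tga: premature end of image data\n");` before the `gdFree` and a comment such as `/* a short read leaves the tail of conversion_buffer unset; the copy loop below reads all image_block_size bytes */`. Whether `tga->bitmap`, which is allocated outside this hunk, is released on this path depends on the caller and is worth confirming. read_image_tga starts and ends outside the hunk.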
@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
                        return -1;
                }
 
-               gdGetBuf( conversion_buffer, image_block_size, ctx );
+               if (gdGetBuf(conversion_buffer, image_block_size, ctx) != 
image_block_size) {
+                       gdFree(conversion_buffer);
+                       gdFree(decompression_buffer);
+                       return -1;
+               }
 
                buffer_caret = 0;
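Review bot: Requiring `gdGetBuf` to return exactly `image_block_size` looks too strict if this is the RLE branch, as the added `gdFree(decompression_buffer)` suggests. A run-length stream is normally shorter than the decoded bitmap, so well-formed compressed files would be rejected along with truncated ones. Keeping the byte count in a new local, e.g. `rle_size = gdGetBuf(conversion_buffer, image_block_size, ctx); if (rle_size <= 0) { ... }`, and bounding the decoder's `buffer_caret` by `rle_size` would refuse truncated input without refusing valid input. The branch condition and the decode loop lie outside this hunk, so this needs checking against the full function.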
 

++++++ gd-CVE-2016-6214.patch ++++++
>From 10ef1dca63d62433fda13309b4a228782db823f7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecke...@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
 gracefully

Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.
---
 src/gd_tga.c             |  16 ++++++----------
 tests/tga/.gitignore     |   1 +
 tests/tga/CMakeLists.txt |   1 +
 tests/tga/Makemodule.am  |   4 +++-
 tests/tga/bug00247a.c    |  19 +++++++++++++++++++
 tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
 6 files changed, 30 insertions(+), 11 deletions(-)
 create mode 100644 tests/tga/bug00247a.c
 create mode 100644 tests/tga/bug00247a.tga

diff --git a/src/gd_tga.c b/src/gd_tga.c
index 20fe2d2..b4f8fa6 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
                        if (tga->bits == TGA_BPP_24) {
                                *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 
2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
                                bitmap_caret += 3;
-                       } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+                       } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
                                register int a = tga->bitmap[bitmap_caret + 3];
 
                                *tpix = 
gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], 
tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
        printf("wxh: %i %i\n", tga->width, tga->height);
 #endif
 
-       switch(tga->bits) {
-       case 8:
-       case 16:
-       case 24:
-       case 32:
-               break;
-       default:
-               gd_error("bps %i not supported", tga->bits);
+       if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+               || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+       {
+               gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u 
alpha bits not supported\n",
+                       tga->bits, tga->alphabits);
                return -1;
-               break;
        }
 
        tga->ident = NULL;
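Review bot: This allowlist is now the only thing keeping unsupported depths out of the pixel loop in gdImageCreateFromTgaCtx, whose `if`/`else if` chain has no fallback branch as far as the first hunk shows. That dependency deserves a comment at both sites, for example `/* only 24bpp/0 alpha and 32bpp/8 alpha are decoded; read_header_tga rejects everything else */`. The message passes `tga->bits` and `tga->alphabits` to `%u`; their declared types are not visible here, so confirm they match the conversion or cast them explicitly. read_header_tga continues outside the hunk.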
++++++ gd-CVE-2016-6905.patch ++++++
>From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ond...@sury.org>
Date: Tue, 12 Jul 2016 14:20:16 +0200
Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga

---
 src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

Index: libgd-2.1.1/src/gd_tga.c
===================================================================
--- libgd-2.1.1.orig/src/gd_tga.c       2015-01-06 10:16:03.000000000 +0100
+++ libgd-2.1.1/src/gd_tga.c    2016-08-23 13:15:45.975724158 +0200
@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
        int buffer_caret = 0;
        int bitmap_caret = 0;
        int i = 0;
-       int j = 0;
        uint8_t encoded_pixels;
 
        if(overflow2(tga->width, tga->height)) {
@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga *
                while( bitmap_caret < image_block_size ) {
 
                        if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) 
== TGA_RLE_FLAG) {
-                               encoded_pixels = ( ( decompression_buffer[ 
buffer_caret ] & 127 ) + 1 );
+                               encoded_pixels = ( ( decompression_buffer[ 
buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
                                buffer_caret++;
 
+                               if ((bitmap_caret + (encoded_pixels * 
pixel_block_size)) >= image_block_size) {
+                                       gdFree( decompression_buffer );
+                                       gdFree( conversion_buffer );
+                                       return -1;
+                               }
+
                                for (i = 0; i < encoded_pixels; i++) {
-                                       for (j = 0; j < pixel_block_size; j++, 
bitmap_caret++) {
-                                               tga->bitmap[ bitmap_caret ] = 
decompression_buffer[ buffer_caret + j ];
-                                       }
+                                       memcpy(tga->bitmap + bitmap_caret, 
decompression_buffer + buffer_caret, pixel_block_size);
+                                       bitmap_caret += pixel_block_size;
                                }
                                buffer_caret += pixel_block_size;
+
                        } else {
                                encoded_pixels = decompression_buffer[ 
buffer_caret ] + 1;
                                buffer_caret++;
 
-                               for (i = 0; i < encoded_pixels; i++) {
-                                       for( j = 0; j < pixel_block_size; j++, 
bitmap_caret++ ) {
-                                               tga->bitmap[ bitmap_caret ] = 
decompression_buffer[ buffer_caret + j ];
-                                       }
-                                       buffer_caret += pixel_block_size;
+                               if ((bitmap_caret + (encoded_pixels * 
pixel_block_size)) >= image_block_size) {
+                                       gdFree( decompression_buffer );
+                                       gdFree( conversion_buffer );
+                                       return -1;
                                }
+
+                               memcpy(tga->bitmap + bitmap_caret, 
decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
+                               bitmap_caret += (encoded_pixels * 
pixel_block_size);
+                               buffer_caret += (encoded_pixels * 
pixel_block_size);
                        }
                }
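Review bot: `& !TGA_RLE_FLAG` in the run-length branch is a logical NOT, so the mask is 0 and `encoded_pixels` is always 1, where the removed line used `& 127`; the bitwise `~TGA_RLE_FLAG` is what keeps the count bits. Both new guards use `>=`, which also rejects a packet that ends exactly at `image_block_size`, and they bound only the write into `tga->bitmap`: the reads at `decompression_buffer[buffer_caret]` and the `memcpy` sources are still driven by file data, with no check against how many elements were filled in. The `memcpy` lengths are byte counts while the pointer arithmetic is in elements, so if both arrays are `int` (the `(int)` cast in the first patch suggests this for `tga->bitmap`; to be confirmed) only part of each pixel group is copied. read_image_tga starts and ends outside the hunk; the fence shows the changed lines, with the source-side bound left as a comment because the filled length is not visible here.

```c
/* … unchanged: RLE flag test on decompression_buffer[buffer_caret] … */
encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
buffer_caret++;

/* TODO: also reject when buffer_caret + pixel_block_size runs past the filled part of decompression_buffer */
if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
	/* … unchanged: free both buffers, return -1 … */
}

for (i = 0; i < encoded_pixels; i++) {
	memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size * sizeof(*tga->bitmap));
	bitmap_caret += pixel_block_size;
}
/* … unchanged: buffer_caret advance, raw-packet branch header … */

/* TODO: same source-side bound for encoded_pixels * pixel_block_size elements */
if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
	/* … unchanged: free both buffers, return -1 … */
}

memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size * sizeof(*tga->bitmap));
/* … unchanged: bitmap_caret and buffer_caret advance … */
```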
 
