Hello community, here is the log from the commit of package gd for openSUSE:Factory checked in at 2016-08-26 23:14:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gd (Old) and /work/SRC/openSUSE:Factory/.gd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd"
Changes:
--------
--- /work/SRC/openSUSE:Factory/gd/gd.changes 2016-06-03 16:36:03.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.gd.new/gd.changes 2016-08-26 23:14:33.000000000 +0200
@@ -1,0 +2,11 @@
+Tue Aug 23 11:16:25 UTC 2016 - pgaj...@suse.com
+
+- security update:
+ * CVE-2016-6132 [bsc#987577]
+ + gd-CVE-2016-6132.patch
+ * CVE-2016-6214 [bsc#991436]
+ + gd-CVE-2016-6214.patch
+ * CVE-2016-6905 [bsc#995034]
+ + gd-CVE-2016-6905.patch
+
+-------------------------------------------------------------------
New:
----
gd-CVE-2016-6132.patch
gd-CVE-2016-6214.patch
gd-CVE-2016-6905.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gd.spec ++++++
--- /var/tmp/diff_new_pack.SBx55Y/_old 2016-08-26 23:14:34.000000000 +0200
+++ /var/tmp/diff_new_pack.SBx55Y/_new 2016-08-26 23:14:34.000000000 +0200
@@ -41,6 +41,9 @@
 # could be upstreamed
 Patch4: gd-libvpx.patch
 Patch5: gd-CVE-2016-5116.patch
+Patch6: gd-CVE-2016-6132.patch
+Patch7: gd-CVE-2016-6214.patch
+Patch8: gd-CVE-2016-6905.patch
 BuildRequires: fontconfig-devel
 BuildRequires: freetype2-devel
 BuildRequires: libjpeg-devel
@@ -98,6 +101,9 @@
 %patch3
 %patch4
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 %build
 # this file is errorneously forgotten from the tarball
++++++ gd-CVE-2016-6132.patch ++++++
>From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ond...@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA files
---
 src/gd_tga.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..07f3c86 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 return -1;
 }
- gdGetBuf(conversion_buffer, image_block_size, ctx);
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ return -1;
+ }
 while (buffer_caret < image_block_size) {
 tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 return -1;
 }
- gdGetBuf( conversion_buffer, image_block_size, ctx );
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ gdFree(decompression_buffer);
+ return -1;
+ }
 buffer_caret = 0;
++++++ gd-CVE-2016-6214.patch ++++++
>From 10ef1dca63d62433fda13309b4a228782db823f7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecke...@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error gracefully
Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are really supported. All other combinations will be rejected with a warning.
---
 src/gd_tga.c | 16 ++++++----------
 tests/tga/.gitignore | 1 +
 tests/tga/CMakeLists.txt | 1 +
 tests/tga/Makemodule.am | 4 +++-
 tests/tga/bug00247a.c | 19 +++++++++++++++++++
 tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
 6 files changed, 30 insertions(+), 11 deletions(-)
 create mode 100644 tests/tga/bug00247a.c
 create mode 100644 tests/tga/bug00247a.tga
diff --git a/src/gd_tga.c b/src/gd_tga.c
index 20fe2d2..b4f8fa6 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
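Review bot: The short-read checks at @@ -237 and @@ -261 each spell out their own free-and-return sequence, and the second one repeats the first plus one more gdFree; a single cleanup label reached from both conditions would keep the two error paths from drifting apart as more buffers are added. The condition also deserves a one-line comment, since `!= image_block_size` is the whole fix: `/* short read: the rest of conversion_buffer was never filled, so treat the file as truncated */`. read_image_tga starts before the first hunk and continues past the second.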
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
 if (tga->bits == TGA_BPP_24) {
 *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
 bitmap_caret += 3;
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
 register int a = tga->bitmap[bitmap_caret + 3];
 *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
 printf("wxh: %i %i\n", tga->width, tga->height);
 #endif
- switch(tga->bits) {
- case 8:
- case 16:
- case 24:
- case 32:
- break;
- default:
- gd_error("bps %i not supported", tga->bits);
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0) || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+ {
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+ tga->bits, tga->alphabits);
 return -1;
- break;
 }
 tga->ident = NULL;
++++++ gd-CVE-2016-6905.patch ++++++
>From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ond...@sury.org>
Date: Tue, 12 Jul 2016 14:20:16 +0200
Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
---
 src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)
Index: libgd-2.1.1/src/gd_tga.c
===================================================================
--- libgd-2.1.1.orig/src/gd_tga.c 2015-01-06 10:16:03.000000000 +0100
+++ libgd-2.1.1/src/gd_tga.c 2016-08-23 13:15:45.975724158 +0200
@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
 int buffer_caret = 0;
 int bitmap_caret = 0;
 int i = 0;
- int j = 0;
 uint8_t encoded_pixels;
 if(overflow2(tga->width, tga->height)) {
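Review bot: The `%u` conversions in the new gd_error_ex call at @@ -159 are not clearly matched to their arguments: the line they replace printed tga->bits with `%i`, so unless both fields are declared unsigned int (their declarations are not in this hunk) the values reach the varargs call as int; `%d`, or explicit casts such as `(unsigned)tga->bits, (unsigned)tga->alphabits`, would make the format exact. The hunk at @@ -99 now depends on this header check, because its `else if` has no trailing `else`, so a bpp/alpha combination that slipped past read_header_tga would presumably leave `*tpix` unset; a short comment there, `/* other combinations are rejected by read_header_tga */`, would record that coupling. read_header_tga starts before this hunk and continues after it.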
@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga *
 while( bitmap_caret < image_block_size ) {
 if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
+ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
 buffer_caret++;
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+ gdFree( decompression_buffer );
+ gdFree( conversion_buffer );
+ return -1;
+ }
+
 for (i = 0; i < encoded_pixels; i++) {
- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
- }
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
+ bitmap_caret += pixel_block_size;
 }
 buffer_caret += pixel_block_size;
+
 } else {
 encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
 buffer_caret++;
- for (i = 0; i < encoded_pixels; i++) {
- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
- }
- buffer_caret += pixel_block_size;
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+ gdFree( decompression_buffer );
+ gdFree( conversion_buffer );
+ return -1;
 }
+
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
+ bitmap_caret += (encoded_pixels * pixel_block_size);
+ buffer_caret += (encoded_pixels * pixel_block_size);
 }
 }
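Review bot: The new mask on the RLE branch, `& !TGA_RLE_FLAG`, is the logical not of a non-zero flag and therefore zero, so encoded_pixels is always 1 and every run-length packet decodes as a single pixel; the bitwise complement `& ~TGA_RLE_FLAG` is what the replaced `& 127` expressed (presumably TGA_RLE_FLAG is 0x80, which this hunk does not show). The two new bound checks use `>=`, which also rejects the packet that ends exactly at image_block_size, and since the enclosing `while` only stops once bitmap_caret reaches image_block_size that is the last packet of every well-formed image, so `>` is the right comparison. The memcpy replacements look wrong as well if tga->bitmap is an int array, as the `(int)` cast at @@ -237 of the first patch suggests: they copy pixel_block_size raw bytes into int slots while advancing bitmap_caret by pixel_block_size elements, whereas the removed loops widened each byte; the loops should come back, which also means restoring the `int j = 0;` dropped at @@ -200. The reads from decompression_buffer at buffer_caret are still not bounded against that buffer's own length here; that length is not visible in this hunk, so confirm it is enforced elsewhere. The `while` closes at the end of the hunk but read_image_tga continues past it.
```c
			encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
			buffer_caret++;
			if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
				/* … unchanged: free both buffers, return -1 … */
			}
			/* widen byte by byte: tga->bitmap holds ints, not raw bytes */
			for (i = 0; i < encoded_pixels; i++) {
				for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
					tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
				}
			}
			buffer_caret += pixel_block_size;
		} else {
			/* … unchanged: raw packet count, buffer_caret++ … */
			if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
				/* … unchanged: free both buffers, return -1 … */
			}
			for (i = 0; i < encoded_pixels; i++) {
				for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
					tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
				}
				buffer_caret += pixel_block_size;
			}
```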