--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Two minor security issues fixed in libgd2, not worth a DSA. Debdiff below.
Cheers,
Moritz
diff -Nru libgd2-2.2.4/debian/changelog libgd2-2.2.4/debian/changelog
--- libgd2-2.2.4/debian/changelog 2017-08-31 14:45:16.000000000 +0200
+++ libgd2-2.2.4/debian/changelog 2018-09-07 17:30:40.000000000 +0200
@@ -1,3 +1,10 @@
+libgd2 (2.2.4-2+deb9u3) stretch; urgency=medium
+
+ * CVE-2018-1000222 (Closes: #906886)
+ * CVE-2018-5711 (Closes: #887485)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Fri, 07 Sep 2018 19:29:19 +0200
+
libgd2 (2.2.4-2+deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru libgd2-2.2.4/debian/patches/0008-CVE-2018-1000222.patch
libgd2-2.2.4/debian/patches/0008-CVE-2018-1000222.patch
--- libgd2-2.2.4/debian/patches/0008-CVE-2018-1000222.patch 1970-01-01
01:00:00.000000000 +0100
+++ libgd2-2.2.4/debian/patches/0008-CVE-2018-1000222.patch 2018-09-07
17:28:33.000000000 +0200
@@ -0,0 +1,73 @@
+From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vap...@gentoo.org>
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: [PATCH] bmp: check return value in gdImageBmpPtr
+
+Closes #447.
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index bde0b9d3..78f40d9a 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile,
bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info,
bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size,
int compression)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageBmpCtx(im, out, compression);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageBmpCtx(im, out, compression))
++ rv = gdDPExtractData(out, size);
++ else
++ rv = NULL;
+ out->gd_free(out);
+ return rv;
+ }
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE
*outFile, int compression)
+ compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int
compression)
++{
++ _gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ int bitmap_size = 0, info_size, total_size, padding;
+ int i, row, xpos, pixel;
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr
out, int compression)
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ FILE *tmpfile_for_compression = NULL;
+ gdIOCtxPtr out_original = NULL;
++ int ret = 1;
+
+ /* No compression if its true colour or we don't support seek */
+ if (im->trueColor) {
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr
out, int compression)
+ out_original = NULL;
+ }
+
++ ret = 0;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr
out, int compression)
+ if (out_original) {
+ out_original->gd_free(out_original);
+ }
+- return;
++ return ret;
+ }
+
+ static int compress_row(unsigned char *row, int length)
diff -Nru libgd2-2.2.4/debian/patches/0009-CVE-2018-5711.patch
libgd2-2.2.4/debian/patches/0009-CVE-2018-5711.patch
--- libgd2-2.2.4/debian/patches/0009-CVE-2018-5711.patch 1970-01-01
01:00:00.000000000 +0100
+++ libgd2-2.2.4/debian/patches/0009-CVE-2018-5711.patch 2018-09-07
17:28:33.000000000 +0200
@@ -0,0 +1,54 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecke...@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c | 12 ++++++------
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr)
gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr)
gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int
*ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0;
+
diff -Nru libgd2-2.2.4/debian/patches/series libgd2-2.2.4/debian/patches/series
--- libgd2-2.2.4/debian/patches/series 2017-08-31 14:45:16.000000000 +0200
+++ libgd2-2.2.4/debian/patches/series 2018-09-07 17:29:12.000000000 +0200
@@ -5,3 +5,5 @@
0005-Fix-tiff_invalid_read-check.patch
0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch
0007-Fix-381-libgd-double-free-vulnerability.patch
+0008-CVE-2018-1000222.patch
+0009-CVE-2018-5711.patch
--- End Message ---
