Re: libgd security update / i686 issues

2016-07-29 Thread Mark H Weaver
Mark H Weaver writes:
> Leo Famulari writes:
>
>> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
>>> I will adapt my patch to the new version.
>>
>> Unfortunately, this new patch makes libgd fail to build from source on
>> x86_64, like this:

Re: libgd security update / i686 issues

2016-07-29 Thread Leo Famulari
On Fri, Jul 29, 2016 at 01:59:15PM -0400, Mark H Weaver wrote:
> Bah, sorry about that. I just pushed an updated patch that builds
> successfully on x86_64 and i686, and hopefully on the others as well.

Thank you!

Re: libgd security update / i686 issues

2016-07-29 Thread Mark H Weaver
Leo Famulari writes:
> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
>> I will adapt my patch to the new version.
>
> Unfortunately, this new patch makes libgd fail to build from source on
> x86_64, like this:
>
> gdimagecopyresampled/basic_alpha.c: In

Re: libgd security update / i686 issues

2016-07-29 Thread Leo Famulari
On Fri, Jul 29, 2016 at 05:00:38PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > Instead of updating to 2.2.3, we could also try cherry-picking the
> > upstream commits that address this bug, as attached.
>
> Are there any good reasons not to update?
>
> I would

Re: libgd security update / i686 issues

2016-07-29 Thread Ludovic Courtès
Leo Famulari skribis:
> On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
>> libgd 2.2.3 has been released [0], which includes fixes for
>> CVE-2016-6207.
>
> Instead of updating to 2.2.3, we could also try cherry-picking the
> upstream commits that address this

Re: libgd security update / i686 issues

2016-07-28 Thread Leo Famulari
On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> libgd 2.2.3 has been released [0], which includes fixes for
> CVE-2016-6207.

Instead of updating to 2.2.3, we could also try cherry-picking the
upstream commits that address this bug, as attached.

From

Re: libgd security update / i686 issues

2016-07-28 Thread Leo Famulari
On Thu, Jul 28, 2016 at 02:56:06PM -0400, Leo Famulari wrote:
> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> > I will adapt my patch to the new version.
>
> Unfortunately, this new patch makes libgd fail to build from source on
> x86_64, like this:

I reverted the commit on

Re: libgd security update / i686 issues

2016-07-28 Thread Leo Famulari
On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> I will adapt my patch to the new version.

Unfortunately, this new patch makes libgd fail to build from source on
x86_64, like this:

gdimagecopyresampled/basic_alpha.c: In function ‘main’:
gdimagecopyresampled/basic_alpha.c:37:23:

Re: libgd security update / i686 issues

2016-07-28 Thread Leo Famulari
On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> Not all i686 systems have support for SSE. I don't think we should
> apply the upstream suggested workaround, which effectively amounts to
> dropping support for older systems. If we want to add a requirement for
> SSE for i686

Re: libgd security update / i686 issues

2016-07-28 Thread Mark H Weaver
Leo Famulari writes:
> On Thu, Jul 28, 2016 at 10:40:49AM +0200, Andreas Enge wrote:
>> Well, the bug report states that the result is correct on armv7. Apparently
>> i686 is not IEEE compliant by default, while armv7 is. So it should be okay
>> to apply the flags only on

Re: libgd security update / i686 issues

2016-07-28 Thread Leo Famulari
On Thu, Jul 28, 2016 at 10:40:49AM +0200, Andreas Enge wrote:
> Well, the bug report states that the result is correct on armv7. Apparently
> i686 is not IEEE compliant by default, while armv7 is. So it should be okay
> to apply the flags only on i686. We assume that SSE, but not SSE2 or later
>

Re: libgd security update / i686 issues

2016-07-28 Thread Andreas Enge
On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> I built it on x86_64, and also cross-built to i686-linux. The 32-bit rounding
> issue that Mark fixed with commit 27326064 was reported upstream [1],
> and the suggested workaround is to add "-msse -mfpmath=sse" to CFLAGS
> [2].

Re: libgd security update / i686 issues

2016-07-28 Thread Andreas Enge
On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> Should these CFLAGS values be applied unconditionally, as in the
> attached patch, or should they be applied only while building on or for
> specific architectures? Or something else?

They only work on x86 processors, almost by

libgd security update / i686 issues

2016-07-28 Thread Leo Famulari
libgd 2.2.3 has been released [0], which includes fixes for CVE-2016-6207. I built it on x86_64, and also cross-built to i686-linux. The 32-bit rounding issue that Mark fixed with commit 27326064 was reported upstream [1], and the suggested workaround is to add "-msse -mfpmath=sse" to CFLAGS [2].