diff --git a/gd-2.2.3-dynamicGetbuf-negative-rlen.patch b/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
new file mode 100644
index 0000000..24ebd9b
--- /dev/null
+++ b/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
@@ -0,0 +1,26 @@
+From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 12 Oct 2016 11:15:32 +0200
+Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
+
+We make sure to never pass a negative `rlen` as size to memcpy(). See
+also .
+
+Patch provided by Emmanuel Law.
+---
+ src/gd_io_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 135eda3..228bfa5 100644
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ if(remain >= len) {
+ rlen = len;
+ } else {
+- if(remain == 0) {
++ if(remain <= 0) {
+ /* 2.0.34: EOF is incorrect. We use 0 for
+ * errors and EOF, just like fileGetbuf,
+ * which is a simple fread() wrapper.
diff --git a/gd-2.2.3-overflow-in-gdImageWebpCtx.patch b/gd-2.2.3-overflow-in-gdImageWebpCtx.patch
new file mode 100644
index 0000000..84fa82e
--- /dev/null
+++ b/gd-2.2.3-overflow-in-gdImageWebpCtx.patch
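Review bot: The new `remain <= 0` test closes the negative-`remain` path, but a negative `len` still yields a negative `rlen`: with `remain >= 0` and `len < 0`, the `if(remain >= len)` branch at the top of the hunk assigns `rlen = len`, and the patch description says that value is what later reaches memcpy() as its size. If callers of dynamicGetbuf cannot be relied on to pass a non-negative `len`, a guard ahead of the comparison, `if(len <= 0) { return 0; }`, would complete the fix and match the existing "0 for errors and EOF" convention; whether any caller can reach this with a negative `len` is not visible here. The body of dynamicGetbuf, including the memcpy() itself, continues outside the hunk. Separately, the `See also .` line in the embedded commit message has lost its reference, so the bug report this backport answers is no longer recorded in the patch file.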
@@ -0,0 +1,27 @@
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index fae3861..a7ed222 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
+ /* Conversion to Y,U,V buffer */
+ yuv_width = (width + 1) >> 1;
+ yuv_height = (height + 1) >> 1;
++
++ if (overflow2(width, height)) {
++ return;
++ }
++
++ if (overflow2(2, yuv_width)) {
++ return;
++ }
++
++ if (overflow2(2 * yuv_width, yuv_height)) {
++ return;
++ }
++
++ if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
++ return;
++ }
+ yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+
+ if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
diff --git a/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch b/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
new file mode 100644
index 0000000..78a80b4
Binary files /dev/null and b/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch differ
diff --git a/gd.spec b/gd.spec
index 436c2ce..8ddfc8c 100644
--- a/gd.spec
+++ b/gd.spec
@@ -5,7 +5,7 @@ Summary: A graphics library for quick creation of PNG or JPEG images
 Name: gd
 Version: 2.1.1
-Release: 10%{?prever}%{?short}%{?dist}
+Release: 11%{?prever}%{?short}%{?dist}
 Group: System Environment/Libraries
 License: MIT
 URL: http://libgd.bitbucket.org/
@@ -41,6 +41,14 @@ Patch8: gd-2.2.3-CVE-2016-6161.patch
 # CVE-2016-6207
 # cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
 Patch9: gd-2.2.3-CVE-2016-6207.patch
+# CVE-2016-7568
+Patch10: gd-2.2.3-overflow-in-gdImageWebpCtx.patch
+# CVE-2016-8670
+Patch11: gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+# CVE-2016-6911
+# TODO - created by one of upstream maintainers, but not in upstream yet
+# https://github.com/libgd/libgd/pull/353
+Patch12: gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
 
 BuildRequires: freetype-devel
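Review bot: The fourth guard, `overflow2(width * height + 2 * yuv_width * yuv_height, 1)`, performs the signed addition before any check sees it, so it can only detect a sum overflow if overflow2() rejects a non-positive first argument and the wrapped value happens to come out negative; signed overflow is undefined behaviour in C, so a compiler, `-ftrapv` or UBSan is free not to preserve that outcome (overflow2's definition is not in this hunk, so its contract is assumed here). The first three checks already establish that each product fits in an int, so the remaining case is the sum, which can be tested without computing it: `if (width * height > INT_MAX - 2 * yuv_width * yuv_height) { return; }` (with `<limits.h>` included if gd_webp.c does not already). A smaller gap is `yuv_width = (width + 1) >> 1`, evaluated before any check, which overflows for `width == INT_MAX` unless width is bounded earlier in gdImageWebpCtx; that function begins and ends outside the hunk.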
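Review bot: Patch12 arrives as a binary file, so nothing in this diff shows what it changes, and the comment pins it only to a pull-request URL whose content can move; record the PR head commit or the file's sha256 beside the TODO, e.g. `# https://github.com/libgd/libgd/pull/353 (PR head <commit>, sha256 <digest>)`, so a later reviewer can confirm the blob is the reviewed revision. Patch10 and Patch11 cite only the CVE where Patch9 lists its cherry-picked commits; Patch11's own header identifies it as upstream 5311087, which could be noted as `# upstream commit 5311087`, while Patch10's file carries no commit header at all and its upstream origin should be looked up and recorded the same way.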
@@ -107,6 +115,10 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch7 -p1 -b .cve-2016-5766
 %patch8 -p1 -b .cve-2016-6161
 %patch9 -p1 -b .cve-2016-6207
+%patch10 -p1 -b .gdImageWebpCtx
+%patch11 -p1 -b .dynamicGetbuf
+# Patch5 adds some non-text files (.tiff)
+patch -p1 --binary < %{PATCH12}
 
 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
@@ -179,6 +191,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %changelog
+* Tue Dec 06 2016 Marek Skalický - 2.1.1-11
+- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
+- Fix stack based buffer overflow when passing negative `rlen` as size to
+ memcpy() (CVE-2016-8670)
+- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
+
 * Mon Sep 19 2016 Marek Skalický - 2.1.1-10
 - Fix CVE-2016-6207
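Review bot: The comment added above the raw `patch` call names the wrong patch: it says `# Patch5 adds some non-text files (.tiff)` while the command applies `%{PATCH12}`, so it should read `# Patch12 adds non-text files (.tiff), which %patch cannot apply`. Bypassing the `%patch` macro also drops whatever that macro adds on this distribution, in particular `--fuzz=0` where `%_default_patch_fuzz` is set to 0, so plain `patch` may apply a drifted hunk with fuzz that the other lines would reject; `patch -p1 --binary --fuzz=0 < %{PATCH12}` keeps the strictness in line with `%patch7`–`%patch11`. Whether this spec's build macros set a fuzz value is not visible here.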