From 1b11443e99c3247957ec38cd317c49d497d5a2d7 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 28 Mar 2018 16:32:48 +0200 Subject: Sync with fedora: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Mon Mar 26 2018 Marek Skalický - 2.2.5-2 - Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx --- gd-2.2.5-upstream.patch | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ gd.spec | 11 +++++---- 2 files changed, 69 insertions(+), 4 deletions(-) create mode 100644 gd-2.2.5-upstream.patch diff --git a/gd-2.2.5-upstream.patch b/gd-2.2.5-upstream.patch new file mode 100644 index 0000000..0bc1bcb --- /dev/null +++ b/gd-2.2.5-upstream.patch @@ -0,0 +1,62 @@ +From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 29 Nov 2017 19:37:38 +0100 +Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. + +CVE-2018-5711 + +See also https://bugs.php.net/bug.php?id=75571. +--- + src/gd_gif_in.c | 12 ++++++------ + tests/gif/.gitignore | 1 + + tests/gif/CMakeLists.txt | 1 + + tests/gif/Makemodule.am | 2 ++ + tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ + tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes + 6 files changed, 38 insertions(+), 6 deletions(-) + create mode 100644 tests/gif/php_bug_75571.c + create mode 100644 tests/gif/php_bug_75571.gif + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index daf26e79..0a8bd717 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + return 0; + } + +- if(!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } +- + /* Check for open colors at the end, so + * we can reduce colorsTotal and ultimately + * BitsPerPixel */ +@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + } + } + ++ if(!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } ++ + return im; + } + +@@ -447,7 +447,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if(flag) { + scd->curbit = 0; + diff --git a/gd.spec b/gd.spec index 439a994..e3e6234 100644 --- a/gd.spec +++ b/gd.spec @@ -28,7 +28,7 @@ Name: gd Name: gd-last %endif Version: 2.2.5 -Release: 1%{?prever}%{?short}%{?dist} +Release: 2%{?prever}%{?short}%{?dist} Group: System Environment/Libraries License: MIT URL: http://libgd.github.io/ @@ -41,6 +41,8 @@ Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/li %endif Patch1: gd-2.1.0-multilib.patch +# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04 +Patch2: gd-2.2.5-upstream.patch BuildRequires: freetype-devel BuildRequires: fontconfig-devel @@ -126,6 +128,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics. %prep %setup -q -n libgd-%{version}%{?prever:-%{prever}} %patch1 -p1 -b .mlib +%patch2 -p1 -b .upstream : $(perl config/getver.pl) @@ -185,9 +188,6 @@ XFAIL_TESTS="gdimagegrayscale/basic $XFAIL_TESTS" # See https://github.com/libgd/libgd/issues/363 XFAIL_TESTS="freetype/bug00132 $XFAIL_TESTS" %endif -%if 0%{?rhel} > 0 && 0%{?rhel} <= 5 -XFAIL_TESTS="gdimagestringft/gdimagestringft_bbox $XFAIL_TESTS" -%endif export XFAIL_TESTS @@ -221,6 +221,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc %changelog +* Mon Mar 26 2018 Marek Skalický - 2.2.5-2 +- Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx + * Wed Aug 30 2017 Remi Collet - 2.2.5-1 - Update to 2.2.5 - fix double-free in gdImagePngPtr(). CVE-2017-6362 -- cgit