From fb2b0f5c87321f5aab0dc13130ef92a76040fbe3 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Tue, 17 May 2016 00:20:17 -0400 Subject: [PATCH] gnu: gd: Fix-CVE-2016-3074. * gnu/packages/patches/gd-CVE-2016-3074.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gd.scm | 4 ++- gnu/packages/patches/gd-CVE-2016-3074.patch | 36 +++++++++++++++++++++ 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gd-CVE-2016-3074.patch diff --git a/gnu/local.mk b/gnu/local.mk index 4bbded90eb..0e461b3209 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -494,6 +494,7 @@ dist_patch_DATA = \ gnu/packages/patches/gcc-cross-environment-variables.patch \ gnu/packages/patches/gcc-libvtv-runpath.patch \ gnu/packages/patches/gcc-5.0-libvtv-runpath.patch \ + gnu/packages/patches/gd-CVE-2016-3074.patch \ gnu/packages/patches/geoclue-config.patch \ gnu/packages/patches/ghostscript-CVE-2015-3228.patch \ gnu/packages/patches/ghostscript-runpath.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index 769e7cecf2..e52a030f86 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2016 Ludovic Courtès ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2015 Eric Bavier +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -48,7 +49,8 @@ "libgd-" version ".tar.xz")) (sha256 (base32 - "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls")))) + "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls")) + (patches (search-patches "gd-CVE-2016-3074.patch")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) diff --git a/gnu/packages/patches/gd-CVE-2016-3074.patch b/gnu/packages/patches/gd-CVE-2016-3074.patch new file mode 100644 index 0000000000..a90c51d77b --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-3074.patch @@ -0,0 +1,36 @@ +Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19 +(gd2: handle corrupt images better (CVE-2016-3074)). + +This patch omits the upstream changes to '.gitignore', and the test +added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and +'tests/gd2/invalid_neg_size.gd2'. + +We omit the test because its input data, +'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff, +which is not supported by `patch`. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074 +https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 +--- + .gitignore | 1 + + src/gd_gd2.c | 2 ++ + tests/Makefile.am | 3 ++- + tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++ + tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes + 5 files changed, 30 insertions(+), 1 deletion(-) + create mode 100644 tests/gd2/gd2_read_corrupt.c + create mode 100644 tests/gd2/invalid_neg_size.gd2 + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index 6f28461..a50b33d 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + if (gdGetInt (&cidx[i].size, in) != 1) { + goto fail2; + }; ++ if (cidx[i].offset < 0 || cidx[i].size < 0) ++ goto fail2; + }; + *chunkIdx = cidx; + };