
b5d08d7c2834610b5243db1795bd4b0724c8ff2a — Leo Famulari 9 years ago 9da459f
gnu: gd: Update to 2.2.1 [fixes CVE-2015-{8874, 8877}].

* gnu/packages/patches/gd-CVE-2016-3074.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
* gnu/packages/gd.scm (gd): Update to 2.2.1.
[source]: Remove patch. Update source URL.
3 files changed, 5 insertions(+), 43 deletions(-)

M gnu/local.mk
M gnu/packages/gd.scm
D gnu/packages/patches/gd-CVE-2016-3074.patch
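--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -498,7 +498,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
-  %D%/packages/patches/gd-CVE-2016-3074.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
   %D%/packages/patches/ghostscript-runpath.patch		\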

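--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -37,20 +37,19 @@
   (package
     (name "gd")
 
-    ;; Note: With libgd.org now pointing to bitbucket.org, genuine old
+    ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.1.1")
+    (version "2.2.1")
 
     (source (origin
              (method url-fetch)
              (uri (string-append
-                   "https://bitbucket.org/libgd/gd-libgd/downloads/"
-                   "libgd-" version ".tar.xz"))
+                   "https://github.com/libgd/libgd/releases/download/gd-"
+                   version "/libgd-" version ".tar.xz"))
              (sha256
               (base32
-               "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"))
-             (patches (search-patches "gd-CVE-2016-3074.patch"))))
+               "0xmrqka1ggqgml84xbmkw1y0r0lg7qn657v5b1my8pry92p651vh"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))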
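Review bot: Dropping the `(patches (search-patches "gd-CVE-2016-3074.patch"))` line from `source` is not accounted for anywhere in the record, since the title names only CVE-2015-{8874, 8877}; the deleted patch's own header attributes it to upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19, so the description should state that this commit is contained in the 2.2.1 tarball, which is presumably why the patch can go but is not shown by the diff. A single line in the ChangeLog-style description such as `[source]: Remove patch, fix included upstream in 2.2.1.` would make the security coverage of this bump auditable from the log alone. The "fixes CVE-2015-{8874, 8877}" claim in the title is likewise not traceable to any line in the diff; referencing the upstream release announcement in the description would close that gap. The `package` form opened here continues past the hunk.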

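--- a/gnu/packages/patches/gd-CVE-2016-3074.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
-(gd2: handle corrupt images better (CVE-2016-3074)).
-
-This patch omits the upstream changes to '.gitignore', and the test
-added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
-'tests/gd2/invalid_neg_size.gd2'.
-
-We omit the test because its input data,
-'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
-which is not supported by `patch`.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
-https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
----
- .gitignore                     |   1 +
- src/gd_gd2.c                   |   2 ++
- tests/Makefile.am              |   3 ++-
- tests/gd2/gd2_read_corrupt.c   |  25 +++++++++++++++++++++++++
- tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
- 5 files changed, 30 insertions(+), 1 deletion(-)
- create mode 100644 tests/gd2/gd2_read_corrupt.c
- create mode 100644 tests/gd2/invalid_neg_size.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 6f28461..a50b33d 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 			if (gdGetInt (&cidx[i].size, in) != 1) {
- 				goto fail2;
- 			};
-+			if (cidx[i].offset < 0 || cidx[i].size < 0)
-+				goto fail2;
- 		};
- 		*chunkIdx = cidx;
- 	};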