commit 3d2edb6ecfc0071aa61306850bcb38e2c44e480e Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:39:22 2019 -0400 Package init diff --git a/CVE-2018-1000222.patch b/CVE-2018-1000222.patch new file mode 100644 index 0000000..80f9712 --- /dev/null +++ b/CVE-2018-1000222.patch @@ -0,0 +1,73 @@ +From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger +Date: Sat, 14 Jul 2018 13:54:08 -0400 +Subject: [PATCH] bmp: check return value in gdImageBmpPtr + +Closes #447. +--- + src/gd_bmp.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/gd_bmp.c b/src/gd_bmp.c +index bde0b9d3..78f40d9a 100644 +--- a/src/gd_bmp.c ++++ b/src/gd_bmp.c +@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp + static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); + static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); + ++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); ++ + #define BMP_DEBUG(s) + + static int gdBMPPutWord(gdIOCtx *out, int w) +@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageBmpCtx(im, out, compression); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageBmpCtx(im, out, compression)) ++ rv = gdDPExtractData(out, size); ++ else ++ rv = NULL; + out->gd_free(out); + return rv; + } +@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) + compression - whether to apply RLE or not. + */ + BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) ++{ ++ _gdImageBmpCtx(im, out, compression); ++} ++ ++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + { + int bitmap_size = 0, info_size, total_size, padding; + int i, row, xpos, pixel; +@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; + FILE *tmpfile_for_compression = NULL; + gdIOCtxPtr out_original = NULL; ++ int ret = 1; + + /* No compression if its true colour or we don't support seek */ + if (im->trueColor) { +@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + out_original = NULL; + } + ++ ret = 0; + cleanup: + if (tmpfile_for_compression) { + #ifdef _WIN32 +@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) + if (out_original) { + out_original->gd_free(out_original); + } +- return; ++ return ret; + } + + static int compress_row(unsigned char *row, int length) diff --git a/CVE-2019-11038.patch b/CVE-2019-11038.patch new file mode 100644 index 0000000..f535c6b --- /dev/null +++ b/CVE-2019-11038.patch @@ -0,0 +1,36 @@ +From c76ed17aee1f88e1bf9b9fc2c9b29a9a462aa347 Mon Sep 17 00:00:00 2001 +From: Jonas Meurer +Date: Tue, 11 Jun 2019 12:16:46 +0200 +Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm + (CVE-2019-11038) + +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038 +Bug-Debian: https://bugs.debian.org/929821 +Bug: https://github.com/libgd/libgd/issues/501 + +We have to ensure that `sscanf()` does indeed read a hex value here, +and bail out otherwise. + +Original patch by Christoph M. Becker for PHP libgd ext. +https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184 +--- + src/gd_xbm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/gd_xbm.c b/src/gd_xbm.c +index 4ca41acf..cf0545ef 100644 +--- a/src/gd_xbm.c ++++ b/src/gd_xbm.c +@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd) + } + h[3] = ch; + } +- sscanf(h, "%x", &b); ++ if (sscanf(h, "%x", &b) != 1) { ++ gd_error("invalid XBM"); ++ gdImageDestroy(im); ++ return 0; ++ } + for (bit = 1; bit <= max_bit; bit = bit << 1) { + gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); + if (x == im->sx) { diff --git a/CVE-2019-6977.patch b/CVE-2019-6977.patch new file mode 100644 index 0000000..0434976 --- /dev/null +++ b/CVE-2019-6977.patch @@ -0,0 +1,13 @@ +--- a/src/gd_color_match.c 2017-08-30 07:05:54.000000000 -0400 ++++ b/src/gd_color_match.c 2019-06-05 07:53:47.058000000 -0400 +@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + + for (x=0; x < im1->sx; x++) { + for( y=0; ysy; y++ ) { diff --git a/CVE-2019-6978.patch b/CVE-2019-6978.patch new file mode 100644 index 0000000..e881885 --- /dev/null +++ b/CVE-2019-6978.patch @@ -0,0 +1,216 @@ +From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Thu, 17 Jan 2019 11:54:55 +0100 +Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr() + +Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we +must not call `gdDPExtractData()`; otherwise a double-free would +happen. Since `gdImage*Ctx()` are void functions, and we can't change +that for BC reasons, we're introducing static helpers which are used +internally. + +We're adding a regression test for `gdImageJpegPtr()`, but not for +`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to +trigger failure of the respective `gdImage*Ctx()` calls. + +This potential security issue has been reported by Solmaz Salimi (aka. +Rooney). +--- + src/gd_gif_out.c | 18 +++++++++++++++--- + src/gd_jpeg.c | 20 ++++++++++++++++---- + src/gd_wbmp.c | 21 ++++++++++++++++++--- + tests/jpeg/.gitignore | 1 + + tests/jpeg/CMakeLists.txt | 1 + + tests/jpeg/Makemodule.am | 3 ++- + tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++ + 7 files changed, 84 insertions(+), 11 deletions(-) + create mode 100644 tests/jpeg/jpeg_ptr_double_free.c + +diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c +index 298a5812..d5a95346 100644 +--- a/src/gd_gif_out.c ++++ b/src/gd_gif_out.c +@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); + static void char_out(int c, GifCtx *ctx); + static void flush_char(GifCtx *ctx); + ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); + + + +@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageGifCtx(im, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageGifCtx(im, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile) + + */ + BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) ++{ ++ _gdImageGifCtx(im, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + { + gdImagePtr pim = 0, tim = im; + int interlace, BitsPerPixel; +@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + based temporary image. */ + pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); + if(!pim) { +- return; ++ return 1; + } + tim = pim; + } +@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + /* Destroy palette based temporary image. */ + gdImageDestroy( pim); + } ++ ++ return 0; + } + + +diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c +index fc058420..96ef4302 100644 +--- a/src/gd_jpeg.c ++++ b/src/gd_jpeg.c +@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo) + exit(99); + } + ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); ++ + /* + * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality + * QUALITY. If QUALITY is in the range 0-100, increasing values +@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageJpegCtx(im, out, quality); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageJpegCtx(im, out, quality)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile); + + */ + BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) ++{ ++ _gdImageJpegCtx(im, outfile, quality); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + { + struct jpeg_compress_struct cinfo; + struct jpeg_error_mgr jerr; +@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + if(row) { + gdFree(row); + } +- return; ++ return 1; + } + + cinfo.err->emit_message = jpeg_emit_message; +@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + if(row == 0) { + gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); + jpeg_destroy_compress(&cinfo); +- return; ++ return 1; + } + + rowptr[0] = row; +@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + jpeg_finish_compress(&cinfo); + jpeg_destroy_compress(&cinfo); + gdFree(row); ++ return 0; + } + + +diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c +index f19a1c96..a49bdbec 100644 +--- a/src/gd_wbmp.c ++++ b/src/gd_wbmp.c +@@ -88,6 +88,8 @@ int gd_getin(void *in) + return (gdGetC((gdIOCtx *)in)); + } + ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); ++ + /* + Function: gdImageWBMPCtx + +@@ -100,6 +102,12 @@ int gd_getin(void *in) + out - the stream where to write + */ + BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) ++{ ++ _gdImageWBMPCtx(image, fg, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + { + int x, y, pos; + Wbmp *wbmp; +@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + /* create the WBMP */ + if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { + gd_error("Could not create WBMP\n"); +- return; ++ return 1; + } + + /* fill up the WBMP structure */ +@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + + /* write the WBMP to a gd file descriptor */ + if(writewbmp(wbmp, &gd_putout, out)) { ++ freewbmp(wbmp); + gd_error("Could not save WBMP\n"); ++ return 1; + } + + /* des submitted this bugfix: gdFree the memory. */ + freewbmp(wbmp); ++ ++ return 0; + } + + /* +@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageWBMPCtx(im, fg, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageWBMPCtx(im, fg, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } diff --git a/gd-2.1.0-multilib.patch b/gd-2.1.0-multilib.patch new file mode 100644 index 0000000..c4fdc63 --- /dev/null +++ b/gd-2.1.0-multilib.patch @@ -0,0 +1,33 @@ +diff -up gd-2.1.0/config/gdlib-config.in.multilib gd-2.1.0/config/gdlib-config.in +--- gd-2.1.0/config/gdlib-config.in.multilib 2013-04-21 16:58:17.820010758 +0200 ++++ gd-2.1.0/config/gdlib-config.in 2013-04-21 16:59:27.896317922 +0200 +@@ -7,9 +7,10 @@ + # installation directories + prefix=@prefix@ + exec_prefix=@exec_prefix@ +-libdir=@libdir@ ++libdir=`pkg-config gdlib --variable=libdir` + includedir=@includedir@ + bindir=@bindir@ ++ldflags=`pkg-config gdlib --variable=ldflags` + + usage() + { +@@ -68,7 +69,7 @@ while test $# -gt 0; do + echo @GDLIB_REVISION@ + ;; + --ldflags) +- echo @LDFLAGS@ ++ echo $ldflags + ;; + --libs) + echo -lgd @LIBS@ @LIBICONV@ +@@ -83,7 +84,7 @@ while test $# -gt 0; do + echo "GD library @VERSION@" + echo "includedir: $includedir" + echo "cflags: -I@includedir@" +- echo "ldflags: @LDFLAGS@" ++ echo "ldflags: $ldflags" + echo "libs: @LIBS@ @LIBICONV@" + echo "libdir: $libdir" + echo "features: @FEATURES@" diff --git a/gd-2.2.5-upstream.patch b/gd-2.2.5-upstream.patch new file mode 100644 index 0000000..0bc1bcb --- /dev/null +++ b/gd-2.2.5-upstream.patch @@ -0,0 +1,62 @@ +From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 29 Nov 2017 19:37:38 +0100 +Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. + +CVE-2018-5711 + +See also https://bugs.php.net/bug.php?id=75571. +--- + src/gd_gif_in.c | 12 ++++++------ + tests/gif/.gitignore | 1 + + tests/gif/CMakeLists.txt | 1 + + tests/gif/Makemodule.am | 2 ++ + tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ + tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes + 6 files changed, 38 insertions(+), 6 deletions(-) + create mode 100644 tests/gif/php_bug_75571.c + create mode 100644 tests/gif/php_bug_75571.gif + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index daf26e79..0a8bd717 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + return 0; + } + +- if(!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } +- + /* Check for open colors at the end, so + * we can reduce colorsTotal and ultimately + * BitsPerPixel */ +@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + } + } + ++ if(!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } ++ + return im; + } + +@@ -447,7 +447,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if(flag) { + scd->curbit = 0; + diff --git a/gd.spec b/gd.spec new file mode 100644 index 0000000..978122c --- /dev/null +++ b/gd.spec @@ -0,0 +1,110 @@ +Name: gd +Version: 2.2.5 +Release: 5 +Summary: A graphics library for quick creation of PNG or JPEG images +License: MIT +URL: http://libgd.github.io/ +Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/libgd-%{version}.tar.xz + +#PATCH-FIX-https://github.com/pisilinux/main/tree/master/multimedia/misc/gd/files +Patch0001: gd-2.1.0-multilib.patch +#PATCH-CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04 +Patch0002: gd-2.2.5-upstream.patch +#PATCH-FIX-OPENEULER +Patch6000: CVE-2019-6977.patch +Patch6001: CVE-2019-6978.patch +Patch6002: CVE-2018-1000222.patch +Patch6003: CVE-2019-11038.patch + +BuildRequires: freetype-devel fontconfig-devel gettext-devel libjpeg-devel libpng-devel libtiff-devel libwebp-devel +BuildRequires: libX11-devel libXpm-devel zlib-devel pkgconfig libtool perl-interpreter perl-generators liberation-sans-fonts + +Provides: %{name}-progs +Obsoletes: %{name}-progs + +%description +The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, +multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or +JPEG file. The most common applications of GD involve website development, +although it can be used with any standalone application! + +%package devel +Summary: The development libraries and header files for gd +Requires: %{name}%{?_isa} = %{version}-%{release} freetype-devel%{?_isa} fontconfig-devel%{?_isa} libjpeg-devel%{?_isa} +Requires: libpng-devel%{?_isa} libtiff-devel%{?_isa} libwebp-devel%{?_isa} libX11-devel%{?_isa} +Requires: libXpm-devel%{?_isa} zlib-devel%{?_isa} + +%description devel +The gd-devel package contains the development libraries and header files for gd, a graphics +library for creating PNG and JPEG graphics.The gd-progs package includes utility programs supplied with gd, a +graphics library for creating PNG and JPEG images. + +%prep +%autosetup -n libgd-%{version} -p1 + +: $(perl config/getver.pl) + +: regenerate autotool stuff +if [ -f configure ]; then + libtoolize --copy --force + autoreconf -vif +else + ./bootstrap.sh +fi + +%build +CFLAGS="$RPM_OPT_FLAGS -DDEFAULT_FONTPATH='\"\ +/usr/share/fonts/bitstream-vera:\ +/usr/share/fonts/dejavu:\ +/usr/share/fonts/default/Type1:\ +/usr/share/X11/fonts/Type1:\ +/usr/share/fonts/liberation\"'" + + +%ifarch aarch64 +# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1359680 +export CFLAGS="$CFLAGS -ffp-contract=off" +%endif + +%configure \ + --with-tiff=%{_prefix} \ + --disable-rpath +%make_build + +%install +%make_install + +%check +export XFAIL_TESTS +make check + +grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%license COPYING +%{_libdir}/*.so.* +%{_bindir}/* +%exclude %{_bindir}/gdlib-config + +%files devel +%{_bindir}/gdlib-config +%{_includedir}/* +%{_libdir}/*.so +%{_libdir}/pkgconfig/gdlib.pc +%exclude %{_libdir}/libgd.la +%exclude %{_libdir}/libgd.a + +%changelog +* Wed Sep 25 2019 wangli 2.2.5-5 +- Type:cves +- ID:CVE-2019-11038 +- SUG:NA +- DESC:fix cves + +* Wed Sep 11 2019 openEuler jimmy - 2.2.5-4 +- Package init jimmy diff --git a/libgd-2.2.5.tar.xz b/libgd-2.2.5.tar.xz new file mode 100644 index 0000000..0a9aeac Binary files /dev/null and b/libgd-2.2.5.tar.xz differ