fix CVE-2021-38115

backport-CVE-2021-38115.patch

@@ -0,0 +1,30 @@
+From 8b111b2b4a4842179be66db68d84dda91a246032 Mon Sep 17 00:00:00 2001
+From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
+Date: Mon, 19 Jul 2021 10:07:13 +0430
+Subject: [PATCH 1/1] fix read out-of-bands in reading tga header file
+https://github.com/libgd/libgd/commit/8b111b2b4a4842179be66db68d84dda91a246032
+
+---
+ src/gd_tga.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index cae9428..286febb 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -191,7 +191,11 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf(tga->ident, tga->identsize, ctx);
++		
++		if (gdGetBuf(tga->ident, tga->identsize, ctx) != tga->identsize) {
++			gd_error("fail to read header ident");
++			return -1;
++		}
+ 	}
+ 
+ 	return 1;
+-- 
+2.30.2
+

gd.spec

@@ -1,6 +1,6 @@
 Name:           gd
 Version:        2.3.0
-Release:        2
+Release:        3
 Summary:        A graphics library for quick creation of PNG or JPEG images
 License:        MIT
 URL:            http://libgd.github.io/
@@ -9,6 +9,8 @@ Source0:        https://github.com/libgd/libgd/releases/download/gd-%{version}/l
 # Missing, temporary workaround, fixed upstream for next version
 Source1:        https://raw.githubusercontent.com/libgd/libgd/gd-%{version}/config/getlib.sh
 
+Patch6000:      backport-CVE-2021-38115.patch
+
 BuildRequires:  freetype-devel fontconfig-devel gettext-devel libjpeg-devel libpng-devel libtiff-devel libwebp-devel
 BuildRequires:  libX11-devel libXpm-devel zlib-devel pkgconfig libtool perl-interpreter perl-generators liberation-sans-fonts
 
@@ -100,6 +102,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %exclude %{_libdir}/libgd.a
 
 %changelog
+* Sat Aug 14 2021 zhanzhimin<zhanzhimin@huawei.com> - 2.3.0-3
+- Type:CVE
+- ID:CVE-2021-38115
+- SUG:NA
+- DESC:fix CVE-2021-38115
+
 * Tue Jul 20 2021 zhanzhimin<zhanzhimin@huawei.com> - 2.3.0-2
 - delete gdb buildrequires