!47 Update to 5.2.2 for fix CVE-2020-23922 and CVE-2023-48161

From: @starlet-dx Reviewed-by: @open-bot Signed-off-by: @open-bot
2024-06-24 05:31:53 +00:00 · 2024-06-24 05:31:53 +00:00 · f95adbae53
commit f95adbae53
parent 8a0d02e289 6dade95e20
9 changed files with 64 additions and 117 deletions
--- a/CVE-2021-40633.patch
+++ b/CVE-2021-40633.patch
@ -1,8 +1,8 @@
-diff -urN giflib-5.2.1/gif2rgb.c giflib-5.2.1-bak/gif2rgb.c
--- giflib-5.2.1/gif2rgb.c	2024-05-14 16:38:28.259385838 +0800
-+++ giflib-5.2.1-bak/gif2rgb.c	2024-05-14 16:40:04.629090800 +0800
-@@ -498,6 +498,9 @@
- 		   ScreenBuffer, 
+diff -urN giflib-5.2.2/gif2rgb.c giflib-5.2.2-bak/gif2rgb.c
+--- giflib-5.2.2/gif2rgb.c	2024-05-14 16:06:40.098092160 +0800
+++ giflib-5.2.2-bak/gif2rgb.c	2024-05-14 15:53:42.426757251 +0800
+@@ -525,6 +525,9 @@
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
 	               GifFile->SWidth, GifFile->SHeight);
 
 +	for (i = 0; i < GifFile->SHeight; i++) {
@ -10,4 +10,4 @@ diff -urN giflib-5.2.1/gif2rgb.c giflib-5.2.1-bak/gif2rgb.c
 +	}
 	(void)free(ScreenBuffer);
 
-     if (DGifCloseFile(GifFile, &Error) == GIF_ERROR) {
+ 	{
--- a/CVE-2022-28506.patch
+++ b/CVE-2022-28506.patch
@ -1,31 +0,0 @@
-From c80f2b9f12a9ed0df7a629c9da1c4a82e9e39923 Mon Sep 17 00:00:00 2001
-From: duyiwei <duyiwei@kylinos.cn>
-Date: Wed, 15 Jun 2022 14:46:24 +0800
-Subject: [PATCH] CVE-2022-28506
-
-Signed-off-by: duyiwei <duyiwei@kylinos.cn>
---
- gif2rgb.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/gif2rgb.c b/gif2rgb.c
-index ccbc0aa..87c413e 100644
--- a/gif2rgb.c
-+++ b/gif2rgb.c
-@@ -303,7 +303,12 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
-             GifRow = ScreenBuffer[i];
-             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
-             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
-                ColorMapEntry = &ColorMap->Colors[GifRow[j]];
-+                /* Check if color is within color palete */
-+                if (GifRow[j] >= ColorMap->ColorCount)
-+                {
-+                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
-+                }
-+	       	ColorMapEntry = &ColorMap->Colors[GifRow[j]];
-                 *BufferP++ = ColorMapEntry->Red;
-                 *BufferP++ = ColorMapEntry->Green;
-                 *BufferP++ = ColorMapEntry->Blue;
-- 
-2.33.0
-
--- a/CVE-2023-39742.patch
+++ b/CVE-2023-39742.patch
@ -1,24 +0,0 @@
-Description: Fix segmentation faults due to non correct checking for args
-Author: David Suárez <david.sephirot@gmail.com>
-Origin: vendor
-Bug: https://sourceforge.net/p/giflib/bugs/153/
-Bug-Debian: https://bugs.debian.org/715963
-Bug-Debian: https://bugs.debian.org/715964
-Bug-Debian: https://bugs.debian.org/715967
-Last-Update: 2020-12-20
-
--- a/getarg.c
-+++ b/getarg.c
-@@ -305,6 +305,12 @@
-     int i = 0, ScanRes;
- 
-     while (!(ISSPACE(CtrlStrCopy[i]))) {
-+
-+        if ((*argv) == argv_end) {
-+            GAErrorToken = Option;
-+            return CMD_ERR_NumRead;
-+        }
-+
-         switch (CtrlStrCopy[i + 1]) {
-           case 'd':    /* Get signed integers. */
-               ScanRes = sscanf(*((*argv)++), "%d",
--- a/giflib-5.2.1.tar.gz
+++ b/giflib-5.2.1.tar.gz
--- a/giflib-5.2.2.tar.gz
+++ b/giflib-5.2.2.tar.gz
--- a/giflib.spec
+++ b/giflib.spec
@ -1,8 +1,8 @@
 %define debug_package %{nil}

 Name:          giflib
-Version:       5.2.1
-Release:       8
+Version:       5.2.2
+Release:       1
 Summary:       A library and utilities for processing GIFs
 License:       MIT
 URL:           http://www.sourceforge.net/projects/giflib/
@ -14,11 +14,10 @@ Patch0:giflib_quantize.patch
 Patch1:giflib_coverity.patch
 # Generate HTML docs with consistent section IDs to avoid multilib difference
 Patch2:giflib_html-docs-consistent-ids.patch
-Patch3:CVE-2022-28506.patch
-Patch4:CVE-2023-39742.patch
-Patch5:CVE-2021-40633.patch
+Patch3:CVE-2021-40633.patch

 BuildRequires: make xmlto gcc
+BuildRequires: ImageMagick
 provides:      giflib-utils

 %description
@ -70,12 +69,19 @@ rm -f %{buildroot}/debugsourcefiles.list

 %files help
 %defattr(-,root,root)
-%{_mandir}/man1/gif*.1*
+%{_mandir}/man1/gif*.*

 %files utils
 %{_bindir}/gif*

 %changelog
+* Fri Jun 21 2024 yaoxin <yao_xin001@hoperun.com> - 5.2.2-1
+- Update to 5.2.2
+  * Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
+  * Address SF issue #151: A heap-buffer-overflow in gif2rgb.c:294:45
+  * Address SF issue #166: a read zero page leads segment fault in
+    getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
+
 * Tue May 14 2024 liwenjie <liwenjie@kylinos.cn> - 5.2.1-8
 - Fix CVE-2021-40633

--- a/giflib_coverity.patch
+++ b/giflib_coverity.patch
@ -1,7 +1,7 @@
-diff -rupN --no-dereference giflib-5.2.1/gif2rgb.c giflib-5.2.1-new/gif2rgb.c
--- giflib-5.2.1/gif2rgb.c	2019-06-24 09:24:27.000000000 +0200
-+++ giflib-5.2.1-new/gif2rgb.c	2020-02-17 16:51:04.468397502 +0100
-@@ -170,6 +170,8 @@ static void SaveGif(GifByteType *OutputB
+diff -rupN --no-dereference giflib-5.2.2/gif2rgb.c giflib-5.2.2-new/gif2rgb.c
+--- giflib-5.2.2/gif2rgb.c	2024-02-19 04:01:28.000000000 +0100
+++ giflib-5.2.2-new/gif2rgb.c	2024-02-19 09:39:38.750976758 +0100
+@@ -165,6 +165,8 @@ static void SaveGif(GifByteType *OutputB
 	/* Open stdout for the output file: */
 	if ((GifFile = EGifOpenFileHandle(1, &Error)) == NULL) {
 		PrintGifError(Error);
@ -10,29 +10,25 @@ diff -rupN --no-dereference giflib-5.2.1/gif2rgb.c giflib-5.2.1-new/gif2rgb.c
 		exit(EXIT_FAILURE);
 	}
 
-@@ -179,6 +181,8 @@ static void SaveGif(GifByteType *OutputB
- 	EGifPutImageDesc(GifFile,
- 			 0, 0, Width, Height, false, NULL) == GIF_ERROR) {
+@@ -173,6 +175,8 @@ static void SaveGif(GifByteType *OutputB
+ 	    EGifPutImageDesc(GifFile, 0, 0, Width, Height, false, NULL) ==
+ 	        GIF_ERROR) {
 		PrintGifError(Error);
 +		free(OutputBuffer);
 +		GifFreeMapObject(OutputColorMap);
 		exit(EXIT_FAILURE);
 	}
 
-@@ -187,8 +191,11 @@ static void SaveGif(GifByteType *OutputB
- 	       GifFile->Image.Width, GifFile->Image.Height);
+@@ -182,6 +186,8 @@ static void SaveGif(GifByteType *OutputB
 
 	for (i = 0; i < Height; i++) {
-	if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR)
-+	if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR) {
+ 		if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR) {
 +			free(OutputBuffer);
 +			GifFreeMapObject(OutputColorMap);
 			exit(EXIT_FAILURE);
-+        }
+ 		}
 		GifQprintf("\b\b\b\b%-4d", Height - i - 1);
- 
- 	Ptr += Width;
-@@ -196,6 +203,8 @@ static void SaveGif(GifByteType *OutputB
+@@ -191,6 +197,8 @@ static void SaveGif(GifByteType *OutputB
 
 	if (EGifCloseFile(GifFile, &Error) == GIF_ERROR) {
 		PrintGifError(Error);
--- a/giflib_html-docs-consistent-ids.patch
+++ b/giflib_html-docs-consistent-ids.patch
@ -1,8 +1,8 @@
-diff -rupN --no-dereference giflib-5.2.1/doc/Makefile giflib-5.2.1-new/doc/Makefile
--- giflib-5.2.1/doc/Makefile	2019-03-28 18:05:25.000000000 +0100
-+++ giflib-5.2.1-new/doc/Makefile	2020-02-17 16:51:04.489397582 +0100
+diff -rupN --no-dereference giflib-5.2.2/doc/Makefile giflib-5.2.2-new/doc/Makefile
+--- giflib-5.2.2/doc/Makefile	2024-02-18 19:15:05.000000000 +0100
+++ giflib-5.2.2-new/doc/Makefile	2024-02-19 09:39:38.785968237 +0100
@@ -1,7 +1,7 @@
- .SUFFIXES: .xml .html .txt .adoc .1
+ .SUFFIXES: .xml .html .txt .adoc .1 .7
 
 .xml.html:
 -	xmlto xhtml-nochunks $<
--- a/giflib_quantize.patch
+++ b/giflib_quantize.patch
@ -1,6 +1,6 @@
-diff -rupN --no-dereference giflib-5.2.1/Makefile giflib-5.2.1-new/Makefile
--- giflib-5.2.1/Makefile	2019-06-24 18:08:57.000000000 +0200
-+++ giflib-5.2.1-new/Makefile	2020-02-17 16:51:04.450397434 +0100
+diff -rupN --no-dereference giflib-5.2.2/Makefile giflib-5.2.2-new/Makefile
+--- giflib-5.2.2/Makefile	2024-02-19 02:01:50.000000000 +0100
+++ giflib-5.2.2-new/Makefile	2024-02-19 09:39:38.715985279 +0100
@@ -29,11 +29,11 @@ LIBPOINT=0
 LIBVER=$(LIBMAJOR).$(LIBMINOR).$(LIBPOINT)