main/gd: patch CVE-2018-14553 and CVE-2019-11038

2026-05-05 20:36:40 +02:00 · 2020-04-08 16:04:31 +02:00 · 2020-04-08 16:04:31 +02:00 · 2a81285037
commit 2a81285037
parent 7ebd962811
3 changed files with 80 additions and 5 deletions
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=gd
 pkgver=2.2.5
-pkgrel=2
+pkgrel=3
 _pkgreal=lib$pkgname
 pkgdesc="Library for the dynamic creation of images by programmers"
 url="https://libgd.github.io/"
@ -13,7 +13,9 @@ makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev
 subpackages="$pkgname-dev $_pkgreal:libs"
 source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
 	CVE-2018-1000222.patch
+	CVE-2018-14553.patch
 	CVE-2018-5711.patch
+	CVE-2019-11038.patch
 	CVE-2019-6977.patch
 	CVE-2019-6978.patch
 	"
@ -23,12 +25,15 @@ case "$CARCH" in
 esac

 # secfixes:
+#   2.2.5-r3:
+#     - CVE-2018-14553
+#     - CVE-2019-11038
 #   2.2.5-r2:
-#   - CVE-2018-5711
-#   - CVE-2019-6977
-#   - CVE-2019-6978
+#     - CVE-2018-5711
+#     - CVE-2019-6977
+#     - CVE-2019-6978
 #   2.2.5-r1:
-#   - CVE-2018-1000222
+#     - CVE-2018-1000222

 build() {
 	cd "$builddir"
@ -62,6 +67,8 @@ dev() {

 sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b  libgd-2.2.5.tar.xz
 d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b  CVE-2018-1000222.patch
+9bf1677d69d04f41eba48b48e853ad706f3097edb1a96c3b681b516708be0ba199c463e7b3e44f52921e14028a7c4d74977d66e7f456b9f96d935ce9db342c0e  CVE-2018-14553.patch
 b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886  CVE-2018-5711.patch
+a56397fb310c94d4dc9c565dcec17ffd7411e1957ba45f1093e9fffad74192c244b1ef4f9d954c052f589fd5b4d1cc37ca5d53d8db569cee09a7bdc38bfc4eaf  CVE-2019-11038.patch
 5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac  CVE-2019-6977.patch
 2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97  CVE-2019-6978.patch"
--- a/main/gd/CVE-2018-14553.patch
+++ b/main/gd/CVE-2018-14553.patch
@ -0,0 +1,32 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
+++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 		}
+ 	}
+ 
+-	if (src->styleLength > 0) {
+-		dst->styleLength = src->styleLength;
+-		dst->stylePos    = src->stylePos;
+-		for (i = 0; i < src->styleLength; i++) {
+-			dst->style[i] = src->style[i];
+-		}
+-	}
+-
+ 	dst->interlace   = src->interlace;
+ 
+ 	dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 
+ 	if (src->style) {
+ 		gdImageSetStyle(dst, src->style, src->styleLength);
+		dst->stylePos = src->stylePos;
+ 	}
+ 
+ 	for (i = 0; i < gdMaxColors; i++) {
--- a/main/gd/CVE-2019-11038.patch
+++ b/main/gd/CVE-2019-11038.patch
@ -0,0 +1,36 @@
+From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001
+From: Jonas Meurer <jonas@freesources.org>
+Date: Tue, 11 Jun 2019 12:16:46 +0200
+Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm
+ (CVE-2019-11038)
+
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
+Bug-Debian: https://bugs.debian.org/929821
+Bug: https://github.com/libgd/libgd/issues/501
+
+We have to ensure that `sscanf()` does indeed read a hex value here,
+and bail out otherwise.
+
+Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
+https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
+---
+ src/gd_xbm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 4ca41acf..cf0545ef 100644
+--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ 			}
+ 			h[3] = ch;
+ 		}
+-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
+ 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ 			if (x == im->sx) {