Added a patch to fix CVE-2018-1000222
Change-Id: Ibf7121f04a00f9e7257b4eba193461750609f422
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6085
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,73 @@ |
0 |
+From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Mike Frysinger <vapier@gentoo.org> |
|
2 |
+Date: Sat, 14 Jul 2018 13:54:08 -0400 |
|
3 |
+Subject: [PATCH] bmp: check return value in gdImageBmpPtr |
|
4 |
+ |
|
5 |
+Closes #447. |
|
6 |
+--- |
|
7 |
+ src/gd_bmp.c | 17 ++++++++++++++--- |
|
8 |
+ 1 file changed, 14 insertions(+), 3 deletions(-) |
|
9 |
+ |
|
10 |
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c |
|
11 |
+index bde0b9d3..78f40d9a 100644 |
|
12 |
+--- a/src/gd_bmp.c |
|
13 |
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp |
|
14 |
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); |
|
15 |
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); |
|
16 |
+ |
|
17 |
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); |
|
18 |
++ |
|
19 |
+ #define BMP_DEBUG(s) |
|
20 |
+ |
|
21 |
+ static int gdBMPPutWord(gdIOCtx *out, int w) |
|
22 |
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) |
|
23 |
+ void *rv; |
|
24 |
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
|
25 |
+ if (out == NULL) return NULL; |
|
26 |
+- gdImageBmpCtx(im, out, compression); |
|
27 |
+- rv = gdDPExtractData(out, size); |
|
28 |
++ if (!_gdImageBmpCtx(im, out, compression)) |
|
29 |
++ rv = gdDPExtractData(out, size); |
|
30 |
++ else |
|
31 |
++ rv = NULL; |
|
32 |
+ out->gd_free(out); |
|
33 |
+ return rv; |
|
34 |
+ } |
|
35 |
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) |
|
36 |
+ compression - whether to apply RLE or not. |
|
37 |
+ */ |
|
38 |
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
|
39 |
++{ |
|
40 |
++ _gdImageBmpCtx(im, out, compression); |
|
41 |
++} |
|
42 |
++ |
|
43 |
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
|
44 |
+ { |
|
45 |
+ int bitmap_size = 0, info_size, total_size, padding; |
|
46 |
+ int i, row, xpos, pixel; |
|
47 |
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
|
48 |
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; |
|
49 |
+ FILE *tmpfile_for_compression = NULL; |
|
50 |
+ gdIOCtxPtr out_original = NULL; |
|
51 |
++ int ret = 1; |
|
52 |
+ |
|
53 |
+ /* No compression if its true colour or we don't support seek */ |
|
54 |
+ if (im->trueColor) { |
|
55 |
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
|
56 |
+ out_original = NULL; |
|
57 |
+ } |
|
58 |
+ |
|
59 |
++ ret = 0; |
|
60 |
+ cleanup: |
|
61 |
+ if (tmpfile_for_compression) { |
|
62 |
+ #ifdef _WIN32 |
|
63 |
+@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
|
64 |
+ if (out_original) { |
|
65 |
+ out_original->gd_free(out_original); |
|
66 |
+ } |
|
67 |
+- return; |
|
68 |
++ return ret; |
|
69 |
+ } |
|
70 |
+ |
|
71 |
+ static int compress_row(unsigned char *row, int length) |
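Review bot: The return convention of the new helper `_gdImageBmpCtx` is not stated anywhere: `int ret = 1;` at entry and `ret = 0;` just before `cleanup:` mean 0 is success, so `if (!_gdImageBmpCtx(im, out, compression))` in gdImageBmpPtr is the success test, which is easy to misread. A comment on the forward declaration, for example `/* Returns 0 on success, non-zero if encoding failed and the output must not be used. */`, would make that check auditable. The public wrapper `gdImageBmpCtx` stays `void` and drops the status, so its callers still cannot tell a failed write from a complete one, and a one-line comment there should say so. On the new failure branch (`rv = NULL;`) `*size` is also left unwritten because gdDPExtractData is skipped, so the function comment should tell callers to test the returned pointer before reading the size. The body of `_gdImageBmpCtx` between the shown hunks is outside this view, so the paths that reach `cleanup:` early are inferred, not confirmed.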
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: GD is an open source code library for the dynamic creation of images by programmers. |
2 | 2 |
Name: libgd |
3 | 3 |
Version: 2.2.5 |
4 |
-Release: 1%{?dist} |
|
4 |
+Release: 2%{?dist} |
|
5 | 5 |
License: MIT |
6 | 6 |
URL: https://libgd.github.io/ |
7 | 7 |
Group: System/Libraries |
... | ... |
@@ -9,6 +9,7 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 libgd=b777b005c401b6fa310ccf09eeb29f6c6e17ab2c |
12 |
+Patch0: CVE-2018-1000222.patch |
|
12 | 13 |
BuildRequires: libjpeg-turbo-devel |
13 | 14 |
BuildRequires: libpng-devel |
14 | 15 |
BuildRequires: libwebp-devel |
... | ... |
@@ -29,6 +30,7 @@ Requires: %{name} = %{version} |
29 | 29 |
Header & Development files |
30 | 30 |
%prep |
31 | 31 |
%setup -q |
32 |
+%patch0 -p1 |
|
32 | 33 |
|
33 | 34 |
%build |
34 | 35 |
./configure --prefix=%{_prefix} --with-webp --with-tiff --with-jpeg --with-png --disable-werror --disable-static |
... | ... |
@@ -51,6 +53,8 @@ make %{?_smp_mflags} -k check |
51 | 51 |
%{_libdir}/pkgconfig/* |
52 | 52 |
|
53 | 53 |
%changelog |
54 |
+* Fri Nov 02 2018 Ankit Jain <ankitja@vmware.com> 2.2.5-2 |
|
55 |
+- Fix for CVE-2018-1000222 |
|
54 | 56 |
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 2.2.5-1 |
55 | 57 |
- Updated to version 2.2.5 to address CVE-2017-6362 |
56 | 58 |
* Tue Jan 31 2017 Xiaolin Li <xiaolinl@vmware.com> 2.2.4-1 |