Control: severity -1 grave
Control: tags -1 + patch

Hi Ondrej,

I uploaded the attached two debdiffs to security-master for jessie- and stretch-security. I wanted to propose as well an NMU to unstable, so it's not unfixed there, but currently libgd2 FTBFS. Would it be possible to import those in the packaging repository? I was not entirely sure how you want the respective branches created (guess just branch upstream-stretch and master-stretch from respective tags).

Regards,
Salvatore
diff -Nru libgd2-2.1.0/debian/changelog libgd2-2.1.0/debian/changelog --- libgd2-2.1.0/debian/changelog 2017-01-18 13:35:12.000000000 +0100 +++ libgd2-2.1.0/debian/changelog 2017-08-12 06:15:41.000000000 +0200 @@ -1,3 +1,11 @@ +libgd2 (2.1.0-5+deb8u10) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading + (Closes: #869263) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 12 Aug 2017 06:15:41 +0200 + libgd2 (2.1.0-5+deb8u9) jessie-security; urgency=high * [CVE-2016-6906]: Fix OOB reads of the TGA decompression buffer diff -Nru libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch --- libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.1.0/debian/patches/0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch 2017-08-12 06:15:41.000000000 +0200 
@@ -0,0 +1,26 @@ +From: "Christoph M. Becker" <cmbecke...@gmx.de> +Date: Thu, 10 Aug 2017 18:31:29 +0200 +Subject: Close #339: Fix unitialized memory read vulnerability in GIF reading +Origin: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424 +Bug-Debian: https://bugs.debian.org/869263 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7890 + +The stack allocated color map buffers were not zeroed before usage, and +so undefined palette indexes could cause information leakage. + +This issue has been reported by Matviy Kotoniy to secur...@libgd.org in +<cakm_7a-ao++b6cxywm_dtycpeng5wnwk7nsevq5omzzimy_...@mail.gmail.com>. +--- + +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -152,6 +152,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro + + gdImagePtr im = 0; + ++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ + if(!ReadOK(fd, buf, 6)) { + return 0; + } diff -Nru libgd2-2.1.0/debian/patches/series libgd2-2.1.0/debian/patches/series --- libgd2-2.1.0/debian/patches/series 2017-01-18 13:35:12.000000000 +0100 +++ libgd2-2.1.0/debian/patches/series 2017-08-12 06:15:41.000000000 +0200 @@ -27,3 +27,4 @@ 0027-Fix-OOB-reads-of-the-TGA-decompression-buffer.patch 0028-Fix-340-System-frozen.patch 0029-Fix-354-Signed-Integer-Overflow-gd_io.c.patch +0030-Close-339-Fix-unitialized-memory-read-vulnerability-.patch
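Review bot: In the src/gd_gif_in.c hunk of the jessie debdiff, both memset calls hard-code the length as 3 * MAXCOLORMAPSIZE, which is only correct if ColorMap and localColorMap are arrays of exactly that many bytes, and their declarations are outside the hunk context. Using sizeof(ColorMap) and sizeof(localColorMap) would keep the zeroing tied to the declarations, provided both are true arrays in this function and not pointers. A one-line comment above the memsets stating that undefined palette indexes must read as zero would also keep the calls from being removed as redundant in a later cleanup.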
diff -Nru libgd2-2.2.4/debian/changelog libgd2-2.2.4/debian/changelog --- libgd2-2.2.4/debian/changelog 2017-01-18 21:06:46.000000000 +0100 +++ libgd2-2.2.4/debian/changelog 2017-08-12 07:14:26.000000000 +0200 @@ -1,3 +1,11 @@ +libgd2 (2.2.4-2+deb9u1) stretch-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2017-7890: Fix unitialized memory read vulnerability in GIF reading + (Closes: #869263) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 12 Aug 2017 07:14:26 +0200 + libgd2 (2.2.4-2) unstable; urgency=medium * Apply correct patch on tiff_invalid_read diff -Nru libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch --- libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.2.4/debian/patches/0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch 2017-08-12 07:14:26.000000000 +0200 
@@ -0,0 +1,28 @@ +From: "Christoph M. Becker" <cmbecke...@gmx.de> +Date: Thu, 10 Aug 2017 18:31:29 +0200 +Subject: Close #339: Fix unitialized memory read vulnerability in GIF reading +Origin: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424 +Bug-Debian: https://bugs.debian.org/869263 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7890 + +The stack allocated color map buffers were not zeroed before usage, and +so undefined palette indexes could cause information leakage. + +This issue has been reported by Matviy Kotoniy to secur...@libgd.org in +<cakm_7a-ao++b6cxywm_dtycpeng5wnwk7nsevq5omzzimy_...@mail.gmail.com>. +--- + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index 008d1ec..c195448 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + + gdImagePtr im = 0; + ++ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); ++ + if(!ReadOK(fd, buf, 6)) { + return 0; + } diff -Nru libgd2-2.2.4/debian/patches/series libgd2-2.2.4/debian/patches/series --- libgd2-2.2.4/debian/patches/series 2017-01-18 21:06:46.000000000 +0100 +++ libgd2-2.2.4/debian/patches/series 2017-08-12 07:14:26.000000000 +0200 @@ -3,3 +3,4 @@ 0004-Fix-error-ISO-C99-requires-at-least-one-argument-for.patch disable-tests-gdimagegrayscale-as-it-breaks-on-32-bit.patch 0005-Fix-tiff_invalid_read-check.patch +0006-Close-339-Fix-unitialized-memory-read-vulnerability-.patch
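Review bot: No test accompanies the fix in the stretch debdiff (the same holds for the jessie one): the only source file touched is src/gd_gif_in.c, next to debian/changelog and debian/patches/series. A regression test that decodes a GIF whose pixels reference palette indexes beyond the declared color table, and asserts that those entries come out as zero, would guard the backport against being lost on a later rebase of the patch queue. Separately, "unitialized" in the new changelog entry is a misspelling of "uninitialized"; the patch Subject can stay as it is to match its Origin, but the changelog line can be spelled correctly.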