Control: tags 887485 + patch Control: tags 887485 + pending Control: tags 906840 + pending Control: tags 906886 + pending
Dear maintainer, I've prepared an NMU for libgd2 (versioned as 2.2.5-4.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. I'm aware, though, that this upload will not allow the fixes to go to testing, as there are two more RC bugs (#899928, which needs a decision on the maintainer address, and a second one, #883760). The main purpose of this still-incomplete NMU is to allow #910396 ("stretch-pu: package libgd2/2.2.4-2+deb9u3") to be included in 9.6. Regards, Salvatore
diff -Nru libgd2-2.2.5/debian/changelog libgd2-2.2.5/debian/changelog
--- libgd2-2.2.5/debian/changelog 2017-10-22 11:14:32.000000000 +0200
+++ libgd2-2.2.5/debian/changelog 2018-10-06 00:22:59.000000000 +0200
@@ -1,3 +1,17 @@
+libgd2 (2.2.5-4.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Potential infinite loop in gdImageCreateFromGifCtx (CVE-2018-5711)
+ (Closes: #887485)
+ * bmp: check return value in gdImageBmpPtr (CVE-2018-1000222)
+ (Closes: #906886)
+ * Remove src/Makefile.am patching in
+ tests-make-a-little-change-for-autopkgtest.patch. Fixes "libgd2 FTBFS:
+ cannot find -lgd".
+ Thanks to Helmut Grohne and Adrian Bunk (Closes: #906840)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 06 Oct 2018 00:22:59 +0200
+
 libgd2 (2.2.5-4) unstable; urgency=medium
 [ Ji???? Pale??ek ]
diff -Nru libgd2-2.2.5/debian/patches/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch libgd2-2.2.5/debian/patches/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
--- libgd2-2.2.5/debian/patches/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.2.5/debian/patches/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch 2018-10-06 00:22:59.000000000 +0200
@@ -0,0 +1,53 @@
+From: "Christoph M. Becker" <cmbecke...@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+origin: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5711
+Bug-Debian: https://bugs.debian.org/887485
+Bug: https://github.com/libgd/libgd/issues/420
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ terminated:
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ terminated:
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0;
diff -Nru libgd2-2.2.5/debian/patches/bmp-check-return-value-in-gdImageBmpPtr.patch libgd2-2.2.5/debian/patches/bmp-check-return-value-in-gdImageBmpPtr.patch
--- libgd2-2.2.5/debian/patches/bmp-check-return-value-in-gdImageBmpPtr.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.2.5/debian/patches/bmp-check-return-value-in-gdImageBmpPtr.patch 2018-10-06 00:22:59.000000000 +0200
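Review bot: The `unsigned char count` → `int count` change at the end of the hunk is the whole CVE-2018-5711 fix, yet none of the code that assigns or compares `count` is in the hunk, so a reader of this patch cannot confirm that the (presumably negative) error value it receives is now compared as negative; GetCode_'s body continues outside the hunk. A comment on the declaration would stop a later cleanup from narrowing it again: `int count; /* must stay signed: a negative error value assigned below has to end the loop (CVE-2018-5711) */`. The relocated `!im->colorsTotal` check now runs after the open-colour trimming loop, as the description asks, but the loop body between the two inner hunks is not visible, so that the trim can drive colorsTotal to zero is taken from the description rather than shown here.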
@@ -0,0 +1,79 @@
+From: Mike Frysinger <vap...@gentoo.org>
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: bmp: check return value in gdImageBmpPtr
+Origin: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000222
+Bug-Debian: https://bugs.debian.org/906886
+Bug: https://github.com/libgd/libgd/issues/447
+
+Closes #447.
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index bde0b9d3abbd..78f40d9a475e 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageBmpCtx(im, out, compression);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageBmpCtx(im, out, compression))
++ rv = gdDPExtractData(out, size);
++ else
++ rv = NULL;
+ out->gd_free(out);
+ return rv;
+ }
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
++{
++ _gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ int bitmap_size = 0, info_size, total_size, padding;
+ int i, row, xpos, pixel;
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ FILE *tmpfile_for_compression = NULL;
+ gdIOCtxPtr out_original = NULL;
++ int ret = 1;
+
+ /* No compression if its true colour or we don't support seek */
+ if (im->trueColor) {
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ out_original = NULL;
+ }
+
++ ret = 0;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -338,7 +349,7 @@ cleanup:
+ if (out_original) {
+ out_original->gd_free(out_original);
+ }
+- return;
++ return ret;
+ }
+
+ static int compress_row(unsigned char *row, int length)
+--
+2.19.1
+
diff -Nru libgd2-2.2.5/debian/patches/series libgd2-2.2.5/debian/patches/series
--- libgd2-2.2.5/debian/patches/series 2017-10-22 11:14:32.000000000 +0200
+++ libgd2-2.2.5/debian/patches/series 2018-10-06 00:22:59.000000000 +0200
@@ -5,3 +5,5 @@
 0005-Disable-failing-test-that-breaks-some-builds.patch
 0006-Disable-gdimagerotate-bug00067-because-it-FTBFS-on-i.patch
 tests-make-a-little-change-for-autopkgtest.patch
+Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
+bmp-check-return-value-in-gdImageBmpPtr.patch
diff -Nru libgd2-2.2.5/debian/patches/tests-make-a-little-change-for-autopkgtest.patch libgd2-2.2.5/debian/patches/tests-make-a-little-change-for-autopkgtest.patch
--- libgd2-2.2.5/debian/patches/tests-make-a-little-change-for-autopkgtest.patch 2017-10-22 11:14:32.000000000 +0200
+++ libgd2-2.2.5/debian/patches/tests-make-a-little-change-for-autopkgtest.patch 2018-10-06 00:22:59.000000000 +0200
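Review bot: In gdImageBmpPtr the new failure branch sets `rv = NULL` but leaves `*size` untouched, so a caller that reads the size output before checking the pointer sees whatever it held before the call; writing it explicitly, `else { rv = NULL; *size = 0; }`, is cheap and removes the indeterminate output (the success-path contract of gdDPExtractData is not visible here, so this is inferred). The public `gdImageBmpCtx` wrapper keeps its void signature and discards the status from `_gdImageBmpCtx`, so callers of the Ctx entry point still cannot detect a failed write; that is an ABI constraint rather than a defect of this patch, but a comment on the wrapper such as `/* status dropped: public ABI is void; internal callers use _gdImageBmpCtx */` would make the limitation explicit. As a point of style, `_gdImageBmpCtx` is a file-scope identifier beginning with an underscore, which C reserves for the implementation; a name such as `gdImageBmpCtxInternal` would avoid that. The body of `_gdImageBmpCtx` between `int ret = 1;` and `ret = 0;` lies outside the hunk, so that every early exit reaches `cleanup` with ret still 1 is taken on trust.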
@@ -11,14 +11,3 @@
 AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/tests/gdtest
 check_PROGRAMS = $(libgd_test_programs) $(libgd_helper_programs)
-Index: libgd2/src/Makefile.am
-===================================================================
---- libgd2.orig/src/Makefile.am
-+++ libgd2/src/Makefile.am
-@@ -113,5 +113,5 @@ libgd_la_LDFLAGS = -version-info $(GDLIB
-
- libgd_la_LIBADD = $(LTLIBICONV)
-
---LDADD = libgd.la $(LIBICONV)
-+LDADD = -lgd $(LIBICONV)
-