From a052ecb5b8bb11a9e882b5a4df6a475877a9b75e Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Mon, 13 Sep 2021 22:44:24 +0200
Subject: [PATCH] package/gd: security bump to version 2.3.3
- Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
- Drop patch (already in version)
- Update hash of COPYING (duplicate merged and title added with https://github.com/libgd/libgd/commit/82d260950589563a1af9c56f4ce5fde843a695ae https://github.com/libgd/libgd/commit/6013c7bcf6eb795dba584f92d3824ebd3ae60202)
https://github.com/libgd/libgd/releases/tag/gd-2.3.3
Signed-off-by: Fabrice Fontaine
Signed-off-by: Peter Korsgaard
---
 ...-of-bands-in-reading-tga-header-file.patch | 29 -------------------
 package/gd/gd.hash | 4 +--
 package/gd/gd.mk | 5 +---
 3 files changed, 3 insertions(+), 35 deletions(-)
 delete mode 100644 package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
diff --git a/package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch b/package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
deleted file mode 100644
index a42bfb402e..0000000000
--- a/package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8b111b2b4a4842179be66db68d84dda91a246032 Mon Sep 17 00:00:00 2001
-From: maryam ebrahimzadeh
-Date: Mon, 19 Jul 2021 10:07:13 +0430
-Subject: [PATCH] fix read out-of-bands in reading tga header file
-
-[Retrieved from:
-https://github.com/libgd/libgd/commit/8b111b2b4a4842179be66db68d84dda91a246032]
-Signed-off-by: Fabrice Fontaine
----
- src/gd_tga.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index cae9428da..286febb28 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -191,7 +191,11 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
- return -1;
- }
-
-- gdGetBuf(tga->ident, tga->identsize, ctx);
-+
-+ if (gdGetBuf(tga->ident, tga->identsize, ctx) != tga->identsize) {
-+ gd_error("fail to read header ident");
-+ return -1;
-+ }
- }
-
- return 1.
diff --git a/package/gd/gd.hash b/package/gd/gd.hash
index 25e64e801b..d0b1e97675 100644
--- a/package/gd/gd.hash
+++ b/package/gd/gd.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256 478a047084e0d89b83616e4c2cf3c9438175fb0cc55d8c8967f06e0427f7d7fb libgd-2.3.2.tar.xz
-sha256 4d80b4af6c38d7a65128c881623dee2a5daee6b3a6ccab74a5cdfa0dfda96da7 COPYING
+sha256 3fe822ece20796060af63b7c60acb151e5844204d289da0ce08f8fdf131e5a61 libgd-2.3.3.tar.xz
+sha256 005f4b6b0141d1bd11d371bbf7d4f67947f85a4906b7f5465f942204cf918ba3 COPYING
diff --git a/package/gd/gd.mk b/package/gd/gd.mk
index 90f966c294..55c12e6968 100644
--- a/package/gd/gd.mk
+++ b/package/gd/gd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-GD_VERSION = 2.3.2
+GD_VERSION = 2.3.3
 GD_SOURCE = libgd-$(GD_VERSION).tar.xz
 GD_SITE = https://github.com/libgd/libgd/releases/download/gd-$(GD_VERSION)
 GD_INSTALL_STAGING = YES
@@ -15,9 +15,6 @@ GD_CPE_ID_PRODUCT = libgd
 GD_CONF_OPTS = --without-x --disable-rpath --disable-werror
 GD_DEPENDENCIES = host-pkgconf
-# 0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
-GD_IGNORE_CVES += CVE-2021-38115
-
 # gd forgets to link utilities with -pthread even though it uses
 # pthreads, causing linking errors with static linking
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)