[oe] [zeus][PATCH] gd: fix CVE-2017-6363

akuster808 akuster808 at gmail.com
Wed Mar 4 05:06:23 UTC 2020 


On 3/3/20 7:20 PM, Haiqing Bai wrote:
> Backport the CVE patch from the upstream to fix the heap-based buffer
> over-read in tiffWriter.
Did I miss the patch for master?

- armin
>
> Signed-off-by: Haiqing Bai <Haiqing.Bai at windriver.com>
> ---
>  .../recipes-support/gd/gd/CVE-2017-6363.patch | 35 +++++++++++++++++++
>  meta-oe/recipes-support/gd/gd_2.2.5.bb        |  1 +
>  2 files changed, 36 insertions(+)
>  create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
>
> diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
> new file mode 100644
> index 000000000..25b5880ff
> --- /dev/null
> +++ b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
> @@ -0,0 +1,35 @@
> +From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
> +From: Mike Frysinger <vapier at gentoo.org>
> +Date: Wed, 31 Jan 2018 14:50:16 -0500
> +Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
> + #383
> +
> +The gd image formats allow for a palette of 256 colors,
> +so if the transparent index is out of range, disable it.
> +
> +Upstream-Status: Backport
> +[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
> +CVE-2017-6363
> +
> +Signed-off-by: Haiqing Bai <Haiqing.Bai at windriver.com>
> +---
> + src/gd_gd.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/gd_gd.c b/src/gd_gd.c
> +index f8d39cb..5a86fc3 100644
> +--- a/src/gd_gd.c
> ++++ b/src/gd_gd.c
> +@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
> + 		if (!gdGetWord (&im->transparent, in)) {
> + 			goto fail1;
> + 		}
> +-		if (im->transparent == 257) {
> ++		/* Make sure transparent index is within bounds of the palette. */
> ++		if (im->transparent >= 256 || im->transparent < 0) {
> + 			im->transparent = (-1);
> + 		}
> + 	}
> +-- 
> +1.9.1
> +
> diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb
> index 35f9bb251..dda2e67d6 100644
> --- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
> +++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
> @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
>             file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
>             file://CVE-2018-1000222.patch \
>             file://CVE-2019-6978.patch \
> +           file://CVE-2017-6363.patch \
>            "
>  
>  SRCREV = "8255231b68889597d04d451a72438ab92a405aba"

More information about the Openembedded-devel mailing list