Hello community,

here is the log from the commit of package gd for openSUSE:Factory checked in 
at 2018-09-11 17:13:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gd (Old)
 and      /work/SRC/openSUSE:Factory/.gd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gd"

Tue Sep 11 17:13:21 2018 rev:48 rq:631813 version:2.2.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/gd/gd.changes    2018-01-26 13:34:28.327383444 
+0100
+++ /work/SRC/openSUSE:Factory/.gd.new/gd.changes       2018-09-11 
17:13:25.207768737 +0200
@@ -1,0 +2,14 @@
+Mon Aug 27 13:45:14 UTC 2018 - pgaj...@suse.com
+
+- security update:
+  * CVE-2018-1000222 [bsc#1105434]
+    + gd-CVE-2018-1000222.patch
+
+-------------------------------------------------------------------
+Tue Mar 13 13:31:37 UTC 2018 - crrodrig...@opensuse.org
+
+- libgd-config.patch: do not inject false dependencies into 
+  packages, GD does not need extra libs to be used.
+  this also allows us to clean up -devel package dependencies.
+
+-------------------------------------------------------------------

New:
----
  gd-CVE-2018-1000222.patch
  libgd-config.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gd.spec ++++++
--- /var/tmp/diff_new_pack.uQjaa5/_old  2018-09-11 17:13:25.739767914 +0200
+++ /var/tmp/diff_new_pack.uQjaa5/_new  2018-09-11 17:13:25.743767907 +0200
@@ -34,6 +34,8 @@
 # could be upstreamed
 Patch3:         gd-aliasing.patch
 Patch4:         gd-CVE-2018-5711.patch
+Patch5:         libgd-config.patch
+Patch6:         gd-CVE-2018-1000222.patch
 # needed for tests
 BuildRequires:  dejavu
 BuildRequires:  libjpeg-devel
@@ -43,9 +45,6 @@
 BuildRequires:  pkgconfig(freetype2)
 BuildRequires:  pkgconfig(libtiff-4)
 BuildRequires:  pkgconfig(libwebp)
-BuildRequires:  pkgconfig(x11)
-BuildRequires:  pkgconfig(xau)
-BuildRequires:  pkgconfig(xdmcp)
 BuildRequires:  pkgconfig(xpm)
 Provides:       gdlib = %{version}
 Obsoletes:      gdlib < %{version}
@@ -71,15 +70,6 @@
 Group:          Development/Libraries/C and C++
 Requires:       %{lname} = %{version}
 Requires:       glibc-devel
-Requires:       libjpeg-devel
-Requires:       libpng-devel
-Requires:       pkgconfig(libtiff-4)
-Requires:       pkgconfig(libwebp)
-Requires:       pkgconfig(libwebpdecoder)
-Requires:       pkgconfig(libwebpdemux)
-Requires:       pkgconfig(libwebpmux)
-Requires:       pkgconfig(vpx)
-Requires:       pkgconfig(zlib)
 
 %description devel
 gd allows code to quickly draw images complete with lines, arcs, text,
@@ -94,6 +84,8 @@
 %patch2
 %patch3
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 chmod 644 COPYING
 
 %build

++++++ gd-CVE-2018-1000222.patch ++++++
diff --git a/src/gd_bmp.c b/src/gd_bmp.c
index bde0b9d3..78f40d9a 100644
--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, 
bmp_info_t *info, bmp
 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, 
bmp_hdr_t *header);
 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
 #define BMP_DEBUG(s)
 
 static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, 
int compression)
        void *rv;
        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
        if (out == NULL) return NULL;
-       gdImageBmpCtx(im, out, compression);
-       rv = gdDPExtractData(out, size);
+       if (!_gdImageBmpCtx(im, out, compression))
+               rv = gdDPExtractData(out, size);
+       else
+               rv = NULL;
        out->gd_free(out);
        return rv;
 }
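Review bot: On the new failure branch in gdImageBmpPtr, `rv` is set to NULL but `*size` is never written, so a caller that looks at the size before checking the pointer sees whatever value the variable held on entry. Skipping gdDPExtractData() after a failed encode is the right call; I would also define the out-parameter on that path and brace both branches, e.g. `else { rv = NULL; *size = 0; }`. The start of the function is outside this hunk, so whether `size` may legitimately be NULL is not visible here and should be confirmed before adding the store.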
@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, 
int compression)
                compression - whether to apply RLE or not.
 */
 BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
+       _gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 {
        int bitmap_size = 0, info_size, total_size, padding;
        int i, row, xpos, pixel;
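Review bot: The new static `_gdImageBmpCtx` carries no comment stating its return convention, and that convention (0 on success, 1 on failure, per the `int ret = 1;` initialiser and the `ret = 0;` placed just before `cleanup:` in the later hunks) is the inverse of a boolean "ok" result, which makes `if (!_gdImageBmpCtx(...))` in gdImageBmpPtr easy to misread. I would add above the definition `/* Returns 0 on success, 1 on failure; after a failure the data in out must not be extracted or used. */`. The public `gdImageBmpCtx` wrapper remains `void` and discards the result, so callers that supply their own context still cannot detect a failed encode; the existing doc comment, which now sits on the wrapper, should say so. The body of `_gdImageBmpCtx` continues outside this hunk.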
@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr 
out, int compression)
        unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
        FILE *tmpfile_for_compression = NULL;
        gdIOCtxPtr out_original = NULL;
+       int ret = 1;
 
        /* No compression if its true colour or we don't support seek */
        if (im->trueColor) {
@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr 
out, int compression)
                out_original = NULL;
        }
 
+       ret = 0;
 cleanup:
        if (tmpfile_for_compression) {
 #ifdef _WIN32
@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr 
out, int compression)
        if (out_original) {
                out_original->gd_free(out_original);
        }
-       return;
+       return ret;
 }
 
 static int compress_row(unsigned char *row, int length)

++++++ libgd-config.patch ++++++
Index: libgd-2.2.5/config/gdlib-config.in
===================================================================
--- libgd-2.2.5.orig/config/gdlib-config.in
+++ libgd-2.2.5/config/gdlib-config.in
@@ -74,7 +74,7 @@ while test $# -gt 0; do
        echo @LDFLAGS@
        ;;
     --libs)
-       echo -lgd @LIBS@ @LIBICONV@
+       echo -lgd
        ;;
     --cflags|--includes)
        echo -I@includedir@
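Review bot: With `--libs` reduced to `echo -lgd`, anything that links libgd statically, or that relied on `gdlib-config --libs` to pull in image libraries it calls directly, will now fail at link time with unresolved symbols; the same applies to the `libs:` line of the summary output in the second hunk. If the -devel package ships no static archive this is fine, but that is not visible in this diff and is worth confirming. A short comment next to the `--libs)` case would record the intent, for example `# shared libgd only: private libs intentionally omitted`. The enclosing `while`/`case` starts and ends outside the hunk.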
@@ -87,7 +87,7 @@ while test $# -gt 0; do
        echo "includedir: $includedir"
        echo "cflags:     -I@includedir@"
        echo "ldflags:    @LDFLAGS@"
-       echo "libs:       @LIBS@ @LIBICONV@"
+       echo "libs:       -lgd"
        echo "libdir:     $libdir"
        echo "features:   @FEATURES@"
        ;;
