Hello community, here is the log from the commit of package gd for openSUSE:Factory checked in at 2018-09-11 17:13:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gd (Old) and /work/SRC/openSUSE:Factory/.gd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd" Tue Sep 11 17:13:21 2018 rev:48 rq:631813 version:2.2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/gd/gd.changes 2018-01-26 13:34:28.327383444 +0100 +++ /work/SRC/openSUSE:Factory/.gd.new/gd.changes 2018-09-11 17:13:25.207768737 +0200 @@ -1,0 +2,14 @@ +Mon Aug 27 13:45:14 UTC 2018 - pgaj...@suse.com + +- security update: + * CVE-2018-1000222 [bsc#1105434] + + gd-CVE-2018-1000222.patch + +------------------------------------------------------------------- +Tue Mar 13 13:31:37 UTC 2018 - crrodrig...@opensuse.org + +- libgd-config.patch: do not inject false dependencies into + packages, GD does not need extra libs to be used. + this also allows us to clean up -devel package dependencies. + +------------------------------------------------------------------- New: ---- gd-CVE-2018-1000222.patch libgd-config.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gd.spec ++++++ --- /var/tmp/diff_new_pack.uQjaa5/_old 2018-09-11 17:13:25.739767914 +0200 +++ /var/tmp/diff_new_pack.uQjaa5/_new 2018-09-11 17:13:25.743767907 +0200 @@ -34,6 +34,8 @@ # could be upstreamed Patch3: gd-aliasing.patch Patch4: gd-CVE-2018-5711.patch +Patch5: libgd-config.patch +Patch6: gd-CVE-2018-1000222.patch # needed for tests BuildRequires: dejavu BuildRequires: libjpeg-devel @@ -43,9 +45,6 @@ BuildRequires: pkgconfig(freetype2) BuildRequires: pkgconfig(libtiff-4) BuildRequires: pkgconfig(libwebp) -BuildRequires: pkgconfig(x11) -BuildRequires: pkgconfig(xau) -BuildRequires: pkgconfig(xdmcp) BuildRequires: pkgconfig(xpm) Provides: gdlib = %{version} Obsoletes: gdlib < %{version} @@ -71,15 +70,6 @@ Group: Development/Libraries/C and C++ Requires: %{lname} = %{version} Requires: glibc-devel -Requires: libjpeg-devel -Requires: libpng-devel -Requires: pkgconfig(libtiff-4) -Requires: pkgconfig(libwebp) -Requires: pkgconfig(libwebpdecoder) -Requires: pkgconfig(libwebpdemux) -Requires: pkgconfig(libwebpmux) -Requires: pkgconfig(vpx) -Requires: pkgconfig(zlib) %description devel gd allows code to quickly draw images complete with lines, arcs, text, @@ -94,6 +84,8 @@ %patch2 %patch3 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 chmod 644 COPYING %build ++++++ gd-CVE-2018-1000222.patch ++++++ diff --git a/src/gd_bmp.c b/src/gd_bmp.c index bde0b9d3..78f40d9a 100644 --- a/src/gd_bmp.c +++ b/src/gd_bmp.c @@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); +static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); + #define BMP_DEBUG(s) static int gdBMPPutWord(gdIOCtx *out, int w) @@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) void *rv; gdIOCtx *out = gdNewDynamicCtx(2048, NULL); if (out == NULL) return NULL; - gdImageBmpCtx(im, out, compression); - rv = gdDPExtractData(out, size); + if (!_gdImageBmpCtx(im, out, compression)) + rv = gdDPExtractData(out, size); + else + rv = NULL; out->gd_free(out); return rv; } @@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) compression - whether to apply RLE or not. */ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) +{ + _gdImageBmpCtx(im, out, compression); +} + +static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) { int bitmap_size = 0, info_size, total_size, padding; int i, row, xpos, pixel; @@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; FILE *tmpfile_for_compression = NULL; gdIOCtxPtr out_original = NULL; + int ret = 1; /* No compression if its true colour or we don't support seek */ if (im->trueColor) { @@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) out_original = NULL; } + ret = 0; cleanup: if (tmpfile_for_compression) { #ifdef _WIN32 @@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) if (out_original) { out_original->gd_free(out_original); } - return; + return ret; } static int compress_row(unsigned char *row, int length) ++++++ libgd-config.patch ++++++ Index: libgd-2.2.5/config/gdlib-config.in =================================================================== --- libgd-2.2.5.orig/config/gdlib-config.in +++ libgd-2.2.5/config/gdlib-config.in @@ -74,7 +74,7 @@ while test $# -gt 0; do echo @LDFLAGS@ ;; --libs) - echo -lgd @LIBS@ @LIBICONV@ + echo -lgd ;; --cflags|--includes) echo -I@includedir@ @@ -87,7 +87,7 @@ while test $# -gt 0; do echo "includedir: $includedir" echo "cflags: -I@includedir@" echo "ldflags: @LDFLAGS@" - echo "libs: @LIBS@ @LIBICONV@" + echo "libs: -lgd" echo "libdir: $libdir" echo "features: @FEATURES@" ;;