Re: UPDATE: graphics/gd
On Wed May 10, 2017 at 09:45:19AM +0100, Stuart Henderson wrote:
> On 2017/05/09 21:14, Rafael Sadowski wrote:
> > multimedia/gstreamer1/ (tested but there is no gd)
>
> ha, my search matched "graphics/gd" against "graphics/gdk-pixbuf2".
>
> > Index: Makefile
> > Index: Makefile
> > Index: Makefile
> ...
>
> I'm not going to run patch 14 times, please send a diff done
> from /usr/ports :)

I'm sorry, new diff below:

Index: cad/pcb/Makefile === RCS file: /cvs/ports/cad/pcb/Makefile,v retrieving revision 1.33 diff -u -p -u -p -r1.33 Makefile --- cad/pcb/Makefile18 May 2015 11:29:37 - 1.33 +++ cad/pcb/Makefile10 May 2017 11:43:08 - @@ -3,7 +3,7 @@ COMMENT= printed circuit board layout tool DISTNAME= pcb-20110918 CATEGORIES=cad -REVISION= 6 +REVISION= 7 HOMEPAGE= http://pcb.gpleda.org/ @@ -15,7 +15,7 @@ WANTLIB += Xi Xinerama Xmu Xrandr Xrende WANTLIB += fontconfig freetype gd gdk-x11-2.0 gdk_pixbuf-2.0 WANTLIB += gdkglext-x11-1.0 gio-2.0 glib-2.0 gmodule-2.0 gobject-2.0 WANTLIB += gtk-x11-2.0 gtkglext-x11-1.0 jpeg m pango-1.0 pangocairo-1.0 -WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff vpx z +WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff webp z MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=pcb/} Index: converters/libpst/Makefile === RCS file: /cvs/ports/converters/libpst/Makefile,v retrieving revision 1.48 diff -u -p -u -p -r1.48 Makefile --- converters/libpst/Makefile 10 Apr 2017 11:45:24 - 1.48 +++ converters/libpst/Makefile 10 May 2017 11:43:08 - @@ -11,6 +11,7 @@ SHARED_LIBS += pst 3.0 PKGNAME-main= ${DISTNAME} PKGNAME-python=py-${DISTNAME} +REVISION-main= 0 CATEGORIES=converters mail 
@@ -26,7 +27,7 @@ cWANTLIB += m pthread ${LIBCXX} WANTLIB-main += ${cWANTLIB} iconv intl WANTLIB-main += bz2 c expat ffi fontconfig freetype gd gio-2.0 WANTLIB-main += glib-2.0 gmodule-2.0 gobject-2.0 gsf-1 jpeg pcre png -WANTLIB-main += pthread-stubs tiff vpx xml2 z m pthread ${LIBCXX} lzma +WANTLIB-main += pthread-stubs tiff webp xml2 z m pthread ${LIBCXX} lzma WANTLIB-python += ${cWANTLIB} iconv WANTLIB-python += pst util boost_python Index: devel/cvsgraph/Makefile === RCS file: /cvs/ports/devel/cvsgraph/Makefile,v retrieving revision 1.21 diff -u -p -u -p -r1.21 Makefile --- devel/cvsgraph/Makefile 13 Sep 2016 14:40:29 - 1.21 +++ devel/cvsgraph/Makefile 10 May 2017 11:43:10 - @@ -5,11 +5,12 @@ COMMENT= graphical representation of CV DISTNAME= cvsgraph-1.7.0 CATEGORIES=devel HOMEPAGE= http://www.akhphd.au.dk/~bertho/cvsgraph +REVISION= 0 # GPLv2+ PERMIT_PACKAGE_CDROM= Yes -WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff vpx +WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff webp WANTLIB += z MASTER_SITES= ${HOMEPAGE}/release/ Index: graphics/gd/Makefile === RCS file: /cvs/ports/graphics/gd/Makefile,v retrieving revision 1.70 diff -u -p -u -p -r1.70 Makefile --- graphics/gd/Makefile10 Apr 2017 11:46:20 - 1.70 +++ graphics/gd/Makefile10 May 2017 11:43:22 - @@ -2,12 +2,11 @@ COMMENT= library for dynamic creation of images -V= 2.1.1 -REVISION= 3 +V= 2.2.4 DISTNAME= libgd-$V PKGNAME= gd-$V -SHARED_LIBS += gd 21.1 # 3.0 +SHARED_LIBS += gd 22.0 # 3.0 CATEGORIES=graphics 
@@ -16,17 +15,17 @@ HOMEPAGE= http://www.libgd.org/ PERMIT_PACKAGE_CDROM= Yes WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z +WANTLIB += pthread-stubs ${LIBCXX} tiff webp z -MASTER_SITES= https://bitbucket.org/libgd/gd-libgd/downloads/ +MASTER_SITES= https://github.com/libgd/libgd/releases/download/${PKGNAME}/ CONFIGURE_STYLE= gnu CONFIGURE_ARGS+= --without-xpm LIB_DEPENDS= converters/libiconv \ graphics/jpeg \ + graphics/libwebp \ graphics/png \ - graphics/tiff \ - multimedia/libvpx + graphics/tiff .include Index: graphics/gd/distinfo === RCS file: /cvs/ports/graphics/gd/distinfo,v retrieving revision 1.8 diff -u -p -u -p -r1.8 distinfo --- graphics/gd/distinfo14 Nov 2015 12:41:53 - 1.8 +++ graphics/gd/distinfo10 May 2017 11:43:22 - @@ -1,2 +1,2 @@ -SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU= -SIZE (libgd-2.1.1.tar.gz) = 2390586 +SHA256 (libgd-2.2.4.tar.gz) =
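Review bot: the MASTER_SITES line in the graphics/gd Makefile hunk builds the download URL from ${PKGNAME} (gd-2.2.4) while the tarball name comes from DISTNAME (libgd-2.2.4), so the fetch only works if the upstream release tag is gd-$V rather than libgd-$V; verify with make fetch before committing. The REVISION-main= 0 added to converters/libpst (versus plain REVISION for cvsgraph and pcb) is consistent with that port's -main/-python subpackages, since only WANTLIB-main lists gd while WANTLIB-python lists pst util boost_python.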
Re: UPDATE: graphics/gd
On 2017/05/09 21:14, Rafael Sadowski wrote:
> multimedia/gstreamer1/ (tested but there is no gd)

ha, my search matched "graphics/gd" against "graphics/gdk-pixbuf2".

> Index: Makefile
> Index: Makefile
> Index: Makefile
...

I'm not going to run patch 14 times, please send a diff done
from /usr/ports :)
Re: UPDATE: graphics/gd
On Sun May 07, 2017 at 10:14:55PM +0100, Stuart Henderson wrote:
> On 2017/05/07 22:37, Rafael Sadowski wrote:
> > On Sun Apr 30, 2017 at 12:08:47PM +0100, Stuart Henderson wrote:
> > > On 2017/04/29 23:14, Rafael Sadowski wrote:
> > > > is there any good reason to not update libgd? Here are eight good
> > > > reasons for an update:
> > > >
> > > No reason not to update it. Quite a few things depend on it though,
> > > so testing is a bit annoying, which might explain why it's old.
> > >
> > > > -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > > -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > > > +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > > +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > >
> > > er?
> > >
> > > > LIB_DEPENDS= converters/libiconv \
> > > > graphics/jpeg \
> > > > graphics/png \
> > > > - graphics/tiff \
> > > > - multimedia/libvpx
> > > > + graphics/tiff
> > >
> > > Need to make sure that dropping libvpx doesn't cause problems in
> > > dependent ports.
> > >
> > > Didn't they change from libvpx to libwebp rather than dropping webp
> > > support completely?
> >
> > Please find a new diff with libwebp support from Brad Smith.
> >
> > The following ports are affected (diff see below):
> >
> > cad/pcb
> > graphics/libgphoto2
> > net/amule
> > net/rtg
> > print/texlive/base
> > sysutils/modlogan
> > www/analog
> >
> > Unaffected:
> >
> > emulators/fceux
> > mail/rspamd
> > math/plplot
> > net/mldonkey
> > net/nagios/nagios
> > sysutils/nut
> > www/rt
> > www/webalizer
> These lists don't match the diff; www/analog isn't in the diff,
> net/mldonkey is in the diff but listed as unaffected, and
> math/graphviz is in the diff but not listed above at all.

Everything too rash! Now, with more structure!
>
> (For a commit which touches ports all over the tree, you should
> list the directories on the command line rather than letting cvs
> iterate over the whole lot, so you want the list to be correct :)

ACK;

>
> Apart from the extra whitespace in the WANTLIB line for graphviz,
> what's in the diff looks correct, but there are some other ports
> which I think may be affected too - are you sure that you don't
> need changes for libpst, cvsgraph, eduke32, mscgen, p5-GD,
> gnuplot, gstreamer1-plugins-good?

Now, hopefully complete.

Affected:

net/amule/
devel/cvsgraph/
math/gnuplot/
math/graphviz/
graphics/libgphoto2/
converters/libpst/
net/mldonkey/
sysutils/modlogan/
graphics/mscgen/
graphics/p5-GD/
cad/pcb/
net/rtg/
print/texlive/base

Unaffected:

emulators/fceux/
games/eduke32/
graphics/ansilove/
graphics/fswebcam/
graphics/luagd/
graphics/py-gd/
mail/rspamd/
math/plplot/
multimedia/gstreamer1/ (tested but there is no gd)
net/icinga/core
net/nagios/nagios
net/pfstat/
net/vnstat
sysutils/apcupsd/
sysutils/nut/
www/analog/
www/nginx/
www/rt/
www/sarg/
www/webalizer

Index: Makefile === RCS file: /cvs/ports/net/amule/Makefile,v retrieving revision 1.58 diff -u -p -u -p -r1.58 Makefile --- Makefile10 Apr 2017 11:46:23 - 1.58 +++ Makefile7 May 2017 19:44:56 - @@ -6,7 +6,7 @@ COMMENT-daemon =stand-alone daemon/cmdli V =2.3.2 DISTNAME = aMule-$V -REVISION = 1 +REVISION = 2 CATEGORIES = net HOMEPAGE = http://www.amule.org/ 
@@ -52,7 +52,7 @@ RUN_DEPENDS-main =${RUN_DEPENDS} \ commonWANTLIB =c ixml m pthread ${LIBCXX} threadutil upnp \ wx_base wx_base_net z WANTLIB-main = ${WANTLIB} ${commonWANTLIB} \ - GeoIP X11 cryptopp fontconfig tiff vpx \ + GeoIP X11 cryptopp fontconfig tiff webp \ freetype gd jpeg png wx_gtk2_adv wx_gtk2_core WANTLIB-daemon = ${WANTLIB} ${commonWANTLIB} \ cryptopp readline termcap Index: Makefile === RCS file: /cvs/ports/devel/cvsgraph/Makefile,v retrieving revision 1.21 diff -u -p -u -p -r1.21 Makefile --- Makefile13 Sep 2016 14:40:29 - 1.21 +++ Makefile8 May 2017 19:57:24 - @@ -5,11 +5,12 @@ COMMENT= graphical representation of CV DISTNAME= cvsgraph-1.7.0 CATEGORIES=devel HOMEPAGE= http://www.akhphd.au.dk/~bertho/cvsgraph +REVISION= 0 # GPLv2+ PERMIT_PACKAGE_CDROM= Yes -WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff vpx +WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff webp WANTLIB += z MASTER_SITES= ${HOMEPAGE}/release/ Index: Makefile === RCS file: /home/cvs/ports/graphics/gd/Makefile,v retrieving revision 1.70 diff -u -p -u -p -r1.70 Makefile --- Makefile10 Apr 2017 11:46:20 - 1.70
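Review bot: every file in this diff is indexed as a bare "Index: Makefile", with the port directory visible only in the RCS file: line, so patch(1) run from /usr/ports has no path to apply each hunk to and the same Index: name repeats for amule, cvsgraph and gd; regenerate it with cvs diff from the top of the tree (or with the port directories on the command line) so that Index: reads e.g. net/amule/Makefile. The graphics/gd entry also shows RCS file: /home/cvs/ports/... while the others show /cvs/ports/..., which suggests the hunks were produced from two different checkouts and should be redone from one.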
Re: UPDATE: graphics/gd
On 2017/05/07 22:37, Rafael Sadowski wrote:
> On Sun Apr 30, 2017 at 12:08:47PM +0100, Stuart Henderson wrote:
> > On 2017/04/29 23:14, Rafael Sadowski wrote:
> > > is there any good reason to not update libgd? Here are eight good
> > > reasons for an update:
> > >
> > No reason not to update it. Quite a few things depend on it though,
> > so testing is a bit annoying, which might explain why it's old.
> >
> > > -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > > +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> >
> > er?
> >
> > > LIB_DEPENDS= converters/libiconv \
> > > graphics/jpeg \
> > > graphics/png \
> > > - graphics/tiff \
> > > - multimedia/libvpx
> > > + graphics/tiff
> >
> > Need to make sure that dropping libvpx doesn't cause problems in
> > dependent ports.
> >
> > Didn't they change from libvpx to libwebp rather than dropping webp
> > support completely?
>
> Please find a new diff with libwebp support from Brad Smith.
>
> The following ports are affected (diff see below):
>
> cad/pcb
> graphics/libgphoto2
> net/amule
> net/rtg
> print/texlive/base
> sysutils/modlogan
> www/analog
>
> Unaffected:
>
> emulators/fceux
> mail/rspamd
> math/plplot
> net/mldonkey
> net/nagios/nagios
> sysutils/nut
> www/rt
> www/webalizer

These lists don't match the diff; www/analog isn't in the diff,
net/mldonkey is in the diff but listed as unaffected, and
math/graphviz is in the diff but not listed above at all.
(For a commit which touches ports all over the tree, you should
list the directories on the command line rather than letting cvs
iterate over the whole lot, so you want the list to be correct :)

Apart from the extra whitespace in the WANTLIB line for graphviz,
what's in the diff looks correct, but there are some other ports
which I think may be affected too - are you sure that you don't
need changes for libpst, cvsgraph, eduke32, mscgen, p5-GD,
gnuplot, gstreamer1-plugins-good?
Re: UPDATE: graphics/gd
On Sun Apr 30, 2017 at 12:08:47PM +0100, Stuart Henderson wrote:
> On 2017/04/29 23:14, Rafael Sadowski wrote:
> > is there any good reason to not update libgd? Here are eight good
> > reasons for an update:
> >
> No reason not to update it. Quite a few things depend on it though,
> so testing is a bit annoying, which might explain why it's old.
>
> > -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
>
> er?
>
> > LIB_DEPENDS= converters/libiconv \
> > graphics/jpeg \
> > graphics/png \
> > - graphics/tiff \
> > - multimedia/libvpx
> > + graphics/tiff
>
> Need to make sure that dropping libvpx doesn't cause problems in
> dependent ports.
>
> Didn't they change from libvpx to libwebp rather than dropping webp
> support completely?

Please find a new diff with libwebp support from Brad Smith.

The following ports are affected (diff see below):

cad/pcb
graphics/libgphoto2
net/amule
net/rtg
print/texlive/base
sysutils/modlogan
www/analog

Unaffected:

emulators/fceux
mail/rspamd
math/plplot
net/mldonkey
net/nagios/nagios
sysutils/nut
www/rt
www/webalizer

OK? Comments?

Best regards,

Rafael Sadowski

Index: cad/pcb/Makefile === RCS file: /cvs/ports/cad/pcb/Makefile,v retrieving revision 1.33 diff -u -p -u -p -r1.33 Makefile --- cad/pcb/Makefile18 May 2015 11:29:37 - 1.33 +++ cad/pcb/Makefile7 May 2017 20:29:20 - @@ -3,7 +3,7 @@ COMMENT= printed circuit board layout tool DISTNAME= pcb-20110918 CATEGORIES=cad -REVISION= 6 +REVISION= 7 HOMEPAGE= http://pcb.gpleda.org/ 
@@ -15,7 +15,7 @@ WANTLIB += Xi Xinerama Xmu Xrandr Xrende WANTLIB += fontconfig freetype gd gdk-x11-2.0 gdk_pixbuf-2.0 WANTLIB += gdkglext-x11-1.0 gio-2.0 glib-2.0 gmodule-2.0 gobject-2.0 WANTLIB += gtk-x11-2.0 gtkglext-x11-1.0 jpeg m pango-1.0 pangocairo-1.0 -WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff vpx z +WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff webp z MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=pcb/} Index: graphics/gd/Makefile === RCS file: /cvs/ports/graphics/gd/Makefile,v retrieving revision 1.70 diff -u -p -u -p -r1.70 Makefile --- graphics/gd/Makefile10 Apr 2017 11:46:20 - 1.70 +++ graphics/gd/Makefile7 May 2017 20:29:34 - @@ -2,12 +2,11 @@ COMMENT= library for dynamic creation of images -V= 2.1.1 -REVISION= 3 +V= 2.2.4 DISTNAME= libgd-$V PKGNAME= gd-$V -SHARED_LIBS += gd 21.1 # 3.0 +SHARED_LIBS += gd 22.0 # 3.0 CATEGORIES=graphics @@ -16,17 +15,17 @@ HOMEPAGE= http://www.libgd.org/ PERMIT_PACKAGE_CDROM= Yes WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z +WANTLIB += pthread-stubs ${LIBCXX} tiff webp z -MASTER_SITES= https://bitbucket.org/libgd/gd-libgd/downloads/ +MASTER_SITES= https://github.com/libgd/libgd/releases/download/${PKGNAME}/ CONFIGURE_STYLE= gnu CONFIGURE_ARGS+= --without-xpm LIB_DEPENDS= converters/libiconv \ graphics/jpeg \ + graphics/libwebp \ graphics/png \ - graphics/tiff \ - multimedia/libvpx + graphics/tiff .include Index: graphics/gd/distinfo === RCS file: /cvs/ports/graphics/gd/distinfo,v retrieving revision 1.8 diff -u -p -u -p -r1.8 distinfo --- graphics/gd/distinfo14 Nov 2015 12:41:53 - 1.8 +++ graphics/gd/distinfo7 May 2017 20:29:34 - 
@@ -1,2 +1,2 @@ -SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU= -SIZE (libgd-2.1.1.tar.gz) = 2390586 +SHA256 (libgd-2.2.4.tar.gz) = SHplCqYUIX7QirG9GqXSgvnTec/ZXHVq7QtDQGOBvmU= +SIZE (libgd-2.2.4.tar.gz) = 3013928 Index: graphics/gd/patches/patch-src_gd_crop_c === RCS file: graphics/gd/patches/patch-src_gd_crop_c diff -N graphics/gd/patches/patch-src_gd_crop_c --- graphics/gd/patches/patch-src_gd_crop_c 30 Jun 2016 13:27:42 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,19 +0,0 @@ -$OpenBSD: patch-src_gd_crop_c,v 1.1 2016/06/30 13:27:42 jasper Exp $ - -CVE-2016-6128 -https://bugs.php.net/bug.php?id=72494 -https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd - src/gd_crop.c.orig Thu Jun 30 15:23:49 2016 -+++ src/gd_crop.c Thu Jun 30 15:24:14 2016 -@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePt -
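Review bot: this diff deletes patches/patch-src_gd_crop_c, the local CVE-2016-6128 fix that adds a colour range check (color >= gdImageColorsTotal(im) on palette images) to gdImageCropThreshold; before dropping it, confirm that the 2.2.4 tarball already carries that check (the patch header cites the upstream commit range), otherwise the update would reintroduce the issue. The graphics/gd hunk itself looks right: the major SHARED_LIBS bump to 22.0 goes with the vpx to webp swap in WANTLIB and graphics/libwebp replacing multimedia/libvpx in LIB_DEPENDS, and REVISION is dropped with the new V.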
Re: UPDATE: graphics/gd
On 2017/04/29 23:14, Rafael Sadowski wrote:
> is there any good reason to not update libgd? Here are eight good
> reasons for an update:

No reason not to update it. Quite a few things depend on it though,
so testing is a bit annoying, which might explain why it's old.

> -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z

er?

> LIB_DEPENDS= converters/libiconv \
> graphics/jpeg \
> graphics/png \
> - graphics/tiff \
> - multimedia/libvpx
> + graphics/tiff

Need to make sure that dropping libvpx doesn't cause problems in
dependent ports.

Didn't they change from libvpx to libwebp rather than dropping webp
support completely?
UPDATE: graphics/gd
Hi ports@,

is there any good reason to not update libgd? Here are eight good
reasons for an update:

- gdImageCreate() doesn't check for oversized images and as such is prone
  to DoS vulnerabilities. (CVE-2016-9317)
- double-free in gdImageWebPtr() (CVE-2016-6912)
- potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
- DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
- Signed Integer Overflow gd_io.c (CVE-2016-10168)
- Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
  (CVE-2016-5767)
- #215 Stack overflow with gdImageFillToBorder (CVE-2015-8874, CVE-2016-9933)
- NULL Pointer Dereference at _gdScaleVert

Test result from 2.1.1 on amd64:

1 of 93 tests failed
Please report to https://bitbucket.org/libgd/gd-libgd/issues

and from the new one:

tsuite summary for GD 2.2.4
# TOTAL: 153
# PASS: 150
# SKIP: 0
# XFAIL: 0
# FAIL: 3
# XPASS: 0
# ERROR: 0

Best regards,

Rafael Sadowski

Index: Makefile === RCS file: /cvs/ports/graphics/gd/Makefile,v retrieving revision 1.70 diff -u -p -u -p -r1.70 Makefile --- Makefile10 Apr 2017 11:46:20 - 1.70 +++ Makefile29 Apr 2017 21:04:18 - @@ -2,12 +2,11 @@ COMMENT= library for dynamic creation of images -V= 2.1.1 -REVISION= 3 +V= 2.2.4 DISTNAME= libgd-$V PKGNAME= gd-$V -SHARED_LIBS += gd 21.1 # 3.0 +SHARED_LIBS += gd 22.0 # 3.0 CATEGORIES=graphics @@ -15,10 +14,10 @@ HOMEPAGE= http://www.libgd.org/ PERMIT_PACKAGE_CDROM= Yes -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z -MASTER_SITES= https://bitbucket.org/libgd/gd-libgd/downloads/ +MASTER_SITES= https://github.com/libgd/libgd/releases/download/${PKGNAME}/ CONFIGURE_STYLE= gnu CONFIGURE_ARGS+= --without-xpm 
@@ -26,7 +25,6 @@ CONFIGURE_ARGS+= --without-xpm LIB_DEPENDS= converters/libiconv \ graphics/jpeg \ graphics/png \ - graphics/tiff \ - multimedia/libvpx + graphics/tiff .include Index: distinfo === RCS file: /cvs/ports/graphics/gd/distinfo,v retrieving revision 1.8 diff -u -p -u -p -r1.8 distinfo --- distinfo14 Nov 2015 12:41:53 - 1.8 +++ distinfo29 Apr 2017 21:04:18 - @@ -1,2 +1,2 @@ -SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU= -SIZE (libgd-2.1.1.tar.gz) = 2390586 +SHA256 (libgd-2.2.4.tar.gz) = SHplCqYUIX7QirG9GqXSgvnTec/ZXHVq7QtDQGOBvmU= +SIZE (libgd-2.2.4.tar.gz) = 3013928 Index: patches/patch-src_gd_crop_c === RCS file: patches/patch-src_gd_crop_c diff -N patches/patch-src_gd_crop_c --- patches/patch-src_gd_crop_c 30 Jun 2016 13:27:42 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,19 +0,0 @@ -$OpenBSD: patch-src_gd_crop_c,v 1.1 2016/06/30 13:27:42 jasper Exp $ - -CVE-2016-6128 -https://bugs.php.net/bug.php?id=72494 -https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd - src/gd_crop.c.orig Thu Jun 30 15:23:49 2016 -+++ src/gd_crop.c Thu Jun 30 15:24:14 2016 -@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePt - return NULL; - } - -+ if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) { -+ return NULL; -+ } -+ - /* TODO: Add gdImageGetRowPtr and works with ptr at the row level -* for the true color and palette images -* new formats will simply work with ptr Index: patches/patch-src_gd_gd2_c === RCS file: patches/patch-src_gd_gd2_c diff -N patches/patch-src_gd_gd2_c --- patches/patch-src_gd_gd2_c 9 May 2016 06:29:18 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - 
@@ -1,15 +0,0 @@ -$OpenBSD: patch-src_gd_gd2_c,v 1.1 2016/05/09 06:29:18 ajacoutot Exp $ - -gd2: handle corrupt images better (CVE-2016-3074) - src/gd_gd2.c.orig Sun May 8 23:50:58 2016 -+++ src/gd_gd2.c Sun May 8 23:52:14 2016 -@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, - if (gdGetInt ([i].size, in) != 1) { - goto fail2; - }; -+ if (cidx[i].offset < 0 || cidx[i].size < 0)
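Review bot: the two WANTLIB lines in the graphics/gd Makefile hunk are commented out instead of updated, which leaves the port with no WANTLIB at all; they need to stay in place with the library list corrected for 2.2.4. Likewise the LIB_DEPENDS hunk removes multimedia/libvpx without adding anything in its place: the WebP support that 2.1.x got from libvpx comes from libwebp in 2.2.x, so graphics/libwebp should replace it and the vpx entry in WANTLIB should become webp, or the build loses the WebP code path that gdImageWebPtr() (named in the CVE list above) depends on. The deleted local patches for CVE-2016-6128 (gd_crop.c) and CVE-2016-3074 (gd_gd2.c) are only safe to drop if the 2.2.4 tarball contains the equivalent checks.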
UPDATE: graphics/gd
Hi @ports,

simple libgd update to 2.1.1. The CVE-2014-9709 patch is no longer necessary.
Tested on amd64: "All 93 tests passed".

Cheers, Rafael

Index: Makefile === RCS file: /cvs/ports/graphics/gd/Makefile,v retrieving revision 1.62 diff -u -p -u -p -r1.62 Makefile --- Makefile17 Aug 2015 19:52:39 - 1.62 +++ Makefile14 Nov 2015 12:19:52 - @@ -2,10 +2,9 @@ COMMENT= library for dynamic creation of images -V= 2.1.0 +V= 2.1.1 DISTNAME= libgd-$V PKGNAME= gd-$V -REVISION= 2 SHARED_LIBS= gd 21.0 Index: distinfo === RCS file: /cvs/ports/graphics/gd/distinfo,v retrieving revision 1.7 diff -u -p -u -p -r1.7 distinfo --- distinfo17 Mar 2014 23:20:57 - 1.7 +++ distinfo14 Nov 2015 12:19:52 - @@ -1,2 +1,2 @@ -SHA256 (libgd-2.1.0.tar.gz) = PO72nVRUo5LoeTrpC18NYy3T4gh5wShWqh0dPQY6Ucg= -SIZE (libgd-2.1.0.tar.gz) = 2330322 +SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU= +SIZE (libgd-2.1.1.tar.gz) = 2390586 Index: patches/patch-src_gd_gif_in_c === RCS file: patches/patch-src_gd_gif_in_c diff -N patches/patch-src_gd_gif_in_c --- patches/patch-src_gd_gif_in_c 26 Mar 2015 09:16:31 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - 
@@ -1,32 +0,0 @@ -$OpenBSD: patch-src_gd_gif_in_c,v 1.1 2015/03/26 09:16:31 jasper Exp $ - -Security fix for CVE-2014-9709, gd: buffer read overflow in gd_gif_in.c - src/gd_gif_in.c.orig Thu Mar 26 10:07:17 2015 -+++ src/gd_gif_in.cThu Mar 26 10:08:35 2015 -@@ -75,8 +75,10 @@ static struct { - - #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) - -+#define CSD_BUF_SIZE 280 -+ - typedef struct { -- unsigned char buf[280]; -+ unsigned char buf[CSD_BUF_SIZE]; - int curbit; - int lastbit; - int done; -@@ -410,7 +412,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_ - - ret = 0; - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { -- ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; -+ if (i < CSD_BUF_SIZE * 8) { -+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; -+ } else { -+ ret = -1; -+ break; -+ } - } - - scd->curbit += code_size;
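Review bot: the Makefile hunk moves V from 2.1.0 to 2.1.1 but leaves SHARED_LIBS= gd 21.0 untouched; a release that adds exported symbols needs at least a minor bump (21.1) so that dependent packages record the new ABI, so compare the exported symbol lists of the two builds before committing. Dropping REVISION= 2 together with the version change is correct. Removing patches/patch-src_gd_gif_in_c is fine only if 2.1.1 carries the CVE-2014-9709 bounds check on scd->buf in GetCode_ that the removed hunk shows; the upstream release should be checked for it rather than relying on the test suite, which does not exercise that read.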
Re: UPDATE: graphics/gd
I'll take care of this. There are also API additions so it needs a
SHARED_LIBS bump.

On 2015/11/14 14:20, Rafael Sadowski wrote:
> Hi @ports,
>
> simple libgd update to 2.1.1. The CVE-2014-9709 patch is no longer necessary.
> Tested on amd64: "All 93 tests passed".
>
> Cheers, Rafael
>
>
> Index: Makefile > === > RCS file: /cvs/ports/graphics/gd/Makefile,v > retrieving revision 1.62 > diff -u -p -u -p -r1.62 Makefile > --- Makefile 17 Aug 2015 19:52:39 - 1.62 > +++ Makefile 14 Nov 2015 12:19:52 - > @@ -2,10 +2,9 @@ > > COMMENT= library for dynamic creation of images > > -V= 2.1.0 > +V= 2.1.1 > DISTNAME=libgd-$V > PKGNAME= gd-$V > -REVISION=2 > > SHARED_LIBS= gd 21.0 > > Index: distinfo > === > RCS file: /cvs/ports/graphics/gd/distinfo,v > retrieving revision 1.7 > diff -u -p -u -p -r1.7 distinfo > --- distinfo 17 Mar 2014 23:20:57 - 1.7 > +++ distinfo 14 Nov 2015 12:19:52 - > @@ -1,2 +1,2 @@ > -SHA256 (libgd-2.1.0.tar.gz) = PO72nVRUo5LoeTrpC18NYy3T4gh5wShWqh0dPQY6Ucg= > -SIZE (libgd-2.1.0.tar.gz) = 2330322 > +SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU= > +SIZE (libgd-2.1.1.tar.gz) = 2390586 > Index: patches/patch-src_gd_gif_in_c > === > RCS file: patches/patch-src_gd_gif_in_c > diff -N patches/patch-src_gd_gif_in_c > --- patches/patch-src_gd_gif_in_c 26 Mar 2015 09:16:31 - 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 - 
> @@ -1,32 +0,0 @@ > -$OpenBSD: patch-src_gd_gif_in_c,v 1.1 2015/03/26 09:16:31 jasper Exp $ > - > -Security fix for CVE-2014-9709, gd: buffer read overflow in gd_gif_in.c > - > src/gd_gif_in.c.orig Thu Mar 26 10:07:17 2015 > -+++ src/gd_gif_in.c Thu Mar 26 10:08:35 2015 > -@@ -75,8 +75,10 @@ static struct { > - > - #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) > - > -+#define CSD_BUF_SIZE 280 > -+ > - typedef struct { > --unsigned char buf[280]; > -+unsigned char buf[CSD_BUF_SIZE]; > - int curbit; > - int lastbit; > - int done; > -@@ -410,7 +412,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_ > - > - ret = 0; > - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { > --ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; > -+if (i < CSD_BUF_SIZE * 8) { > -+ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; > -+} else { > -+ret = -1; > -+break; > -+} > - } > - > - scd->curbit += code_size; >
UPDATE: graphics/gd
see http://www.libgd.org/ReleaseNote020035 please test. Index: Makefile === RCS file: /cvs/ports/graphics/gd/Makefile,v retrieving revision 1.49 diff -u -r1.49 Makefile --- Makefile31 May 2007 18:32:06 - 1.49 +++ Makefile26 Jun 2007 06:26:26 - @@ -2,9 +2,8 @@ COMMENT= library for dynamic creation of images -DISTNAME= gd-2.0.34 -PKGNAME= ${DISTNAME}p1 -SHARED_LIBS= gd 20.34 +DISTNAME= gd-2.0.35 +SHARED_LIBS= gd 20.35 CATEGORIES=graphics MASTER_SITES= ${HOMEPAGE}releases/ Index: distinfo === RCS file: /cvs/ports/graphics/gd/distinfo,v retrieving revision 1.5 diff -u -r1.5 distinfo --- distinfo5 Apr 2007 16:19:55 - 1.5 +++ distinfo26 Jun 2007 06:26:26 - @@ -1,5 +1,5 @@ -MD5 (gd-2.0.34.tar.gz) = OgLd5CvpKlES/iO0H1RDKw== -RMD160 (gd-2.0.34.tar.gz) = FefcFHYtf5M2oAve/1hD5lAqvXo= -SHA1 (gd-2.0.34.tar.gz) = 2QA3b2sC1dKeZ20PG3IuPBIoOyw= -SHA256 (gd-2.0.34.tar.gz) = bn87r6U/x/7h3ps/VAWF8vMMZdEXQURH1FzxFpn2T5I= -SIZE (gd-2.0.34.tar.gz) = 1273059 +MD5 (gd-2.0.35.tar.gz) = mCljRI3DbyDLebbpum/e3g== +RMD160 (gd-2.0.35.tar.gz) = SuN7VjvsriYwjeG7xIm4zudo3K0= +SHA1 (gd-2.0.35.tar.gz) = 73+7JQ9Ba6twz9pvdyg2JLg8AdU= +SHA256 (gd-2.0.35.tar.gz) = u9FrnCaDd6rqnDwtZMXBEExTYA5AkPIi17s4k4w9fVI= +SIZE (gd-2.0.35.tar.gz) = 1345700 Index: patches/patch-configure === RCS file: /cvs/ports/graphics/gd/patches/patch-configure,v retrieving revision 1.3 diff -u -r1.3 patch-configure --- patches/patch-configure 17 Feb 2007 16:30:11 - 1.3 +++ patches/patch-configure 26 Jun 2007 06:26:26 - @@ -1,7 +1,7 @@ $OpenBSD: patch-configure,v 1.3 2007/02/17 16:30:11 bernd Exp $ configure.orig Wed Feb 7 10:59:57 2007 -+++ configure Wed Feb 7 11:01:33 2007 -@@ -23162,7 +23162,7 @@ if test `eval echo '${'$as_ac_Header'}'` +--- configure.orig Mon Apr 23 16:57:52 2007 configure Tue Jun 26 08:11:35 2007 +@@ -22322,7 +22322,7 @@ if test `eval echo '${'$as_ac_Header'}'` = yes; then cat confdefs.h _ACEOF #define `echo HAVE_$ac_header | $as_tr_cpp` 1 _ACEOF 
@@ -10,25 +10,25 @@ else CPPFLAGS=$_cppflags fi -@@ -24254,7 +24254,7 @@ eval echo \\$as_me:$LINENO: $ac_try_ec - ac_status=$? - echo $as_me:$LINENO: \$? = $ac_status 5 - (exit $ac_status); }; }; then +@@ -23262,7 +23262,7 @@ eval echo \\$as_me:$LINENO: $ac_try_echo\) 5 +test ! -s conftest.err +} test -s conftest$ac_exeext +$as_test_x conftest$ac_exeext; then - acx_pthread_ok=yes + acx_pthread_ok=no else echo $as_me: failed program was: 5 sed 's/^/| /' conftest.$ac_ext 5 -@@ -24452,7 +24452,7 @@ eval echo \\$as_me:$LINENO: $ac_try_ec - ac_status=$? - echo $as_me:$LINENO: \$? = $ac_status 5 - (exit $ac_status); }; }; then +@@ -23444,7 +23444,7 @@ eval echo \\$as_me:$LINENO: $ac_try_echo\) 5 +test ! -s conftest.err +} test -s conftest$ac_exeext +$as_test_x conftest$ac_exeext; then - acx_pthread_ok=yes + acx_pthread_ok=no else echo $as_me: failed program was: 5 sed 's/^/| /' conftest.$ac_ext 5 -@@ -25472,7 +25472,7 @@ FFLAGS!$FFLAGS$ac_delim +@@ -24461,7 +24461,7 @@ FFLAGS!$FFLAGS$ac_delim ac_ct_F77!$ac_ct_F77$ac_delim LIBTOOL!$LIBTOOL$ac_delim XMKMF!$XMKMF$ac_delim Index: patches/patch-gd_png_c === RCS file: patches/patch-gd_png_c diff -N patches/patch-gd_png_c --- patches/patch-gd_png_c 31 May 2007 18:32:06 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,16 +0,0 @@ -$OpenBSD: patch-gd_png_c,v 1.1 2007/05/31 18:32:06 rui Exp $ gd_png.c.orig Thu May 31 16:03:54 2007 -+++ gd_png.c Thu May 31 16:05:09 2007 -@@ -81,7 +81,11 @@ gdPngErrorHandler (png_structp png_ptr, png_const_char - static void - gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length) - { -- gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr)); -+ int check; -+ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr)); -+ if (check != length) { -+png_error(png_ptr, Read Error: truncated data); -+ } - } - - static void
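Review bot: removing patches/patch-gd_png_c drops the check in gdPngReadData that turns a short gdGetBuf() read into png_error() instead of letting libpng continue on truncated data; confirm that the 2.0.35 release notes cover that fix before deleting the local patch. In the patch-configure hunk the regenerated offsets keep forcing acx_pthread_ok=no at both test sites, so the pthread detection override is carried over unchanged and only the line numbers move. The Makefile hunk correctly drops PKGNAME= ${DISTNAME}p1 with the new DISTNAME, and SHARED_LIBS 20.34 to 20.35 is a minor bump matching the release.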