diff options
author | Catalin Enache <catalin.enache@windriver.com> | 2017-04-07 13:10:53 +0300 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2017-04-18 14:21:39 +0200 |
commit | f66465d4d52a7a0df208a0701e3cb034e9c47bd3 (patch) | |
tree | c686eb28c0386b941dadccf5b28099ad8ee01059 /meta-oe/recipes-support/gd | |
parent | dcd6d5b2405e0be18694696dfb0221fc59e6d107 (diff) | |
download | meta-openembedded-contrib-f66465d4d52a7a0df208a0701e3cb034e9c47bd3.tar.gz |
gd : CVE-2016-10167, CVE-2016-10168
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics
Library (aka libgd) before 2.2.4 allows remote attackers to cause a
denial of service (application crash) via a crafted image file.
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before
2.2.4 allows remote attackers to have unspecified impact via vectors
involving the number of horizontal and vertical chunks in an image.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10167
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10168
Upstream patches:
https://github.com/libgd/libgd/commit/fe9ed49dafa993e3af96b6a5a589efeea9bfb36f
https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/gd')
-rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch | 48 | ||||
-rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch | 38 | ||||
-rw-r--r-- | meta-oe/recipes-support/gd/gd_2.2.3.bb | 4 |
3 files changed, 89 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch new file mode 100644 index 00000000000..54ef22cb628 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10167.patch @@ -0,0 +1,48 @@ +From 6ab531ef0d82efb9e00236ee5ea23928335d221f Mon Sep 17 00:00:00 2001 +From: Catalin Enache <catalin.enache@windriver.com> +Date: Fri, 7 Apr 2017 12:30:22 +0300 +Subject: [PATCH] Fix DOS vulnerability in gdImageCreateFromGd2Ctx() + +We must not pretend that there are image data if there are none. Instead +we fail reading the image file gracefully. + +Upstream-Status: Backport +CVE: CVE-2016-10167 + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + src/gd_gd2.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index 8df93c1..bae65ea 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -445,18 +445,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in) + + if (im->trueColor) { + if (!gdGetInt (&im->tpixels[y][x], in)) { +- /*printf("EOF while reading\n"); */ +- /*gdImageDestroy(im); */ +- /*return 0; */ +- im->tpixels[y][x] = 0; ++ gd_error("gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + } else { + int ch; + if (!gdGetByte (&ch, in)) { +- /*printf("EOF while reading\n"); */ +- /*gdImageDestroy(im); */ +- /*return 0; */ +- ch = 0; ++ gd_error("gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + im->pixels[y][x] = ch; + } +-- +2.10.2 + diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch new file mode 100644 index 00000000000..aef1060c45e --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch @@ -0,0 +1,38 @@ +From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001 +From: Catalin Enache <catalin.enache@windriver.com> +Date: Fri, 7 Apr 2017 12:32:49 +0300 +Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c + +GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 +byte unsigned). These values are multiplied and assigned to an int when +reading the image, what can cause integer overflows. We have to avoid +that, and also make sure that either chunk count is actually greater +than zero. If illegal chunk counts are detected, we bail out from +reading the image. + +Upstream-Status: Backport +CVE: CVE-2016-10168 + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + src/gd_gd2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index bae65ea..9006bd2 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + GD2_DBG (printf ("%d Chunks vertically\n", *ncy)); + + if (gd2_compressed (*fmt)) { ++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { ++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); ++ goto fail1; ++ } + nc = (*ncx) * (*ncy); + + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); +-- +2.10.2 + diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb index 4ff6b756a69..4e21d532d5f 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.3.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb @@ -14,7 +14,9 @@ DEPENDS = "freetype libpng jpeg zlib tiff" SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \ file://fix-gcc-unused-functions.patch \ - file://CVE-2016-10166.patch" + file://CVE-2016-10166.patch \ + file://CVE-2016-10167.patch \ + file://CVE-2016-10168.patch" SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c" |