From 83e474f369a31eda778f2ffa5257b49e12844d2d Mon Sep 17 00:00:00 2001 From: Li Zhou Date: Mon, 26 Feb 2018 15:50:30 +0800 Subject: php: Security Advisory - php - CVE-2018-5711 Porting the patch from to solve CVE-2018-5711. Signed-off-by: Li Zhou Signed-off-by: Armin Kuster --- .../php/php-7.1.9/CVE-2018-5711.patch | 56 ++++++++++++++++++++++ meta-oe/recipes-devtools/php/php_7.1.9.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch new file mode 100644 index 0000000000..596244d6ba --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch @@ -0,0 +1,56 @@ +From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001 +From: Li Zhou +Date: Sun, 11 Feb 2018 15:03:21 +0800 +Subject: [PATCH] Fixed bug #75571: Potential infinite loop in + gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. + +Upstream-Status: Backport +CVE: CVE-2018-5711 +Signed-off-by: Li Zhou +--- + ext/gd/libgd/gd_gif_in.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index 76ba152..7156e4b 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -261,10 +261,6 @@ terminated: + if (!im) { + return 0; + } +- if (!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } + /* Check for open colors at the end, so + we can reduce colorsTotal and ultimately + BitsPerPixel */ +@@ -275,6 +271,10 @@ terminated: + break; + } + } ++ if (!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } + return im; + } + /* }}} */ +@@ -375,7 +375,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if (flag) { + scd->curbit = 0; +-- +1.9.1 + diff --git a/meta-oe/recipes-devtools/php/php_7.1.9.bb b/meta-oe/recipes-devtools/php/php_7.1.9.bb index acf68a0594..1d9e35a9ce 100644 --- a/meta-oe/recipes-devtools/php/php_7.1.9.bb +++ b/meta-oe/recipes-devtools/php/php_7.1.9.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c0af599f66d0461c5837c695fcbc5c1e" SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \ file://0001-Specify-tag-with-libtool.patch \ file://CVE-2017-16642.patch \ + file://CVE-2018-5711.patch \ " SRC_URI[md5sum] = "2397be54f3281cdf30c7ef076b28f7d0" SRC_URI[sha256sum] = "314dcc10dfdd7c4443edb4fe1e133a44f2b2a8351be8c9eb6ab9222d45fd9bae" -- cgit 1.2.3-korg