From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/gd: add post-2.2.5 security fixes from upstream
Date: Mon, 21 Oct 2019 21:45:50 +0200 [thread overview]
Message-ID: <20191021214550.59dc1c87@windsurf> (raw)
In-Reply-To: <20191020090511.2135-1-peter@korsgaard.com>
On Sun, 20 Oct 2019 11:05:10 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security vulnerablities:
>
> - CVE-2018-1000222: Libgd version 2.2.5 contains a Double Free Vulnerability
> vulnerability in gdImageBmpPtr Function that can result in Remote Code
> Execution . This attack appear to be exploitable via Specially Crafted
> Jpeg Image can trigger double free
>
> - CVE-2018-5711: gd_gif_in.c in the GD Graphics Library (aka libgd), as used
> in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
> before 7.2.1, has an integer signedness error that leads to an infinite
> loop via a crafted GIF file, as demonstrated by a call to the
> imagecreatefromgif or imagecreatefromstring PHP function
>
> - CVE-2019-11038: When using the gdImageCreateFromXbm() function in the GD
> Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP
> versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it
> is possible to supply data that will cause the function to use the value
> of uninitialized variable. This may lead to disclosing contents of the
> stack that has been left there by previous code
>
> - CVE-2019-6978: The GD Graphics Library (aka LibGD) 2.2.5 has a double free
> in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> ...-check-return-value-in-gdImageBmpPtr.patch | 80 +++++++
> ...l-infinite-loop-in-gdImageCreateFrom.patch | 61 +++++
> ...lized-read-in-gdImageCreateFromXbm-C.patch | 41 ++++
> ...Potential-double-free-in-gdImage-Ptr.patch | 219 ++++++++++++++++++
> 4 files changed, 401 insertions(+)
> create mode 100644 package/gd/0001-bmp-check-return-value-in-gdImageBmpPtr.patch
> create mode 100644 package/gd/0002-Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
> create mode 100644 package/gd/0003-Fix-501-Uninitialized-read-in-gdImageCreateFromXbm-C.patch
> create mode 100644 package/gd/0004-Fix-492-Potential-double-free-in-gdImage-Ptr.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2019-10-21 19:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-20 9:05 [Buildroot] [PATCH] package/gd: add post-2.2.5 security fixes from upstream Peter Korsgaard
2019-10-21 19:45 ` Thomas Petazzoni [this message]
2019-10-30 12:28 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191021214550.59dc1c87@windsurf \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox