diff --git a/SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch b/SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch
new file mode 100644
index 0000000..51db1b6
--- /dev/null
+++ b/SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch
@@ -0,0 +1,150 @@
+From f58c813f8afcd08acdd630f378cff1a5009655cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Thu, 31 Jan 2019 16:02:19 +0000
+Subject: [PATCH] merge in fixes for libgd CVE-2019-6978
+
+---
+ README | 5 +++++
+ configure.ac | 2 +-
+ src/extra/gd/gd_jpeg.c | 21 +++++++++++++++++----
+ src/extra/gd/gd_wbmp.c | 24 ++++++++++++++++++++++--
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+
+diff --git a/src/extra/gd/gd_jpeg.c b/src/extra/gd/gd_jpeg.c
+index 7e6dfbb..b270186 100644
+--- a/src/extra/gd/gd_jpeg.c
++++ b/src/extra/gd/gd_jpeg.c
+@@ -72,6 +72,8 @@ fatal_jpeg_error (j_common_ptr cinfo)
+ exit (99);
+ }
+
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+ * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+ * QUALITY. If QUALITY is in the range 0-100, increasing values
+@@ -93,8 +95,12 @@ gdImageJpegPtr (gdImagePtr im, int *size, int quality)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImageJpegCtx (im, out, quality);
+- rv = gdDPExtractData (out, size);
++ if (out == NULL) return NULL;
++ if (!_gdImageJpegCtx(im, out, quality)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->free (out);
+ return rv;
+ }
+@@ -103,6 +109,12 @@ static void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
+
+ void
+ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
++{
++ _gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ struct jpeg_compress_struct cinfo;
+ struct jpeg_error_mgr jerr;
+@@ -139,7 +151,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ /* we're here courtesy of longjmp */
+ if (row)
+ gdFree (row);
+- return;
++ return 1;
+ }
+
+ cinfo.err->error_exit = fatal_jpeg_error;
+@@ -173,7 +185,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ fprintf (stderr, "gd-jpeg: error: unable to allocate JPEG row "
+ "structure: gdCalloc returns NULL\n");
+ jpeg_destroy_compress (&cinfo);
+- return;
++ return 1;
+ }
+
+ rowptr[0] = row;
+@@ -254,6 +266,7 @@ error:
+ #endif
+ jpeg_destroy_compress (&cinfo);
+ gdFree (row);
++ return 0;
+ }
+
+ gdImagePtr
+diff --git a/src/extra/gd/gd_wbmp.c b/src/extra/gd/gd_wbmp.c
+index f1258da..4b27043 100644
+--- a/src/extra/gd/gd_wbmp.c
++++ b/src/extra/gd/gd_wbmp.c
+@@ -85,6 +85,7 @@ gd_getin (void *in)
+ return (gdGetC ((gdIOCtx *) in));
+ }
+
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
+
+ /* gdImageWBMPCtx
+ ** --------------
+@@ -97,6 +98,12 @@ gd_getin (void *in)
+ */
+ void
+ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
++{
++ _gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+
+ int x, y, pos;
+@@ -105,7 +112,10 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+
+ /* create the WBMP */
+ if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL)
++ {
+ fprintf (stderr, "Could not create WBMP\n");
++ return 1;
++ }
+
+ /* fill up the WBMP structure */
+ pos = 0;
+@@ -123,9 +133,16 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+
+ /* write the WBMP to a gd file descriptor */
+ if (writewbmp (wbmp, &gd_putout, out))
++ {
+ fprintf (stderr, "Could not save WBMP\n");
++ freewbmp (wbmp);
++ return 1;
++ }
++
+ /* des submitted this bugfix: gdFree the memory. */
+ freewbmp (wbmp);
++
++ return 0;
+ }
+
+
+@@ -211,8 +228,12 @@ gdImageWBMPPtr (gdImagePtr im, int *size, int fg)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImageWBMPCtx (im, fg, out);
+- rv = gdDPExtractData (out, size);
++ if (out == NULL) return NULL;
++ if (!_gdImageWBMPCtx(im, fg, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->free (out);
+ return rv;
+ }
+--
+2.20.1
+
diff --git a/SPECS/libwmf.spec b/SPECS/libwmf.spec
index 1e3ff22..843c481 100644
--- a/SPECS/libwmf.spec
+++ b/SPECS/libwmf.spec
@@ -1,7 +1,7 @@
 Summary: Windows MetaFile Library
 Name: libwmf
 Version: 0.2.8.4
-Release: 41%{?dist}
+Release: 43%{?dist}
 Group: System Environment/Libraries
 #libwmf is under the LGPLv2+, however...
 #1. The tarball contains an old version of the urw-fonts under GPL+.
@@ -61,6 +61,8 @@ Patch17: libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
 Patch18: libwmf-0.2.8.4-CVE-2015-4695.patch
 # CVE-2015-4696
 Patch19: libwmf-0.2.8.4-CVE-2015-4696.patch
+# CVE-2019-6978
+Patch20: 0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch
 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@@ -111,6 +113,7 @@ using libwmf.
 %patch17 -p1 -b .CVE-2015-0848+CVE-2015-4588
 %patch18 -p1 -b .CVE-2015-4695
 %patch19 -p1 -b .CVE-2015-4696
+%patch20 -p1 -b .CVE-2019-6978
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
 %build
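Review bot: The `return 0;` added after the `error:` label in `_gdImageJpegCtx` (gd_jpeg.c section of the new patch, inner hunk `@@ -254,6 +266,7 @@ error:`) makes every path that reaches that label report success, including any `goto error` taken on a failure. The jumps to the label lie outside the visible hunks, so this is inferred from the label alone; if such a jump exists, `gdImageJpegPtr` would still call `gdDPExtractData` after a failed write, which is the case its new `if (!_gdImageJpegCtx(...))` check is there to exclude. A status variable would keep the two exits apart: `int rc = 0;` at the top of the function, `rc = 1;` before each `goto error;`, and `return rc;` in place of `return 0;`. Separately, `gdImageJpegPtr` and `gdImageWBMPPtr` now return NULL without writing `*size`, so a comment such as `/* returns NULL on failure; *size is left untouched */` above each would tell callers not to read it.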
@@ -176,14 +179,17 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || :
 %changelog
-* Wed Sep 02 2015 Caolán McNamara - 0.2.8.4-41
-- Related: rhbz#1239161 fix patch context
+* Mon Mar 30 2020 Caolán McNamara - 0.2.8.4-43
+- Resolves: rhbz#1679005 CVE-2019-6978
-* Mon Jun 08 2015 Caolán McNamara - 0.2.8.4-40
-- Resolves: rhbz#1239161 CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
+* Wed Sep 02 2015 Caolán McNamara - 0.2.8.4-42
+- Related: rhbz#1239162 fix patch context
-* Mon Jun 08 2015 Caolán McNamara - 0.2.8.4-39.1
-- Resolves: rhbz#1227430 CVE-2015-0848 heap overflow when decoding BMP images
+* Tue Jul 07 2015 Caolán McNamara - 0.2.8.4-41
+- Resolves: rhbz#1239162 CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
+
+* Mon May 08 2015 Caolán McNamara - 0.2.8.4-40
+- Resolves: rhbz#1227431 CVE-2015-0848 libwmf: heap overflow when decoding BMP images
 * Fri Jan 24 2014 Daniel Mach - 0.2.8.4-39
 - Mass rebuild 2014-01-24