Bug 229707 - graphics/gd - upgrade and fix a potential DOS
Summary: graphics/gd - upgrade and fix a potential DOS
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Torsten Zuehlsdorff
URL:
Keywords: easy, patch
Depends on:
Blocks: 217222
  Show dependency treegraph
 
Reported: 2018-07-11 19:53 UTC by Mikhail Teterin
Modified: 2018-07-27 12:37 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (dinoex)
tz: merge-quarterly+

Attachments
Upgrade graphics/gd to 2.2.5 (2.53 KB, patch)
2018-07-11 19:53 UTC, Mikhail Teterin 		no flags Details | Diff
Upgrade graphics/gd to 2.2.5 (2.72 KB, patch)
2018-07-11 20:00 UTC, Mikhail Teterin 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Teterin freebsd_committer freebsd_triage 2018-07-11 19:53:21 UTC 
Created attachment 195060 [details]
Upgrade graphics/gd to 2.2.5

The patch upgrades the port from 2.2.4 to 2.2.5 and adds a patch fixing the problem uncovered by PHP-developers in handling of malformed GIF-files:

https://bugs.php.net/bug.php?id=75571
Comment 1 Mikhail Teterin freebsd_committer freebsd_triage 2018-07-11 20:00:41 UTC 
Created attachment 195061 [details]
Upgrade graphics/gd to 2.2.5

This version contains the TEST_TARGET -- all tests pass for me here...
Comment 2 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2018-07-26 10:34:33 UTC 
Since this seems to run into maintainer-timeout i just started a build-test for this patch including all its 80 dependencies.
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-07-27 07:39:32 UTC 
A commit references this bug:

Author: tz
Date: Fri Jul 27 07:39:14 UTC 2018
New revision: 475415
URL: https://svnweb.freebsd.org/changeset/ports/475415

Log:
  graphics/gd: Update from 2.2.4 to 2.2.5

  This update fixes 2 security issues:
  - Double-free in gdImagePngPtr(). (CVE-2017-6362)
  - Buffer over-read into uninitialized memory. (CVE-2017-7890)

  Full Changelog:
  https://github.com/libgd/libgd/blob/gd-2.2.5/CHANGELOG.md

  PR:		229707
  Submitted by:	Mikhail Teterin <mi@FreeBSD.org>
  Approved by:	maintainer timeout (dinoex, 2 weeks)
  MFH:		2018Q3
  Security:	CVE-2017-6362
  Security:	CVE-2017-7890

Changes:
  head/graphics/gd/Makefile
  head/graphics/gd/distinfo
  head/graphics/gd/files/patch-gd_gif_in.c
  head/graphics/gd/pkg-plist
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-07-27 12:35:25 UTC 
A commit references this bug:

Author: tz
Date: Fri Jul 27 12:35:22 UTC 2018
New revision: 475431
URL: https://svnweb.freebsd.org/changeset/ports/475431

Log:
  MFH: r475415

  graphics/gd: Update from 2.2.4 to 2.2.5

  This update fixes 2 security issues:
  - Double-free in gdImagePngPtr(). (CVE-2017-6362)
  - Buffer over-read into uninitialized memory. (CVE-2017-7890)

  Full Changelog:
  https://github.com/libgd/libgd/blob/gd-2.2.5/CHANGELOG.md

  PR:		229707
  Submitted by:	Mikhail Teterin <mi@FreeBSD.org>
  Approved by:	maintainer timeout (dinoex, 2 weeks)
  Security:	CVE-2017-6362
  Security:	CVE-2017-7890

  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/graphics/gd/Makefile
  branches/2018Q3/graphics/gd/distinfo
  branches/2018Q3/graphics/gd/files/patch-gd_gif_in.c
  branches/2018Q3/graphics/gd/pkg-plist
Comment 5 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2018-07-27 12:37:49 UTC 
Committed and MFH'd :)

Thanks!