Bug 213020

Summary: graphics/gd: Fix integer overflow in gdImageWebpCtx
Product: Ports & Packages Reporter: VK <vlad-fbsd>
Component: Individual Port(s)Assignee: Dirk Meyer <dinoex>
Status: Closed FIXED    
Severity: Affects Some People CC: ale, dinoex, ports-secteam, tz
Priority: --- Keywords: patch, security
Version: LatestFlags: dinoex: maintainer-feedback+
dinoex: merge-quarterly-
Hardware: Any   
OS: Any   
URL: https://github.com/libgd/libgd/issues/308
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213023
Bug Depends on: 213023    
Bug Blocks:    
Attachments:
Description Flags
Fix integer overflow in gdImageWebpCtx vlad-fbsd: maintainer-approval? (dinoex)

Description VK 2016-09-27 13:27:17 UTC 
Created attachment 175197 [details]
Fix integer overflow in gdImageWebpCtx

An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c which could lead to heap buffer overflow.

* Upstream issue:
  https://github.com/libgd/libgd/issues/308

* Upstream commit:
  https://github.com/libgd/libgd/commit/40bec0f38f50e8510f5bb71a82f516d46facde03

* CVE request:
  http://seclists.org/oss-sec/2016/q3/626

Patch attached. Passes Poudriere build with 11.0-RELEASE amd64. Running build tests for 10.3 and 9.3.

VuXML entry coming up.

CC ports-secteam and maintainers of php70-gd and php56-gd.
Comment 1 VK 2016-09-27 14:20:15 UTC 
Passes Poudriere builds for 10.3-p9 and 9.3-p47, both amd64.
Comment 2 VK 2016-10-15 20:21:35 UTC 
Maintainer timeout, back to the pool.
Comment 3 Dirk Meyer freebsd_committer freebsd_triage 2016-10-16 18:31:03 UTC 
option is disabled, so the patch is a no op
marked for later.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-10-16 18:41:57 UTC 
A commit references this bug:

Author: dinoex
Date: Sun Oct 16 18:41:21 UTC 2016
New revision: 424078
URL: https://svnweb.freebsd.org/changeset/ports/424078

Log:
  - fix option WEBP
  - make option WEBP default
  PR:		211368

  - Security patch, port was not vulnerable
  Security: https://github.com/libgd/libgd/issues/308
  Security: http://seclists.org/oss-sec/2016/q3/626
  Security: CVE-2016-7568
  PR:		213020

Changes:
  head/graphics/gd/Makefile
  head/graphics/gd/files/patch-gd_webp.c
Comment 5 Dirk Meyer freebsd_committer freebsd_triage 2016-10-16 18:45:05 UTC 
port was bot vulnerable, option was disabled.