* [Buildroot] [PATCH 1/1] package/gd: security bump to version 2.3.3
@ 2021-09-13 20:44 Fabrice Fontaine
2021-09-14 6:12 ` Peter Korsgaard
2021-09-14 12:57 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-09-13 20:44 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
- Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD
Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE:
the vendor's position is "The GD2 image format is a proprietary image
format of libgd. It has to be regarded as being obsolete, and should
only be used for development and testing purposes."
- Drop patch (already in version)
- Update hash of COPYING (duplicate merged and title added with
https://github.com/libgd/libgd/commit/82d260950589563a1af9c56f4ce5fde843a695ae
https://github.com/libgd/libgd/commit/6013c7bcf6eb795dba584f92d3824ebd3ae60202)
https://github.com/libgd/libgd/releases/tag/gd-2.3.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...-of-bands-in-reading-tga-header-file.patch | 29 -------------------
package/gd/gd.hash | 4 +--
package/gd/gd.mk | 5 +---
3 files changed, 3 insertions(+), 35 deletions(-)
delete mode 100644 package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
diff --git a/package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch b/package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
deleted file mode 100644
index a42bfb402e..0000000000
--- a/package/gd/0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8b111b2b4a4842179be66db68d84dda91a246032 Mon Sep 17 00:00:00 2001
-From: maryam ebrahimzadeh <maryam.ebr@student.sharif.edu>
-Date: Mon, 19 Jul 2021 10:07:13 +0430
-Subject: [PATCH] fix read out-of-bands in reading tga header file
-
-[Retrieved from:
-https://github.com/libgd/libgd/commit/8b111b2b4a4842179be66db68d84dda91a246032]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/gd_tga.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index cae9428da..286febb28 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -191,7 +191,11 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
- return -1;
- }
-
-- gdGetBuf(tga->ident, tga->identsize, ctx);
-+
-+ if (gdGetBuf(tga->ident, tga->identsize, ctx) != tga->identsize) {
-+ gd_error("fail to read header ident");
-+ return -1;
-+ }
- }
-
- return 1;
diff --git a/package/gd/gd.hash b/package/gd/gd.hash
index 25e64e801b..d0b1e97675 100644
--- a/package/gd/gd.hash
+++ b/package/gd/gd.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 478a047084e0d89b83616e4c2cf3c9438175fb0cc55d8c8967f06e0427f7d7fb libgd-2.3.2.tar.xz
-sha256 4d80b4af6c38d7a65128c881623dee2a5daee6b3a6ccab74a5cdfa0dfda96da7 COPYING
+sha256 3fe822ece20796060af63b7c60acb151e5844204d289da0ce08f8fdf131e5a61 libgd-2.3.3.tar.xz
+sha256 005f4b6b0141d1bd11d371bbf7d4f67947f85a4906b7f5465f942204cf918ba3 COPYING
diff --git a/package/gd/gd.mk b/package/gd/gd.mk
index 90f966c294..55c12e6968 100644
--- a/package/gd/gd.mk
+++ b/package/gd/gd.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GD_VERSION = 2.3.2
+GD_VERSION = 2.3.3
GD_SOURCE = libgd-$(GD_VERSION).tar.xz
GD_SITE = https://github.com/libgd/libgd/releases/download/gd-$(GD_VERSION)
GD_INSTALL_STAGING = YES
@@ -15,9 +15,6 @@ GD_CPE_ID_PRODUCT = libgd
GD_CONF_OPTS = --without-x --disable-rpath --disable-werror
GD_DEPENDENCIES = host-pkgconf
-# 0001-fix-read-out-of-bands-in-reading-tga-header-file.patch
-GD_IGNORE_CVES += CVE-2021-38115
-
# gd forgets to link utilities with -pthread even though it uses
# pthreads, causing linking errors with static linking
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
--
2.33.0
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/gd: security bump to version 2.3.3
2021-09-13 20:44 [Buildroot] [PATCH 1/1] package/gd: security bump to version 2.3.3 Fabrice Fontaine
@ 2021-09-14 6:12 ` Peter Korsgaard
2021-09-14 12:57 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-14 6:12 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD
> Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE:
> the vendor's position is "The GD2 image format is a proprietary image
> format of libgd. It has to be regarded as being obsolete, and should
> only be used for development and testing purposes."
> - Drop patch (already in version)
> - Update hash of COPYING (duplicate merged and title added with
> https://github.com/libgd/libgd/commit/82d260950589563a1af9c56f4ce5fde843a695ae
> https://github.com/libgd/libgd/commit/6013c7bcf6eb795dba584f92d3824ebd3ae60202)
> https://github.com/libgd/libgd/releases/tag/gd-2.3.3
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/gd: security bump to version 2.3.3
2021-09-13 20:44 [Buildroot] [PATCH 1/1] package/gd: security bump to version 2.3.3 Fabrice Fontaine
2021-09-14 6:12 ` Peter Korsgaard
@ 2021-09-14 12:57 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-14 12:57 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD
> Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE:
> the vendor's position is "The GD2 image format is a proprietary image
> format of libgd. It has to be regarded as being obsolete, and should
> only be used for development and testing purposes."
> - Drop patch (already in version)
> - Update hash of COPYING (duplicate merged and title added with
> https://github.com/libgd/libgd/commit/82d260950589563a1af9c56f4ce5fde843a695ae
> https://github.com/libgd/libgd/commit/6013c7bcf6eb795dba584f92d3824ebd3ae60202)
> https://github.com/libgd/libgd/releases/tag/gd-2.3.3
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-14 18:17 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-13 20:44 [Buildroot] [PATCH 1/1] package/gd: security bump to version 2.3.3 Fabrice Fontaine
2021-09-14 6:12 ` Peter Korsgaard
2021-09-14 12:57 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.