Date: Fri, 6 Nov 2009 18:37:21 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/140335: [patch] graphics/gd: fix CVE-2009-3546
Message-ID: <20091106153722.011371711E@shadow.codelabs.ru>
Resent-Message-ID: <200911061540.nA6Fe1KI076957@freefall.freebsd.org>
>Number: 140335 >Category: ports >Synopsis: [patch] graphics/gd: fix CVE-2009-3546 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Nov 06 15:40:01 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 8.0-RC2 amd64 >Organization: Code Labs >Environment: System: FreeBSD 8.0-RC2 amd64 >Description: See [1] and [2]. >How-To-Repeat: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 [2] http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html >Fix: The following diff adds the patch from Thomas Hoger that was accepted to the PHP 5.x. The patch was whitespace-modified for the graphics/gd. I had verified that all three ports build fine and graphics/gd works as expected in respect to the image conversion (GD -> PNG -> GD) and graphics creation. --- cve-2009-3546-fix.diff begins here --- >From 0697562e60bf3a45813403b8de08f0dfa6f80e33 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Fri, 6 Nov 2009 18:18:15 +0300 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- graphics/gd/Makefile | 2 +- graphics/gd/files/patch-cve-2009-3546 | 15 +++++++++++++++ graphics/php4-gd/Makefile | 2 ++ graphics/php4-gd/files/patch-cve-2009-3546 | 14 ++++++++++++++ graphics/php5-gd/Makefile | 2 ++ graphics/php5-gd/files/patch-cve-2009-3546 | 14 ++++++++++++++ security/vuxml/vuln.xml | 7 ++++--- 7 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 graphics/gd/files/patch-cve-2009-3546 create mode 100644 graphics/php4-gd/files/patch-cve-2009-3546 create mode 100644 graphics/php5-gd/files/patch-cve-2009-3546 diff --git a/graphics/gd/Makefile b/graphics/gd/Makefile index e344354..1341296 100644 --- a/graphics/gd/Makefile +++ b/graphics/gd/Makefile 
@@ -7,7 +7,7 @@ PORTNAME= gd PORTVERSION= 2.0.35 -PORTREVISION?= 1 +PORTREVISION?= 2 PORTEPOCH= 1 CATEGORIES+= graphics MASTER_SITES= http://www.libgd.org/releases/ diff --git a/graphics/gd/files/patch-cve-2009-3546 b/graphics/gd/files/patch-cve-2009-3546 new file mode 100644 index 0000000..f483039 --- /dev/null +++ b/graphics/gd/files/patch-cve-2009-3546 @@ -0,0 +1,15 @@ +Adopted-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch + +--- gd_gd.c.orig 2006-04-05 19:52:22.000000000 +0400 ++++ gd_gd.c 2009-11-06 18:06:50.000000000 +0300 +@@ -44,6 +44,10 @@ + { + goto fail1; + } ++ if (im->colorsTotal > gdMaxColors) ++ { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt (&im->transparent, in)) diff --git a/graphics/php4-gd/Makefile b/graphics/php4-gd/Makefile index 6702512..025f833 100644 --- a/graphics/php4-gd/Makefile +++ b/graphics/php4-gd/Makefile @@ -11,4 +11,6 @@ MASTERDIR= ${.CURDIR}/../../lang/php4 PKGNAMESUFFIX= -gd +PORTREVISION= 1 + .include "${MASTERDIR}/Makefile" diff --git a/graphics/php4-gd/files/patch-cve-2009-3546 b/graphics/php4-gd/files/patch-cve-2009-3546 new file mode 100644 index 0000000..6a2d2c7 --- /dev/null +++ b/graphics/php4-gd/files/patch-cve-2009-3546 @@ -0,0 +1,14 @@ +Obtained-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch + +--- libgd/gd_gd.c 2009/10/12 09:44:18 289556 ++++ libgd/gd_gd.c 2009/10/12 10:01:37 289557 +@@ -39,6 +39,9 @@ + if (!gdGetWord(&im->colorsTotal, in)) { + goto fail1; + } ++ if (im->colorsTotal > gdMaxColors) { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt(&im->transparent, in)) { diff --git a/graphics/php5-gd/Makefile b/graphics/php5-gd/Makefile index 1a0d0b5..6333f40 100644 --- a/graphics/php5-gd/Makefile +++ b/graphics/php5-gd/Makefile 
@@ -11,4 +11,6 @@ MASTERDIR= ${.CURDIR}/../../lang/php5 PKGNAMESUFFIX= -gd +PORTREVISION= 2 + .include "${MASTERDIR}/Makefile" diff --git a/graphics/php5-gd/files/patch-cve-2009-3546 b/graphics/php5-gd/files/patch-cve-2009-3546 new file mode 100644 index 0000000..6a2d2c7 --- /dev/null +++ b/graphics/php5-gd/files/patch-cve-2009-3546 @@ -0,0 +1,14 @@ +Obtained-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch + +--- libgd/gd_gd.c 2009/10/12 09:44:18 289556 ++++ libgd/gd_gd.c 2009/10/12 10:01:37 289557 +@@ -39,6 +39,9 @@ + if (!gdGetWord(&im->colorsTotal, in)) { + goto fail1; + } ++ if (im->colorsTotal > gdMaxColors) { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt(&im->transparent, in)) { diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 3b2eace..6440a90 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -40,15 +40,15 @@ Note: Please add new entries to the beginning of this file. <affects> <package> <name>gd</name> - <range><gt>0</gt></range> + <range><lt>2.0.35_2,1</lt></range> </package> <package> <name>php5-gd</name> - <range><gt>0</gt></range> + <range><lt>5.2.11_2</lt></range> </package> <package> <name>php4-gd</name> - <range><gt>0</gt></range> + <range><lt>4.4.9_1</lt></range> </package> </affects> <description> @@ -73,6 +73,7 @@ Note: Please add new entries to the beginning of this file. <dates> <discovery>2009-10-15</discovery> <entry>2009-11-05</entry> + <modified>2009-11-06</modified> </dates> </vuln> -- 1.6.5.1 --- cve-2009-3546-fix.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
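Review bot: In graphics/gd/files/patch-cve-2009-3546 the new bounds test is placed immediately after the gdGetWord() that fills im->colorsTotal and before the closing brace of that block, which is the right spot: the value comes straight from the file and is only read on this path. The comparison should stay strictly `>` rather than `>=`; palette entries are indexed 0..gdMaxColors-1, so colorsTotal == gdMaxColors is the largest legitimate count and must not be rejected. The new `goto fail1` reuses the same failure label as the read error two lines above, so it inherits whatever cleanup that path does; double-check that fail1 destroys the partially constructed image rather than just returning, otherwise a crafted file with colorsTotal > 256 becomes a leak instead of a crash. Minor: this file is headed "Adopted-From:" while the two PHP patch files say "Obtained-From:"; pick one wording for all three.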
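Review bot: graphics/php4-gd/files/patch-cve-2009-3546 is copied verbatim from the PHP_5_2 branch (revisions 289556/289557 in the hunk header) but is being applied to php4's bundled libgd, whose gd_gd.c may differ in whitespace and line offsets around `@@ -39,6 +39,9 @@`. The PR text says all three ports build, but a patch that applies with fuzz still builds; run `make patch` in graphics/php4-gd and check for fuzz/offset messages, and confirm the `libgd/gd_gd.c` path is correct relative to that port's WRKSRC. The same applies to the identical copy under graphics/php5-gd, which at least targets the branch the patch was taken from.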
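Review bot: The PORTREVISION additions in graphics/php4-gd/Makefile (`PORTREVISION= 1`) and graphics/php5-gd/Makefile (`PORTREVISION= 2`) are correctly placed before `.include "${MASTERDIR}/Makefile"`, so they take effect when the master Makefile is read; an assignment after the include would be ignored. The blank line added between the assignment and the include matches the surrounding layout. Since these are slave ports, bumping PORTREVISION here rather than in lang/php4 and lang/php5 is the right scope: only the -gd packages change.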
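Review bot: In security/vuxml/vuln.xml, replacing `<gt>0</gt>` with `<lt>` bounds is the correct way to close the entry, but only one of the three bounds is verifiable from this diff. `<lt>2.0.35_2,1</lt>` matches PORTVERSION 2.0.35, the PORTREVISION 1 -> 2 bump and PORTEPOCH 1 shown in the graphics/gd/Makefile hunk. `<lt>4.4.9_1</lt>` and `<lt>5.2.11_2</lt>` assume PORTVERSION 4.4.9 in lang/php4 and 5.2.11 in lang/php5, neither of which appears in the patch; confirm both against the master ports before committing, because an off-by-one version there either keeps fixed packages flagged by portaudit or, worse, marks unpatched ones as clean. Adding `<modified>2009-11-06</modified>` after the existing `<entry>2009-11-05</entry>` is the right way to record the range change.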