ports/140335: [patch] graphics/gd: fix CVE-2009-3546
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Fri Nov 6 15:40:02 UTC 2009
>Number: 140335
>Category: ports
>Synopsis: [patch] graphics/gd: fix CVE-2009-3546
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 06 15:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 8.0-RC2 amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 8.0-RC2 amd64
>Description:
See [1] and [2].
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
[2] http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>Fix:
The following diff adds the patch from Thomas Hoger that was accepted into
PHP 5.x. The patch was whitespace-modified for graphics/gd. I
have verified that all three ports build fine and that graphics/gd works as
expected with respect to image conversion (GD -> PNG -> GD) and
graphics creation.
--- cve-2009-3546-fix.diff begins here ---
>From 0697562e60bf3a45813403b8de08f0dfa6f80e33 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 6 Nov 2009 18:18:15 +0300
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
graphics/gd/Makefile | 2 +-
graphics/gd/files/patch-cve-2009-3546 | 15 +++++++++++++++
graphics/php4-gd/Makefile | 2 ++
graphics/php4-gd/files/patch-cve-2009-3546 | 14 ++++++++++++++
graphics/php5-gd/Makefile | 2 ++
graphics/php5-gd/files/patch-cve-2009-3546 | 14 ++++++++++++++
security/vuxml/vuln.xml | 7 ++++---
7 files changed, 52 insertions(+), 4 deletions(-)
create mode 100644 graphics/gd/files/patch-cve-2009-3546
create mode 100644 graphics/php4-gd/files/patch-cve-2009-3546
create mode 100644 graphics/php5-gd/files/patch-cve-2009-3546
diff --git a/graphics/gd/Makefile b/graphics/gd/Makefile
index e344354..1341296 100644
--- a/graphics/gd/Makefile
+++ b/graphics/gd/Makefile
@@ -7,7 +7,7 @@
PORTNAME= gd
PORTVERSION= 2.0.35
-PORTREVISION?= 1
+PORTREVISION?= 2
PORTEPOCH= 1
CATEGORIES+= graphics
MASTER_SITES= http://www.libgd.org/releases/
diff --git a/graphics/gd/files/patch-cve-2009-3546 b/graphics/gd/files/patch-cve-2009-3546
new file mode 100644
index 0000000..f483039
--- /dev/null
+++ b/graphics/gd/files/patch-cve-2009-3546
@@ -0,0 +1,15 @@
+Adopted-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch
+
+--- gd_gd.c.orig 2006-04-05 19:52:22.000000000 +0400
++++ gd_gd.c 2009-11-06 18:06:50.000000000 +0300
+@@ -44,6 +44,10 @@
+ {
+ goto fail1;
+ }
++ if (im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
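Review bot: The provenance tag on the first line of this new file is `Adopted-From:`, while the php4-gd and php5-gd copies of the same fix use `Obtained-From:`; use one tag in all three files so the origin can be searched for consistently. The added `if (im->colorsTotal > gdMaxColors)` test also carries no comment. A one-line comment naming CVE-2009-3546 and stating that colorsTotal is bounded by gdMaxColors would help whoever next updates the port past 2.0.35 decide whether the patch is still needed.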
diff --git a/graphics/php4-gd/Makefile b/graphics/php4-gd/Makefile
index 6702512..025f833 100644
--- a/graphics/php4-gd/Makefile
+++ b/graphics/php4-gd/Makefile
@@ -11,4 +11,6 @@ MASTERDIR= ${.CURDIR}/../../lang/php4
PKGNAMESUFFIX= -gd
+PORTREVISION= 1
+
.include "${MASTERDIR}/Makefile"
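Review bot: `PORTREVISION= 1` is assigned before `.include "${MASTERDIR}/Makefile"`, so it only survives if lang/php4/Makefile either does not set PORTREVISION or sets it with `?=`, as graphics/gd/Makefile does. That master Makefile is not part of this diff, so please confirm the resulting package version comes out as 4.4.9_1, which is what the vuln.xml range in this patch expects.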
diff --git a/graphics/php4-gd/files/patch-cve-2009-3546 b/graphics/php4-gd/files/patch-cve-2009-3546
new file mode 100644
index 0000000..6a2d2c7
--- /dev/null
+++ b/graphics/php4-gd/files/patch-cve-2009-3546
@@ -0,0 +1,14 @@
+Obtained-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch
+
+--- libgd/gd_gd.c 2009/10/12 09:44:18 289556
++++ libgd/gd_gd.c 2009/10/12 10:01:37 289557
+@@ -39,6 +39,9 @@
+ if (!gdGetWord(&im->colorsTotal, in)) {
+ goto fail1;
+ }
++ if (im->colorsTotal > gdMaxColors) {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt(&im->transparent, in)) {
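Review bot: The `Obtained-From:` URL and the `---`/`+++` headers in this file refer to the PHP_5_2 branch (289556 to 289557), yet the file is installed for php4-gd, and the `@@ -39,6 +39,9 @@` offsets are those of the PHP 5.2 source. Please confirm the hunk applies to the PHP 4 copy of libgd/gd_gd.c without fuzz or offset, and say in the header that this is a backport of the 5.2 change so the origin is not mistaken for a PHP 4 commit.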
diff --git a/graphics/php5-gd/Makefile b/graphics/php5-gd/Makefile
index 1a0d0b5..6333f40 100644
--- a/graphics/php5-gd/Makefile
+++ b/graphics/php5-gd/Makefile
@@ -11,4 +11,6 @@ MASTERDIR= ${.CURDIR}/../../lang/php5
PKGNAMESUFFIX= -gd
+PORTREVISION= 2
+
.include "${MASTERDIR}/Makefile"
diff --git a/graphics/php5-gd/files/patch-cve-2009-3546 b/graphics/php5-gd/files/patch-cve-2009-3546
new file mode 100644
index 0000000..6a2d2c7
--- /dev/null
+++ b/graphics/php5-gd/files/patch-cve-2009-3546
@@ -0,0 +1,14 @@
+Obtained-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch
+
+--- libgd/gd_gd.c 2009/10/12 09:44:18 289556
++++ libgd/gd_gd.c 2009/10/12 10:01:37 289557
+@@ -39,6 +39,9 @@
+ if (!gdGetWord(&im->colorsTotal, in)) {
+ goto fail1;
+ }
++ if (im->colorsTotal > gdMaxColors) {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt(&im->transparent, in)) {
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 3b2eace..6440a90 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -40,15 +40,15 @@ Note: Please add new entries to the beginning of this file.
<affects>
<package>
<name>gd</name>
- <range><gt>0</gt></range>
+ <range><lt>2.0.35_2,1</lt></range>
</package>
<package>
<name>php5-gd</name>
- <range><gt>0</gt></range>
+ <range><lt>5.2.11_2</lt></range>
</package>
<package>
<name>php4-gd</name>
- <range><gt>0</gt></range>
+ <range><lt>4.4.9_1</lt></range>
</package>
</affects>
<description>
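Review bot: The base versions in the php `<lt>` bounds (`5.2.11_2` and `4.4.9_1`) come from the master ports and cannot be checked against anything in this diff; please verify them against lang/php5 and lang/php4 before commit, since a wrong bound either keeps flagging fixed packages or stops flagging vulnerable ones. The gd bound `2.0.35_2,1` does match what is visible: PORTVERSION 2.0.35, PORTREVISION 2 and PORTEPOCH 1 in graphics/gd/Makefile, and the `_1` and `_2` suffixes match the PORTREVISION lines added to the php4-gd and php5-gd Makefiles.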
@@ -73,6 +73,7 @@ Note: Please add new entries to the beginning of this file.
<dates>
<discovery>2009-10-15</discovery>
<entry>2009-11-05</entry>
+ <modified>2009-11-06</modified>
</dates>
</vuln>
--
1.6.5.1
--- cve-2009-3546-fix.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: