Update to 2.2.5

fix double-free in gdImagePngPtr(). CVE-2017-6362
fix buffer over-read into uninitialized memory. CVE-2017-7890

.gitignore

@@ -8,3 +8,4 @@ gd-2.0.35.tar.bz2
 /libgd-2.2.2.tar.xz
 /libgd-2.2.3.tar.xz
 /libgd-2.2.4.tar.xz
+/libgd-2.2.5.tar.xz

gd-2.2.3-tests.patch

@@ -1,42 +0,0 @@
-From 2b3dd57a6ccb2940f2e9119ae04e14362e2a1f61 Mon Sep 17 00:00:00 2001
-From: Remi Collet <fedora@famillecollet.com>
-Date: Fri, 22 Jul 2016 08:14:12 +0200
-Subject: [PATCH] Fix gd2/gd2_read.c:8:6: error: 'error' may be used
- uninitialized in this function [-Werror=maybe-uninitialized]
-
-Also report about any error, not only the last one.
----
- tests/gd2/gd2_read.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/tests/gd2/gd2_read.c b/tests/gd2/gd2_read.c
-index 94fe069..8ce8bd1 100644
---- a/tests/gd2/gd2_read.c
-+++ b/tests/gd2/gd2_read.c
-@@ -5,7 +5,7 @@
- 
- int main(int argc, char *argv[])
- {
--	int error, i = 0;
-+	int error = 0, i = 0;
- 	gdImagePtr im, exp;
- 	FILE *fp;
- 	char *path[] = {
-@@ -40,8 +40,6 @@ int main(int argc, char *argv[])
- 				gdTestErrorMsg("image %s differs from expected result\n", path[i]);
- 				gdImageDestroy(im);
- 				error = 1;
--			} else {
--				error = 0;
- 			}
- 			if (exp) {
- 				gdImageDestroy(exp);
-@@ -52,8 +50,6 @@ int main(int argc, char *argv[])
- 				gdTestErrorMsg("image %s should have failed to be loaded\n", path[i]);
- 				gdImageDestroy(im);
- 				error = 1;
--			} else {
--				error = 0;
- 			}
- 		}
- 		i++;

gd-2.2.4-upstream.patch

@@ -1,50 +0,0 @@
-From c9b601a658a79e6ea2aad29fbf60ca6e24ccef1e Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 18 Jan 2017 13:59:02 +0100
-Subject: [PATCH] Fix build issue regarding INT_MAX
-
-For portability gd_gd2.c needs to include <limits.h>.
----
- src/gd_gd2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index c2904ca..049c4c5 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -74,6 +74,7 @@
- 
- /* 2.0.29: no more errno.h, makes windows happy */
- #include <math.h>
-+#include <limits.h>
- #include <string.h>
- #include "gd.h"
- #include "gd_errors.h"
-
-
-From 55ac28a293eaa8c531870c8bb8ecc04b333975f4 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Thu, 19 Jan 2017 01:02:58 +0100
-Subject: [PATCH] Fix #357: 2.2.4: Segfault in test suite.
-
-We make sure to never pass a negative `int` as argument to a `size_t`
-parameter.
----
- src/gd_io_dp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
-index eda2eeb..cb38794 100644
---- a/src/gd_io_dp.c
-+++ b/src/gd_io_dp.c
-@@ -292,6 +292,10 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
- 		rlen = dp->realSize - dp->pos;
- 	}
- 
-+	if (rlen < 0) {
-+		return 0;
-+	}
-+
- 	memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
- 	dp->pos += rlen;
- 

gd.spec

@@ -4,8 +4,8 @@
 
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
-Version:       2.2.4
-Release:       5%{?prever}%{?short}%{?dist}
+Version:       2.2.5
+Release:       1%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.github.io/
@@ -18,8 +18,6 @@ Source0:       https://github.com/libgd/libgd/releases/download/gd-%{version}/li
 %endif
 
 Patch1:        gd-2.1.0-multilib.patch
-Patch2:        gd-2.2.3-tests.patch
-Patch3:        gd-2.2.4-upstream.patch
 
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -80,16 +78,6 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %prep
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
-%patch2 -p1 -b .build
-%patch3 -p1 -b .upstream
-
-%if 0%{?fedora} >= 26
-# TODO - tests using freetype 2.7 are failing
-# https://github.com/libgd/libgd/issues/302
-# https://github.com/libgd/libgd/issues/217
-sed -i -e "s|libgd_test_programs +=|libgd_freetype_test_program =|" tests/freetype/Makemodule.am
-sed -i -e "s|libgd_test_programs +=|libgd_freetype_test_program +=|" tests/gdimagestringft/Makemodule.am
-%endif
 
 : $(perl config/getver.pl)
 
@@ -138,11 +126,6 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
 # See https://github.com/libgd/libgd/issues/359
 XFAIL_TESTS="gdimagegrayscale/basic $XFAIL_TESTS"
 %endif
-%if 0%{?fedora} >= 26
-# See https://github.com/libgd/libgd/issues/363
-XFAIL_TESTS="freetype/bug00132 $XFAIL_TESTS"
-XFAIL_TESTS="gdimagestringft/gdimagestringft_bbox $XFAIL_TESTS"
-%endif
 
 export XFAIL_TESTS
 
@@ -175,6 +158,11 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
+* Wed Aug 30 2017 Remi Collet <remi@fedoraproject.org> - 2.2.5-1
+- Update to 2.2.5
+- fix double-free in gdImagePngPtr(). CVE-2017-6362
+- fix buffer over-read into uninitialized memory. CVE-2017-7890
+
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (libgd-2.2.4.tar.xz) = 07903f322c4f6ab392508b0f60c38ca133699111ea92995dc6cd9379210d598bcb24a46c19657884d9e252f8663d0ee8c89c600e3a382a5ae598198c190f39b5
+SHA512 (libgd-2.2.5.tar.xz) = 946675b0a9dbecdee3dda927d496a35d6b5b071d3252a82cd649db0d959a82fcc65ce067ec34d07eed0e0497cd92cc0d93803609a4854f42d284e950764044d0