diff --git a/SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch b/SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch
new file mode 100644
index 0000000..fbecef3
--- /dev/null
+++ b/SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch
@@ -0,0 +1,148 @@
+From f58c813f8afcd08acdd630f378cff1a5009655cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
+Date: Thu, 31 Jan 2019 16:02:19 +0000
+Subject: [PATCH] merge in fixes for libgd CVE-2019-6978
+
+---
+ README | 5 +++++
+ configure.ac | 2 +-
+ src/extra/gd/gd_jpeg.c | 21 +++++++++++++++++----
+ src/extra/gd/gd_wbmp.c | 24 ++++++++++++++++++++++--
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+
+diff --git a/src/extra/gd/gd_jpeg.c b/src/extra/gd/gd_jpeg.c
+index 7e6dfbb..b270186 100644
+--- a/src/extra/gd/gd_jpeg.c
++++ b/src/extra/gd/gd_jpeg.c
+@@ -72,6 +72,8 @@ fatal_jpeg_error (j_common_ptr cinfo)
+ exit (99);
+ }
+
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+ * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+ * QUALITY. If QUALITY is in the range 0-100, increasing values
+@@ -93,8 +95,12 @@ gdImageJpegPtr (gdImagePtr im, int *size, int quality)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImageJpegCtx (im, out, quality);
+- rv = gdDPExtractData (out, size);
++ if (out == NULL) return NULL;
++ if (!_gdImageJpegCtx(im, out, quality)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->free (out);
+ return rv;
+ }
+@@ -103,6 +109,12 @@ static void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
+
+ void
+ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
++{
++ _gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ struct jpeg_compress_struct cinfo;
+ struct jpeg_error_mgr jerr;
+@@ -139,7 +151,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ /* we're here courtesy of longjmp */
+ if (row)
+ gdFree (row);
+- return;
++ return 1;
+ }
+
+ cinfo.err->error_exit = fatal_jpeg_error;
+@@ -173,7 +185,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ fprintf (stderr, "gd-jpeg: error: unable to allocate JPEG row "
+ "structure: gdCalloc returns NULL\n");
+ jpeg_destroy_compress (&cinfo);
+- return;
++ return 1;
+ }
+
+ rowptr[0] = row;
+@@ -254,6 +266,7 @@ error:
+ #endif
+ jpeg_destroy_compress (&cinfo);
+ gdFree (row);
++ return 0;
+ }
+
+ gdImagePtr
+diff --git a/src/extra/gd/gd_wbmp.c b/src/extra/gd/gd_wbmp.c
+index f1258da..4b27043 100644
+--- a/src/extra/gd/gd_wbmp.c
++++ b/src/extra/gd/gd_wbmp.c
+@@ -85,6 +85,7 @@ gd_getin (void *in)
+ return (gdGetC ((gdIOCtx *) in));
+ }
+
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
+
+ /* gdImageWBMPCtx
+ ** --------------
+@@ -97,6 +98,12 @@ gd_getin (void *in)
+ */
+ void
+ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
++{
++ _gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+
+ int x, y, pos;
+@@ -107,7 +114,7 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+ if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL)
+ {
+ fprintf (stderr, "Could not create WBMP\n");
+- return;
++ return 1;
+ }
+
+ /* fill up the WBMP structure */
+@@ -126,9 +133,16 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+
+ /* write the WBMP to a gd file descriptor */
+ if (writewbmp (wbmp, &gd_putout, out))
++ {
+ fprintf (stderr, "Could not save WBMP\n");
++ freewbmp (wbmp);
++ return 1;
++ }
++
+ /* des submitted this bugfix: gdFree the memory. */
+ freewbmp (wbmp);
++
++ return 0;
+ }
+
+
+@@ -214,8 +228,12 @@ gdImageWBMPPtr (gdImagePtr im, int *size, int fg)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImageWBMPCtx (im, fg, out);
+- rv = gdDPExtractData (out, size);
++ if (out == NULL) return NULL;
++ if (!_gdImageWBMPCtx(im, fg, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->free (out);
+ return rv;
+ }
+--
+2.20.1
+
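Review bot: The `return 0;` added at the end of `_gdImageJpegCtx` (inner hunk `@@ -254,6 +266,7 @@ error:`) sits after the shared cleanup below the `error:` label, so any failure path that jumps to that label would still report success, and `gdImageJpegPtr` would then return whatever `gdDPExtractData` finds in a partially written buffer. The code between the label and the hunk is not visible here, so this needs checking against the full function; if a failing `goto error` exists, carry a status through the cleanup, e.g. `int rc = 0;` set to 1 before the jump and `return rc;` at the end. The longjmp branch at `@@ -139,7 +151,7 @@` returns 1 after freeing `row` with no visible `jpeg_destroy_compress (&cinfo)`, unlike the allocation-failure branch, which is worth confirming as well. Both `gdImageJpegPtr` and `gdImageWBMPPtr` now return NULL without writing `*size`, so a comment such as `/* returns NULL on failure; *size is not written */` above each would tell callers not to read the size in that case.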
diff --git a/SPECS/libwmf.spec b/SPECS/libwmf.spec index fb6dde2..c72b546 100644 --- a/SPECS/libwmf.spec +++ b/SPECS/libwmf.spec @@ -1,7 +1,7 @@ Summary: Windows MetaFile Library Name: libwmf Version: 0.2.9 -Release: 4%{?dist} +Release: 8%{?dist} Group: System Environment/Libraries #libwmf is under the LGPLv2+, however... #1. The tarball contains an old version of the urw-fonts under GPL+. @@ -13,6 +13,7 @@ Source: https://github.com/caolanm/libwmf/archive/v%{version}.tar.gz URL: https://github.com/caolanm/libwmf Patch0: covscan.patch +Patch1: 0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch Requires: urw-fonts Requires: %{name}-lite = %{version}-%{release} @@ -46,6 +47,7 @@ using libwmf. %prep %setup -q %patch0 -p1 -b .covscan +%patch1 -p1 -b .CVE-2019-6978 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f %build @@ -101,6 +103,18 @@ sed -i $RPM_BUILD_ROOT%{_datadir}/libwmf/fonts/fontmap -e 's#libwmf/fonts#fonts/ %changelog +* Wed Aug 14 2019 Caolán McNamara - 0.2.9-8 +- Related: rhbz1717799 fix clang warning + +* Wed Aug 14 2019 Caolán McNamara - 0.2.9-7 +- Related: rhbz1717799 bump n-v-r + +* Wed Mar 06 2019 Caolán McNamara - 0.2.9-6 +- Related: rhbz1679006 bump n-v-r + +* Tue Feb 26 2019 Caolán McNamara - 0.2.9-5 +- Resolves: rhbz1679006 libgd CVE-2019-6978 + * Fri Aug 10 2018 Caolán McNamara - 0.2.9-4 - Related: rhbz#1602602 fix more clang warnings