From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Nov 6 15:40:02 2009
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 46EB21065672; Fri, 6 Nov 2009 15:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 065BD8FC17; Fri, 6 Nov 2009 15:40:02 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id nA6Fe16C076960; Fri, 6 Nov 2009 15:40:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id nA6Fe1KI076957; Fri, 6 Nov 2009 15:40:01 GMT (envelope-from gnats)
Resent-Date: Fri, 6 Nov 2009 15:40:01 GMT
Resent-Message-Id: <200911061540.nA6Fe1KI076957@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: miwi@freebsd.org, ale@freebsd.org, dinoex@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5C5AB106566C for ; Fri, 6 Nov 2009 15:37:13 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id E834C8FC0A for ; Fri, 6 Nov 2009 15:37:12 +0000 (UTC)
Received: from shadow.codelabs.ru (shadow.codelabs.ru [144.206.177.8]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1N6QsB-000EDF-Vc for FreeBSD-gnats-submit@freebsd.org; Fri, 06 Nov 2009 18:37:11 +0300
Message-Id: <20091106153722.011371711E@shadow.codelabs.ru>
Date: Fri, 6 Nov 2009 18:37:21 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: miwi@freebsd.org, ale@freebsd.org, dinoex@freebsd.org
Cc:
Subject: ports/140335: [patch] graphics/gd: fix CVE-2009-3546
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 06 Nov 2009 15:40:02 -0000

>Number: 140335
>Category: ports
>Synopsis: [patch] graphics/gd: fix CVE-2009-3546
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 06 15:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 8.0-RC2 amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 8.0-RC2 amd64
>Description:
See [1] and [2].
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
[2] http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>Fix:
The following diff adds the patch from Thomas Hoger that was accepted into PHP 5.x. The patch was whitespace-modified for graphics/gd. I have verified that all three ports build fine and that graphics/gd works as expected with respect to image conversion (GD -> PNG -> GD) and graphics creation.

--- cve-2009-3546-fix.diff begins here ---
>From 0697562e60bf3a45813403b8de08f0dfa6f80e33 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Fri, 6 Nov 2009 18:18:15 +0300
Signed-off-by: Eygene Ryabinkin --- graphics/gd/Makefile | 2 +- graphics/gd/files/patch-cve-2009-3546 | 15 +++++++++++++++ graphics/php4-gd/Makefile | 2 ++ graphics/php4-gd/files/patch-cve-2009-3546 | 14 ++++++++++++++ graphics/php5-gd/Makefile | 2 ++ graphics/php5-gd/files/patch-cve-2009-3546 | 14 ++++++++++++++ security/vuxml/vuln.xml | 7 ++++--- 7 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 graphics/gd/files/patch-cve-2009-3546 create mode 100644 graphics/php4-gd/files/patch-cve-2009-3546 create mode 100644 graphics/php5-gd/files/patch-cve-2009-3546 diff --git a/graphics/gd/Makefile b/graphics/gd/Makefile index e344354..1341296 100644 --- a/graphics/gd/Makefile +++ b/graphics/gd/Makefile @@ -7,7 +7,7 @@ PORTNAME= gd PORTVERSION= 2.0.35 -PORTREVISION?= 1 +PORTREVISION?= 2 PORTEPOCH= 1 CATEGORIES+= graphics MASTER_SITES= http://www.libgd.org/releases/ diff --git a/graphics/gd/files/patch-cve-2009-3546 b/graphics/gd/files/patch-cve-2009-3546 new file mode 100644 index 0000000..f483039 --- /dev/null +++ b/graphics/gd/files/patch-cve-2009-3546 @@ -0,0 +1,15 @@ +Adopted-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch + +--- gd_gd.c.orig 2006-04-05 19:52:22.000000000 +0400 ++++ gd_gd.c 2009-11-06 18:06:50.000000000 +0300 +@@ -44,6 +44,10 @@ + { + goto fail1; + } ++ if (im->colorsTotal > gdMaxColors) ++ { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt (&im->transparent, in)) diff --git a/graphics/php4-gd/Makefile b/graphics/php4-gd/Makefile index 6702512..025f833 100644 --- a/graphics/php4-gd/Makefile +++ b/graphics/php4-gd/Makefile @@ -11,4 +11,6 @@ MASTERDIR= ${.CURDIR}/../../lang/php4 PKGNAMESUFFIX= -gd +PORTREVISION= 1 + .include "${MASTERDIR}/Makefile" diff --git a/graphics/php4-gd/files/patch-cve-2009-3546 b/graphics/php4-gd/files/patch-cve-2009-3546 new file mode 100644 index 0000000..6a2d2c7 --- /dev/null 
+++ b/graphics/php4-gd/files/patch-cve-2009-3546 @@ -0,0 +1,14 @@ +Obtained-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch + +--- libgd/gd_gd.c 2009/10/12 09:44:18 289556 ++++ libgd/gd_gd.c 2009/10/12 10:01:37 289557 +@@ -39,6 +39,9 @@ + if (!gdGetWord(&im->colorsTotal, in)) { + goto fail1; + } ++ if (im->colorsTotal > gdMaxColors) { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt(&im->transparent, in)) { diff --git a/graphics/php5-gd/Makefile b/graphics/php5-gd/Makefile index 1a0d0b5..6333f40 100644 --- a/graphics/php5-gd/Makefile +++ b/graphics/php5-gd/Makefile @@ -11,4 +11,6 @@ MASTERDIR= ${.CURDIR}/../../lang/php5 PKGNAMESUFFIX= -gd +PORTREVISION= 2 + .include "${MASTERDIR}/Makefile" diff --git a/graphics/php5-gd/files/patch-cve-2009-3546 b/graphics/php5-gd/files/patch-cve-2009-3546 new file mode 100644 index 0000000..6a2d2c7 --- /dev/null +++ b/graphics/php5-gd/files/patch-cve-2009-3546 @@ -0,0 +1,14 @@ +Obtained-From: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557&view=patch + +--- libgd/gd_gd.c 2009/10/12 09:44:18 289556 ++++ libgd/gd_gd.c 2009/10/12 10:01:37 289557 +@@ -39,6 +39,9 @@ + if (!gdGetWord(&im->colorsTotal, in)) { + goto fail1; + } ++ if (im->colorsTotal > gdMaxColors) { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt(&im->transparent, in)) { diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 3b2eace..6440a90 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -40,15 +40,15 @@ Note: Please add new entries to the beginning of this file. gd - 0 + 2.0.35_2,1 php5-gd - 0 + 5.2.11_2 php4-gd - 0 + 4.4.9_1 
@@ -73,6 +73,7 @@ Note: Please add new entries to the beginning of this file. 2009-10-15 2009-11-05 + 2009-11-06 -- 1.6.5.1 --- cve-2009-3546-fix.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
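Review bot: The PORTREVISION bump from 1 to 2 in graphics/gd/Makefile lines up with the `2.0.35_2,1` value in the vuln.xml hunk; the `,1` suffix is required there because the same Makefile sets `PORTEPOCH= 1`, so if the revision is bumped again before commit, both places must move together.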
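Review bot: In graphics/gd/files/patch-cve-2009-3546 the new `if (im->colorsTotal > gdMaxColors) goto fail1;` sits directly after the successful `gdGetWord(&im->colorsTotal, in)` read and before the palette entries are consumed, which is where the bound has to be enforced: the palette arrays are sized by gdMaxColors, and a larger count read from the file is what CVE-2009-3546 is about. `gdGetWord` assembles two bytes into a non-negative value, so a single upper-bound comparison is enough; no `< 0` check is needed. The trailing `}` in the context indicates the check is inside the palette-only branch, which is fine since the truecolor path does not fill those arrays. One nit: this file is labelled `Adopted-From:` while the two PHP patch files say `Obtained-From:`; use one spelling for all three.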
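Review bot: Placing `PORTREVISION= 1` before the `.include "${MASTERDIR}/Makefile"` line in graphics/php4-gd/Makefile is the right spot for a slave port. The matching `4.4.9_1` in the vuln.xml hunk only holds while lang/php4 stays at 4.4.9; worth a re-check at commit time.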
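Review bot: The php4-gd patch file is lifted from the PHP_5_2 branch (the `Obtained-From:` URL and the `289556`/`289557` stamps in the `---`/`+++` headers say so) but is applied to the libgd copy bundled with PHP 4, so the `@@ -39,6 +39,9 @@` offsets and brace placement may not match that older file exactly. The submitter reports all three ports build, which covers application, but the build log should be checked for fuzz or offset messages, and the `---`/`+++` header lines ideally re-pointed at the file actually patched rather than the PHP 5.2 revision stamps.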
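Review bot: The php5-gd patch file carries the same blob index `6a2d2c7` as the php4-gd one, so the two are byte-identical; that is fine for the ports tree, which keeps patch files per port, and here the `PHP_5_2` origin matches the tree being patched, so the `@@ -39,6 +39,9 @@` hunk should apply without fuzz. The `PORTREVISION= 2` added to graphics/php5-gd/Makefile agrees with the `5.2.11_2` value in the vuln.xml hunk.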
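Review bot: Extraction has dropped the XML element names from the first vuln.xml hunk, so only the values `2.0.35_2,1`, `5.2.11_2` and `4.4.9_1` replacing `0` are visible; confirm in the real file that each new value is inside the `<lt>` of its package's `<range>` and that any `<ge>` element is untouched, since a swap between the two would mark either every version or no version as affected. The `,1` on the gd value is correct given the `PORTEPOCH= 1` shown in the graphics/gd/Makefile hunk.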
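Review bot: The `<dates>` block of a VuXML entry allows at most one `<modified>` element after `<discovery>` and `<entry>`, and the tags are not visible in this hunk. If the `2009-10-15` and `2009-11-05` context lines are `<discovery>` and `<entry>`, adding `2009-11-06` as `<modified>` is correct; if `2009-11-05` is already the `<modified>` date, the new line has to replace it rather than follow it, or the entry will fail validation.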