- fixed CVE-2014-2497 [bnc#868624]

OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=5
2014-04-04 12:22:22 +00:00 · 2014-04-04 12:22:22 +00:00 · 85caa8ebaf
commit 85caa8ebaf
parent 303201208b
3 changed files with 31 additions and 1 deletions
--- a/gd-2.1.0-CVE-2014-2497.patch
+++ b/gd-2.1.0-CVE-2014-2497.patch
@ -0,0 +1,23 @@
+Description: Patch to fix PHP bug 66901.
+Author: Andres Mejia <mejiaa@amazon.com>
+Forwarded: no
+
+Index: src/gdxpm.c
+===================================================================
+--- src/gdxpm.c.orig	2014-04-04 12:56:02.570160501 +0200
+++ src/gdxpm.c	2014-04-04 13:01:24.031976322 +0200
+@@ -62,6 +62,14 @@
+ 
+ 	for(i = 0; i < number; i++) {
+ 		char *c_color = image.colorTable[i].c_color;
+                if (!image.colorTable[i].c_color)
+                {
+                        /* unsupported color key or color key not defined */
+                        gdImageDestroy(im);
+                        gdFree(colors);
+                        im = 0;
+                        goto done;
+                }
+ 		if(strcmp(c_color, "None") == 0) {
+ 			colors[i] = gdImageGetTransparent(im);
+ 			if(colors[i] == -1) colors[i] = gdImageColorAllocate(im, 0, 0, 0);
--- a/gd.changes
+++ b/gd.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Apr  4 12:21:22 UTC 2014 - pgajdos@suse.com
+
+- fixed CVE-2014-2497 [bnc#868624]
+
 -------------------------------------------------------------------
 Fri Dec 27 07:42:11 UTC 2013 - tchvatal@suse.com

--- a/gd.spec
+++ b/gd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gd
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -36,6 +36,7 @@ Patch2:         gd-format.patch
 Patch3:         gd-aliasing.patch
 # could be upstreamed?
 Patch4:         gd-autoconf.patch
+Patch5:         gd-2.1.0-CVE-2014-2497.patch
 BuildRequires:  fontconfig-devel
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@ -78,6 +79,7 @@ the formats accepted for inline images by most browsers.
 %patch2
 %patch3
 %patch4
+%patch5

 %build
 autoreconf -fiv