- security update

- added patches CVE-2019-11038 [bsc#1140118] + gd-CVE-2019-11038.patch OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=57
2019-07-16 09:12:59 +00:00 · 2019-07-16 09:12:59 +00:00 · a36454e4ca
commit a36454e4ca
parent 5d279d6694
3 changed files with 29 additions and 0 deletions
--- a/gd-CVE-2019-11038.patch
+++ b/gd-CVE-2019-11038.patch
@ -0,0 +1,18 @@
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 4ca41acf..cf0545ef 100644
+--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ 			}
+ 			h[3] = ch;
+ 		}
+-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
+ 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ 			if (x == im->sx) {
+
--- a/gd.changes
+++ b/gd.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 16 09:12:06 UTC 2019 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2019-11038 [bsc#1140118]
+  + gd-CVE-2019-11038.patch
+
 -------------------------------------------------------------------
 Thu May 30 13:02:38 UTC 2019 - pgajdos@suse.com

--- a/gd.spec
+++ b/gd.spec
@ -38,6 +38,8 @@ Patch5:         libgd-config.patch
 Patch6:         gd-CVE-2018-1000222.patch
 Patch7:         gd-CVE-2019-6978.patch
 Patch8:         gd-CVE-2019-6977.patch
+# CVE-2019-11038 [bsc#1140118]
+Patch9:         gd-CVE-2019-11038.patch
 # needed for tests
 BuildRequires:  dejavu
 BuildRequires:  libjpeg-devel
@ -93,6 +95,7 @@ the formats accepted for inline images by most browsers.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 chmod 644 COPYING

 %build