diff --git a/gd-config.patch b/gd-config.patch
deleted file mode 100644
index 57e34cf..0000000
--- a/gd-config.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: config/gdlib-config.in
-===================================================================
---- config/gdlib-config.in.orig 2013-06-25 11:58:23.000000000 +0200
-+++ config/gdlib-config.in 2013-12-18 10:00:24.635577307 +0100
-@@ -71,7 +71,7 @@
- echo @LDFLAGS@
- ;;
- --libs)
-- echo -lgd @LIBS@ @LIBICONV@
-+ echo -lgd
- ;;
- --cflags|--includes)
- echo -I@includedir@
diff --git a/gd-disable-freetype27-failed-tests.patch b/gd-disable-freetype27-failed-tests.patch
deleted file mode 100644
index eed8546..0000000
--- a/gd-disable-freetype27-failed-tests.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Two tests: freetype/bug00132 and gdimagestringft fail with freetype >= 2.7
-for being too exact/strict, as acknowledged by upstream. Let us disable these
-tests for now, as the impact is understood to be "slight". See discussion
-in the issue tracker.
-Issue: https://github.com/libgd/libgd/issues/302
-
-Index: libgd-2.2.3/tests/CMakeLists.txt
-===================================================================
---- libgd-2.2.3.orig/tests/CMakeLists.txt
-+++ libgd-2.2.3/tests/CMakeLists.txt
-@@ -19,7 +19,6 @@ if (BUILD_TEST)
-
- SET(TESTS_DIRS
- bmp
-- freetype
- gd
- gd2
- gdimagearc
-@@ -50,7 +49,6 @@ if (BUILD_TEST)
- gdimagescale
- gdimagescatterex
- gdimagesetpixel
-- gdimagestringft
- gdimagestringftex
- gdimagetruecolortopalette
- gdinterpolatedscale
-Index: libgd-2.2.3/tests/Makefile.am
-===================================================================
---- libgd-2.2.3.orig/tests/Makefile.am
-+++ libgd-2.2.3/tests/Makefile.am
-@@ -13,7 +13,6 @@ EXTRA_DIST =
- TESTS =
-
- include bmp/Makemodule.am
--include freetype/Makemodule.am
- include gd/Makemodule.am
- include gd2/Makemodule.am
- include gdimagearc/Makemodule.am
-@@ -44,7 +43,6 @@ include gdimagerotate/Makemodule.am
- include gdimagescale/Makemodule.am
- include gdimagescatterex/Makemodule.am
- include gdimagesetpixel/Makemodule.am
--include gdimagestringft/Makemodule.am
- include gdimagestringftex/Makemodule.am
- include gdimagetruecolortopalette/Makemodule.am
- include gdinterpolatedscale/Makemodule.am
-
diff --git a/gd-freetype.patch b/gd-freetype.patch
new file mode 100644
index 0000000..aad178c
--- /dev/null
+++ b/gd-freetype.patch
@@ -0,0 +1,51 @@
+From a5570d3ed30ff76c2a8bdd54f4ab1825acca0143 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Sun, 29 Jan 2017 17:07:50 +0100
+Subject: [PATCH] Fix #302: Test suite fails with freetype 2.7
+
+Actually, the test failures are not necessarily related to freetype
+2.7, but rather are caused by subpixel hinting which is enabled by
+default in freetype 2.7. Subpixel hinting is, however, already
+available in freetype 2.5 and in versions having the "Infinality"
+patch.
+
+To get the expected results in all environments, we have to disable
+subpixel hinting, what is easily done by setting a respective
+environment variable.
+
+See also:
+* https://www.freetype.org/freetype2/docs/subpixel-hinting.html
+* https://www.freetype.org/freetype2/docs/reference/ft2-tt_driver.html
+---
+ tests/freetype/bug00132.c | 3 +++
+ tests/gdimagestringft/gdimagestringft_bbox.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/tests/freetype/bug00132.c b/tests/freetype/bug00132.c
+index 713dd2d0..42ed5b17 100644
+--- a/tests/freetype/bug00132.c
++++ b/tests/freetype/bug00132.c
+@@ -11,6 +11,9 @@ int main()
+ char *path;
+ char *ret = NULL;
+
++ /* disable subpixel hinting */
++ putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
++
+ im = gdImageCreateTrueColor(50, 30);
+
+ if (!im) {
+diff --git a/tests/gdimagestringft/gdimagestringft_bbox.c b/tests/gdimagestringft/gdimagestringft_bbox.c
+index 0161ec81..1596a9e7 100644
+--- a/tests/gdimagestringft/gdimagestringft_bbox.c
++++ b/tests/gdimagestringft/gdimagestringft_bbox.c
+@@ -38,6 +38,9 @@ int main()
+ int error = 0;
+ FILE *fp;
+
++ /* disable subpixel hinting */
++ putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
++
+ path = gdTestFilePath("freetype/DejaVuSans.ttf");
+ im = gdImageCreate(800, 800);
+ gdImageColorAllocate(im, 0xFF, 0xFF, 0xFF); /* allocate white for background color */
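Review bot: Both added `putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");` calls discard putenv's return value, so if the call ever fails subpixel hinting stays enabled and the test reports a pixel mismatch that points away from the real cause; `if (putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35") != 0) { perror("putenv"); return 1; }` would make the setup failure explicit. putenv is POSIX rather than ISO C and stores the pointer it is given rather than copying, which is harmless for a string literal but a footgun if someone later builds the value in a local buffer; `setenv("FREETYPE_PROPERTIES", "truetype:interpreter-version=35", 1)` avoids that. Whether the two test files include <stdlib.h>, and under which feature-test macros they are compiled, is not visible in the hunk. Since this is a verbatim upstream commit, any such change belongs upstream rather than in the distro copy.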
diff --git a/gd-test-unintialized-var.patch b/gd-test-unintialized-var.patch
deleted file mode 100644
index 7feaeaf..0000000
--- a/gd-test-unintialized-var.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: libgd-2.2.3/tests/gd2/gd2_read.c
-===================================================================
---- libgd-2.2.3.orig/tests/gd2/gd2_read.c
-+++ libgd-2.2.3/tests/gd2/gd2_read.c
-@@ -5,7 +5,7 @@
-
- int main(int argc, char *argv[])
- {
-- int error, i = 0;
-+ int error = 0, i = 0;
- gdImagePtr im, exp;
- FILE *fp;
- char *path[] = {
diff --git a/gd.changes b/gd.changes
index 286f174..678b988 100644
--- a/gd.changes
+++ b/gd.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Jul 7 10:54:11 UTC 2017 - tchvatal@suse.com
+
+- Version update to 2.2.4:
+  * gdImageCreate() doesn't check for oversized images and as such is prone
+    to DoS vulnerabilities. (CVE-2016-9317) bsc#1022283
+  * double-free in gdImageWebPtr() (CVE-2016-6912) bsc#1022284
+  * potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
+    bsc#1022263
+  * DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
+    bsc#1022264
+  * Signed Integer Overflow gd_io.c (CVE-2016-10168) bsc#1022265
+- Remove patches merged/obsoleted by upstream:
+  * gd-config.patch
+  * gd-disable-freetype27-failed-tests.patch
+  * gd-test-unintialized-var.patch
+- Add patch gd-freetype.patch taking patch from upstream for
+  freetype 2.7
+
 -------------------------------------------------------------------
 Fri Dec 9 17:09:40 UTC 2016 - pgajdos@suse.com
diff --git a/gd.spec b/gd.spec
index 1663538..3b1b638 100644
--- a/gd.spec
+++ b/gd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gd
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,11 +17,9 @@
 %define prjname libgd
-
 %define lname libgd3
-
 Name: gd
-Version: 2.2.3
+Version: 2.2.4
 Release: 0
 Summary: A Drawing Library for Programs That Use PNG and JPEG Output
 License: MIT
@@ -29,35 +27,29 @@ Group: System/Libraries
 Url: https://libgd.github.io/
 Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz
 Source1: baselibs.conf
-# to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib
-Patch0: gd-config.patch
 # might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir)
 Patch1: gd-fontpath.patch
 # could be upstreamed, but not in this form (need ac check for attribute format printf, etc.)
 Patch2: gd-format.patch
 # could be upstreamed
 Patch3: gd-aliasing.patch
-# PATCH-FIX-UPSTREAM gd-disable-freetype27-failed-tests.patch gh#libgd/libgd#302 badshah400@gmail.com -- Disable for now tests failing against freetype >= 2.7 for being too exact.
-Patch5: gd-disable-freetype27-failed-tests.patch
-# PATCH-FIX-UPSTREAM gd-test-unintialized-var.patch badshah400@gmail.com -- Initialise a variable in tests/gd2/gd2_read.c to 0 to prevent it from failing to compile with -Werror (only causes problems in no ix86 arch surprisingly); patch sent upstream
-Patch6: gd-test-unintialized-var.patch
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: fontconfig-devel
-BuildRequires: freetype2-devel
+# PATCH-FIX-UPSTREAM:
+Patch4: gd-freetype.patch
+# needed for tests
+BuildRequires: dejavu
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
-BuildRequires: libtiff-devel
-BuildRequires: libtool
-BuildRequires: libwebp-devel
-BuildRequires: pkg-config
-BuildRequires: xorg-x11-libX11-devel
-BuildRequires: xorg-x11-libXau-devel
-BuildRequires: xorg-x11-libXdmcp-devel
-BuildRequires: xorg-x11-libXpm-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(fontconfig)
+BuildRequires: pkgconfig(freetype2)
+BuildRequires: pkgconfig(libtiff-4)
+BuildRequires: pkgconfig(libwebp)
+BuildRequires: pkgconfig(x11)
+BuildRequires: pkgconfig(xau)
+BuildRequires: pkgconfig(xdmcp)
+BuildRequires: pkgconfig(xpm)
 Provides: gdlib = %{version}
 Obsoletes: gdlib < %{version}
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
 Gd allows your code to quickly draw images complete with lines, arcs,
@@ -65,11 +57,11 @@ text, and multiple colors. It supports cut and paste from other images
 and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices)
 and is supported by PHP.
-%package -n %lname
+%package -n %{lname}
 Summary: A Drawing Library for Programs That Use PNG and JPEG Output
 Group: System/Libraries
-%description -n %lname
+%description -n %{lname}
 Gd allows your code to quickly draw images complete with lines, arcs,
 text, and multiple colors. It supports cut and paste from other images
 and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices)
@@ -78,13 +70,17 @@ and is supported by PHP.
 %package devel
 Summary: Drawing Library for Programs with PNG and JPEG Output
 Group: Development/Libraries/C and C++
-Requires: %lname = %{version}
+Requires: %{lname} = %{version}
 Requires: glibc-devel
+Requires: libjpeg-devel
 Requires: libpng-devel
-Requires: libtiff-devel
-Requires: libvpx-devel
-Requires: libwebp-devel
-Requires: zlib-devel
+Requires: pkgconfig(libtiff-4)
+Requires: pkgconfig(libwebp)
+Requires: pkgconfig(libwebpdecoder)
+Requires: pkgconfig(libwebpdemux)
+Requires: pkgconfig(libwebpmux)
+Requires: pkgconfig(vpx)
+Requires: pkgconfig(zlib)
 %description devel
 gd allows code to quickly draw images complete with lines, arcs, text,
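Review bot: The new `# PATCH-FIX-UPSTREAM:` line above `Patch4: gd-freetype.patch` carries no patch name, reference or rationale, while Patch1–3 keep their explanations and the removed Patch5/Patch6 lines followed the full `PATCH-FIX-UPSTREAM <file> <ref> -- <why>` form. Suggest `# PATCH-FIX-UPSTREAM gd-freetype.patch gh#libgd/libgd#302 -- upstream commit a5570d3e: disable FreeType subpixel hinting in two tests so make check passes with freetype >= 2.7`. Recording the upstream commit id and issue number is what lets a later maintainer verify the carried copy against upstream and drop it once the base tarball contains the fix; both values are visible in the patch header added earlier in this diff.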
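Review bot: The devel subpackage now requires `pkgconfig(vpx)`, `pkgconfig(libwebpdecoder)`, `pkgconfig(libwebpdemux)` and `pkgconfig(libwebpmux)`, but the BuildRequires list rewritten earlier in this diff only has `pkgconfig(libwebp)` and nothing for vpx, so the -devel package forces headers onto consumers that the library itself was not built against. Presumably the intent is to mirror the Requires/Libs.private of the installed gdlib.pc; check that file in 2.2.4 and make the two lists agree, dropping `Requires: pkgconfig(vpx)` if gd 2.2.4 has no libvpx dependency. The old spec had the same mismatch with `libvpx-devel`, so this is carried over rather than introduced here.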
@@ -95,53 +91,41 @@ the formats accepted for inline images by most browsers.
 %prep
 %setup -q -n %{prjname}-%{version}
-%patch0
 %patch1
 %patch2
 %patch3
-%patch5 -p1
-%patch6 -p1
+%patch4 -p1
 %build
-autoreconf -fiv
-
-# ADDITIONAL CFLAGS ARE NEEDED TO FIX TEST FAILURES IN CASE OF i586, BUT HARMLESS TO APPLY GENERALLY FOR ALL ix86
-%ifarch %{ix86}
-export CFLAGS="%optflags -msse -mfpmath=sse"
-%else
-%ifnarch x86_64
-export CFLAGS="%optflags -ffp-contract=off"
-%endif
-%endif
-
 # without-x -- useless switch which just mangles cflags
 %configure \
+    --disable-silent-rules \
+    --disable-werror \
+    --without-liq \
     --without-x \
     --with-fontconfig \
     --with-freetype \
     --with-jpeg \
     --with-png \
     --with-xpm \
-    --disable-static \
-    --with-pic
-
+    --with-webp \
+    --with-zlib \
+    --disable-static
 make %{?_smp_mflags}
 %check
 make check %{?_smp_mflags}
 %install
-make DESTDIR=%{buildroot} install %{?_smp_mflags}
+%make_install
 find %{buildroot} -type f -name "*.la" -delete -print
-%post -n %lname -p /sbin/ldconfig
-
-%postun -n %lname -p /sbin/ldconfig
+%post -n %{lname} -p /sbin/ldconfig
+%postun -n %{lname} -p /sbin/ldconfig
 %files
-%defattr(-,root,root)
-%doc COPYING NEWS examples
+%doc COPYING
 %{_bindir}/annotate
 %{_bindir}/bdftogd
 %{_bindir}/gd2copypal
@@ -155,13 +139,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_bindir}/pngtogd2
 %{_bindir}/webpng
-%files -n %lname
-%defattr(-,root,root)
+%files -n %{lname}
 %doc COPYING
 %{_libdir}/*.so.*
 %files devel
-%defattr(-,root,root)
 %doc COPYING
 %{_bindir}/gdlib-config
 %{_includedir}/*
diff --git a/libgd-2.2.3.tar.xz b/libgd-2.2.3.tar.xz
deleted file mode 100644
index 7e579dd..0000000
--- a/libgd-2.2.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c
-size 2164152
diff --git a/libgd-2.2.4.tar.xz b/libgd-2.2.4.tar.xz
new file mode 100644
index 0000000..46c5744
--- /dev/null
+++ b/libgd-2.2.4.tar.xz
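Review bot: `%build` drops the `%ifarch %{ix86}` block whose own comment said its `-msse -mfpmath=sse` flags were needed to fix test failures on i586, yet `%check` still runs `make check` unconditionally, so 32-bit builds may fail in %check again unless 2.2.4 fixed the underlying float-rounding tests; the commit does not say. If this was verified, a one-line note in %build such as `# i586 float workaround (-mfpmath=sse) dropped: not needed since 2.2.4` would spare the next maintainer a bisect, and if it was not, the block should stay until a 32-bit build has been seen to pass. The same hunk also removes `autoreconf -fiv` together with the autoconf/automake/libtool BuildRequires dropped above, which is only safe if none of Patch1–3 touch configure.ac or Makefile.am; that cannot be confirmed from the diff.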
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:137f13a7eb93ce72e32ccd7cebdab6874f8cf7ddf31d3a455a68e016ecd9e4e6
+size 2478528