pool/gd
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 508757 from home:scarabeus_iv:branches:graphics

Browse Source 
- Version update to 2.2.4:
  * gdImageCreate() doesn't check for oversized images and as such is prone
    to DoS vulnerabilities. (CVE-2016-9317) bsc#1022283
  * double-free in gdImageWebPtr() (CVE-2016-6912) bsc#1022284
  * potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
    bsc#1022263
  * DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
    bsc#1022264
  * Signed Integer Overflow gd_io.c (CVE-2016-10168) bsc#1022265
- Remove patches merged/obsoleted by upstream:
  * gd-config.patch
  * gd-disable-freetype27-failed-tests.patch
  * gd-test-unintialized-var.patch
- Add patch gd-freetype.patch taking patch from upstream for
  freetype 2.7

OBS-URL: https://build.opensuse.org/request/show/508757
OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=37
This commit is contained in:
Petr Gajdos 2017-07-17 08:28:43 +00:00 committed by Git OBS Bridge
parent 084c792f83
commit b783cebdcb
8 changed files with 111 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
gd-config.patch
View File

@ -1,13 +0,0 @@
Index: config/gdlib-config.in
===================================================================
--- config/gdlib-config.in.orig 2013-06-25 11:58:23.000000000 +0200
+++ config/gdlib-config.in 2013-12-18 10:00:24.635577307 +0100
@@ -71,7 +71,7 @@
echo @LDFLAGS@
;;
--libs)
- echo -lgd @LIBS@ @LIBICONV@
+ echo -lgd
;;
--cflags|--includes)
echo -I@includedir@

47
gd-disable-freetype27-failed-tests.patch
View File

@ -1,47 +0,0 @@
Two tests: freetype/bug00132 and gdimagestringft fail with freetype >= 2.7
for being too exact/strict, as acknowledged by upstream. Let us disable these
tests for now, as the impact is understood to be "slight". See discussion
in the issue tracker.
Issue: https://github.com/libgd/libgd/issues/302
Index: libgd-2.2.3/tests/CMakeLists.txt
===================================================================
--- libgd-2.2.3.orig/tests/CMakeLists.txt
+++ libgd-2.2.3/tests/CMakeLists.txt
@@ -19,7 +19,6 @@ if (BUILD_TEST)
SET(TESTS_DIRS
bmp
- freetype
gd
gd2
gdimagearc
@@ -50,7 +49,6 @@ if (BUILD_TEST)
gdimagescale
gdimagescatterex
gdimagesetpixel
- gdimagestringft
gdimagestringftex
gdimagetruecolortopalette
gdinterpolatedscale
Index: libgd-2.2.3/tests/Makefile.am
===================================================================
--- libgd-2.2.3.orig/tests/Makefile.am
+++ libgd-2.2.3/tests/Makefile.am
@@ -13,7 +13,6 @@ EXTRA_DIST =
TESTS =
include bmp/Makemodule.am
-include freetype/Makemodule.am
include gd/Makemodule.am
include gd2/Makemodule.am
include gdimagearc/Makemodule.am
@@ -44,7 +43,6 @@ include gdimagerotate/Makemodule.am
include gdimagescale/Makemodule.am
include gdimagescatterex/Makemodule.am
include gdimagesetpixel/Makemodule.am
-include gdimagestringft/Makemodule.am
include gdimagestringftex/Makemodule.am
include gdimagetruecolortopalette/Makemodule.am
include gdinterpolatedscale/Makemodule.am

51
gd-freetype.patch Normal file
View File

@ -0,0 +1,51 @@
From a5570d3ed30ff76c2a8bdd54f4ab1825acca0143 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sun, 29 Jan 2017 17:07:50 +0100
Subject: [PATCH] Fix #302: Test suite fails with freetype 2.7
Actually, the test failures are not necessarily related to freetype
2.7, but rather are caused by subpixel hinting which is enabled by
default in freetype 2.7. Subpixel hinting is, however, already
available in freetype 2.5 and in versions having the "Infinality"
patch.
To get the expected results in all environments, we have to disable
subpixel hinting, what is easily done by setting a respective
environment variable.
See also:
* https://www.freetype.org/freetype2/docs/subpixel-hinting.html
* https://www.freetype.org/freetype2/docs/reference/ft2-tt_driver.html
---
tests/freetype/bug00132.c | 3 +++
tests/gdimagestringft/gdimagestringft_bbox.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/tests/freetype/bug00132.c b/tests/freetype/bug00132.c
index 713dd2d0..42ed5b17 100644
--- a/tests/freetype/bug00132.c
+++ b/tests/freetype/bug00132.c
@@ -11,6 +11,9 @@ int main()
char *path;
char *ret = NULL;
+ /* disable subpixel hinting */
+ putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
+
im = gdImageCreateTrueColor(50, 30);
if (!im) {
diff --git a/tests/gdimagestringft/gdimagestringft_bbox.c b/tests/gdimagestringft/gdimagestringft_bbox.c
index 0161ec81..1596a9e7 100644
--- a/tests/gdimagestringft/gdimagestringft_bbox.c
+++ b/tests/gdimagestringft/gdimagestringft_bbox.c
@@ -38,6 +38,9 @@ int main()
int error = 0;
FILE *fp;
+ /* disable subpixel hinting */
+ putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
+
path = gdTestFilePath("freetype/DejaVuSans.ttf");
im = gdImageCreate(800, 800);
gdImageColorAllocate(im, 0xFF, 0xFF, 0xFF); /* allocate white for background color */

13
gd-test-unintialized-var.patch
View File

@ -1,13 +0,0 @@
Index: libgd-2.2.3/tests/gd2/gd2_read.c
===================================================================
--- libgd-2.2.3.orig/tests/gd2/gd2_read.c
+++ libgd-2.2.3/tests/gd2/gd2_read.c
@@ -5,7 +5,7 @@
int main(int argc, char *argv[])
{
- int error, i = 0;
+ int error = 0, i = 0;
gdImagePtr im, exp;
FILE *fp;
char *path[] = {

19
gd.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Fri Jul 7 10:54:11 UTC 2017 - tchvatal@suse.com
- Version update to 2.2.4:
* gdImageCreate() doesn't check for oversized images and as such is prone
to DoS vulnerabilities. (CVE-2016-9317) bsc#1022283
* double-free in gdImageWebPtr() (CVE-2016-6912) bsc#1022284
* potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
bsc#1022263
* DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
bsc#1022264
* Signed Integer Overflow gd_io.c (CVE-2016-10168) bsc#1022265
- Remove patches merged/obsoleted by upstream:
* gd-config.patch
* gd-disable-freetype27-failed-tests.patch
* gd-test-unintialized-var.patch
- Add patch gd-freetype.patch taking patch from upstream for
freetype 2.7
-------------------------------------------------------------------
Fri Dec 9 17:09:40 UTC 2016 - pgajdos@suse.com

94
gd.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package gd
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,11 +17,9 @@
%define prjname libgd
%define lname libgd3
Name: gd
Version: 2.2.3
Version: 2.2.4
Release: 0
Summary: A Drawing Library for Programs That Use PNG and JPEG Output
License: MIT
@ -29,35 +27,29 @@ Group: System/Libraries
Url: https://libgd.github.io/
Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz
Source1: baselibs.conf
# to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib
Patch0: gd-config.patch
# might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir)
Patch1: gd-fontpath.patch
# could be upstreamed, but not in this form (need ac check for attribute format printf, etc.)
Patch2: gd-format.patch
# could be upstreamed
Patch3: gd-aliasing.patch
# PATCH-FIX-UPSTREAM gd-disable-freetype27-failed-tests.patch gh#libgd/libgd#302 badshah400@gmail.com -- Disable for now tests failing against freetype >= 2.7 for being too exact.
Patch5: gd-disable-freetype27-failed-tests.patch
# PATCH-FIX-UPSTREAM gd-test-unintialized-var.patch badshah400@gmail.com -- Initialise a variable in tests/gd2/gd2_read.c to 0 to prevent it from failing to compile with -Werror (only causes problems in no ix86 arch surprisingly); patch sent upstream
Patch6: gd-test-unintialized-var.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: fontconfig-devel
BuildRequires: freetype2-devel
# PATCH-FIX-UPSTREAM:
Patch4: gd-freetype.patch
# needed for tests
BuildRequires: dejavu
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libtiff-devel
BuildRequires: libtool
BuildRequires: libwebp-devel
BuildRequires: pkg-config
BuildRequires: xorg-x11-libX11-devel
BuildRequires: xorg-x11-libXau-devel
BuildRequires: xorg-x11-libXdmcp-devel
BuildRequires: xorg-x11-libXpm-devel
BuildRequires: pkgconfig
BuildRequires: pkgconfig(fontconfig)
BuildRequires: pkgconfig(freetype2)
BuildRequires: pkgconfig(libtiff-4)
BuildRequires: pkgconfig(libwebp)
BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xau)
BuildRequires: pkgconfig(xdmcp)
BuildRequires: pkgconfig(xpm)
Provides: gdlib = %{version}
Obsoletes: gdlib < %{version}
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Gd allows your code to quickly draw images complete with lines, arcs,
@ -65,11 +57,11 @@ text, and multiple colors. It supports cut and paste from other images
and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices)
and is supported by PHP.
%package -n %lname
%package -n %{lname}
Summary: A Drawing Library for Programs That Use PNG and JPEG Output
Group: System/Libraries
%description -n %lname
%description -n %{lname}
Gd allows your code to quickly draw images complete with lines, arcs,
text, and multiple colors. It supports cut and paste from other images
and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices)
@ -78,13 +70,17 @@ and is supported by PHP.
%package devel
Summary: Drawing Library for Programs with PNG and JPEG Output
Group: Development/Libraries/C and C++
Requires: %lname = %{version}
Requires: %{lname} = %{version}
Requires: glibc-devel
Requires: libjpeg-devel
Requires: libpng-devel
Requires: libtiff-devel
Requires: libvpx-devel
Requires: libwebp-devel
Requires: zlib-devel
Requires: pkgconfig(libtiff-4)
Requires: pkgconfig(libwebp)
Requires: pkgconfig(libwebpdecoder)
Requires: pkgconfig(libwebpdemux)
Requires: pkgconfig(libwebpmux)
Requires: pkgconfig(vpx)
Requires: pkgconfig(zlib)
%description devel
gd allows code to quickly draw images complete with lines, arcs, text,
@ -95,53 +91,41 @@ the formats accepted for inline images by most browsers.
%prep
%setup -q -n %{prjname}-%{version}
%patch0
%patch1
%patch2
%patch3
%patch5 -p1
%patch6 -p1
%patch4 -p1
%build
autoreconf -fiv
# ADDITIONAL CFLAGS ARE NEEDED TO FIX TEST FAILURES IN CASE OF i586, BUT HARMLESS TO APPLY GENERALLY FOR ALL ix86
%ifarch %{ix86}
export CFLAGS="%optflags -msse -mfpmath=sse"
%else
%ifnarch x86_64
export CFLAGS="%optflags -ffp-contract=off"
%endif
%endif
# without-x -- useless switch which just mangles cflags
%configure \
--disable-silent-rules \
--disable-werror \
--without-liq \
--without-x \
--with-fontconfig \
--with-freetype \
--with-jpeg \
--with-png \
--with-xpm \
--disable-static \
--with-pic
--with-webp \
--with-zlib \
--disable-static
make %{?_smp_mflags}
%check
make check %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%post -n %{lname} -p /sbin/ldconfig
%postun -n %{lname} -p /sbin/ldconfig
%files
%defattr(-,root,root)
%doc COPYING NEWS examples
%doc COPYING
%{_bindir}/annotate
%{_bindir}/bdftogd
%{_bindir}/gd2copypal
@ -155,13 +139,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_bindir}/pngtogd2
%{_bindir}/webpng
%files -n %lname
%defattr(-,root,root)
%files -n %{lname}
%doc COPYING
%{_libdir}/*.so.*
%files devel
%defattr(-,root,root)
%doc COPYING
%{_bindir}/gdlib-config
%{_includedir}/*

3
libgd-2.2.3.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c
size 2164152

3
libgd-2.2.4.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:137f13a7eb93ce72e32ccd7cebdab6874f8cf7ddf31d3a455a68e016ecd9e4e6
size 2478528