[Buildroot] [PATCH] package/gd: add post-2.2.5 security fixes from upstream

Peter Korsgaard peter at korsgaard.com
Wed Oct 30 12:28:43 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerablities:
 > - CVE-2018-1000222: Libgd version 2.2.5 contains a Double Free Vulnerability
 >   vulnerability in gdImageBmpPtr Function that can result in Remote Code
 >   Execution .  This attack appear to be exploitable via Specially Crafted
 >   Jpeg Image can trigger double free

 > - CVE-2018-5711: gd_gif_in.c in the GD Graphics Library (aka libgd), as used
 >   in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
 >   before 7.2.1, has an integer signedness error that leads to an infinite
 >   loop via a crafted GIF file, as demonstrated by a call to the
 >   imagecreatefromgif or imagecreatefromstring PHP function

 > - CVE-2019-11038: When using the gdImageCreateFromXbm() function in the GD
 >   Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP
 >   versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it
 >   is possible to supply data that will cause the function to use the value
 >   of uninitialized variable.  This may lead to disclosing contents of the
 >   stack that has been left there by previous code

 > - CVE-2019-6978: The GD Graphics Library (aka LibGD) 2.2.5 has a double free
 >   in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>


Committed to 2019.02.x and 2019.08.x, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list