authorBrad Bishop <bradleyb@fuzziesquirrel.com>2019-10-07 16:34:48 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2019-10-07 16:34:54 +0300
commit4fe7a1353f8f7f96c7407caa3352fa50fcce5aa3 (patch)
treee1e898e098bec469e02e357983dae7436a072235 /meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2019-6978.patch
parent00e122a7b3a839f5ce8b819cb1bfe92cf3781eda (diff)
meta-openembedded: subtree update:e6d76b05a7..01d539b324
Adrian Ratiu (1): renderdoc: add x11 to REQUIRED_DISTRO_FEATURES Callaghan, Dan (2): firewalld: update to 0.7.1 strongswan: install dev headers George McCollister (1): wireshark: fix qt5 build Jean-Marie LEMETAYER (1): python-toml: add recipes for python2 and python3 Khem Raj (1): xscreensaver: Remove xserver-nodm-init rdep Maciej Pijanowski (1): smem: package smemcap separately Ovidiu Panait (1): kea: Disable parallel install Peiran Hong (1): zabbix: upgrade 3.0.9 -> 4.2.6 Randy MacLeod (1): libteam: update from 1.28 to 1.29 Trevor Gamblin (2): php: fix CVE-2019-6978 gd: fix CVE-2019-6978 Change-Id: I2c308ff46213876c1d74f42b5d9f9e52946bbf02 Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2019-6978.patch')
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2019-6978.patch192
1 files changed, 192 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2019-6978.patch b/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2019-6978.patch
new file mode 100644
index 000000000..b7cdfd964
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2019-6978.patch
@@ -0,0 +1,192 @@
+From 089f7c0bc28d399b0420aa6ef058e4c1c120b2ae Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 19 Jan 2019 10:35:39 +0100
+Subject: [PATCH] Sync with upstream
+
+Even though libgd/libgd#492 is not a relevant bug fix for PHP, since
+the binding doesn't use the `gdImage*Ptr()` functions at all, we're
+porting the fix to stay in sync here.
+---
+ ext/gd/libgd/gd_gif_out.c | 20 +++++++++++++++++---
+ ext/gd/libgd/gd_jpeg.c | 17 ++++++++++++++---
+ ext/gd/libgd/gd_wbmp.c | 18 +++++++++++++++---
+ 3 files changed, 46 insertions(+), 9 deletions(-)
+
+Upstream-Status: Backport [http://git.php.net/?p=php-src.git;a=commit;h=089f7c0bc28d399b0420aa6ef058e4c1c120b2ae]
+CVE: CVE-2019-6978
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+diff --git a/ext/gd/libgd/gd_gif_out.c b/ext/gd/libgd/gd_gif_out.c
+index 1f2a6b936a..2e1f38af70 100644
+--- a/ext/gd/libgd/gd_gif_out.c
++++ b/ext/gd/libgd/gd_gif_out.c
+@@ -97,12 +97,18 @@ static void cl_hash (register count_int chsize, GifCtx *ctx);
+ static void char_init (GifCtx *ctx);
+ static void char_out (int c, GifCtx *ctx);
+ static void flush_char (GifCtx *ctx);
++
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
++
+ void * gdImageGifPtr (gdImagePtr im, int *size)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImageGifCtx (im, out);
+- rv = gdDPExtractData (out, size);
++ if (!_gdImageGifCtx(im, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free (out);
+ return rv;
+ }
+@@ -115,6 +121,12 @@ void gdImageGif (gdImagePtr im, FILE * outFile)
+ }
+
+ void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
++{
++ _gdImageGifCtx(im, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+ gdImagePtr pim = 0, tim = im;
+ int interlace, BitsPerPixel;
+@@ -125,7 +137,7 @@ void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ based temporary image. */
+ pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+ if (!pim) {
+- return;
++ return 1;
+ }
+ tim = pim;
+ }
+@@ -138,6 +150,8 @@ void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ /* Destroy palette based temporary image. */
+ gdImageDestroy( pim);
+ }
++
++ return 0;
+ }
+
+ static int
+diff --git a/ext/gd/libgd/gd_jpeg.c b/ext/gd/libgd/gd_jpeg.c
+index 8cf71fcbc9..ef46c4a22c 100644
+--- a/ext/gd/libgd/gd_jpeg.c
++++ b/ext/gd/libgd/gd_jpeg.c
+@@ -132,6 +132,7 @@ const char * gdJpegGetVersionString()
+ }
+ }
+
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
+
+ /*
+ * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+@@ -153,8 +154,11 @@ void *gdImageJpegPtr (gdImagePtr im, int *size, int quality)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImageJpegCtx (im, out, quality);
+- rv = gdDPExtractData (out, size);
++ if (!_gdImageJpegCtx(im, out, quality)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free (out);
+
+ return rv;
+@@ -163,6 +167,12 @@ void *gdImageJpegPtr (gdImagePtr im, int *size, int quality)
+ void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
+
+ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
++{
++ _gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ struct jpeg_compress_struct cinfo;
+ struct jpeg_error_mgr jerr;
+@@ -184,7 +194,7 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ if (row) {
+ gdFree (row);
+ }
+- return;
++ return 1;
+ }
+
+ cinfo.err->error_exit = fatal_jpeg_error;
+@@ -277,6 +287,7 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ jpeg_finish_compress (&cinfo);
+ jpeg_destroy_compress (&cinfo);
+ gdFree (row);
++ return 0;
+ }
+
+ gdImagePtr gdImageCreateFromJpeg (FILE * inFile)
+diff --git a/ext/gd/libgd/gd_wbmp.c b/ext/gd/libgd/gd_wbmp.c
+index 55ced3443d..fd9edad2ca 100644
+--- a/ext/gd/libgd/gd_wbmp.c
++++ b/ext/gd/libgd/gd_wbmp.c
+@@ -82,6 +82,7 @@ int gd_getin (void *in)
+ return (gdGetC((gdIOCtx *) in));
+ }
+
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
+
+ /* gdImageWBMPCtx
+ ** --------------
+@@ -93,6 +94,12 @@ int gd_getin (void *in)
+ ** out: the stream where to write
+ */
+ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
++{
++ _gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+ int x, y, pos;
+ Wbmp *wbmp;
+@@ -100,7 +107,7 @@ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+ /* create the WBMP */
+ if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL) {
+ gd_error("Could not create WBMP");
+- return;
++ return 1;
+ }
+
+ /* fill up the WBMP structure */
+@@ -116,7 +123,9 @@ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+
+ /* write the WBMP to a gd file descriptor */
+ if (writewbmp (wbmp, &gd_putout, out)) {
++ freewbmp(wbmp);
+ gd_error("Could not save WBMP");
++ return 1;
+ }
+ /* des submitted this bugfix: gdFree the memory. */
+ freewbmp(wbmp);
+@@ -204,8 +213,11 @@ void * gdImageWBMPPtr (gdImagePtr im, int *size, int fg)
+ {
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+- gdImageWBMPCtx(im, fg, out);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageWBMPCtx(im, fg, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+
+ return rv;
+--
+2.17.1
+
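Review bot: In all three `*Ptr` wrappers this backport touches (`gdImageGifPtr`, `gdImageJpegPtr`, `gdImageWBMPPtr`), the result of `gdNewDynamicCtx (2048, NULL)` is still dereferenced through `out->gd_free (out)` without a check. If that allocator can return NULL in this build, the new failure handling is never reached; a guard such as `if (out == NULL) return NULL;` right after the allocation would close that gap. The new `rv = NULL` branch also leaves `*size` unwritten, so a comment on each wrapper such as `/* returns NULL on failure; *size is not set in that case */` would tell callers to test the pointer before trusting the length. Both points concern the carried upstream code, so they are probably better raised upstream than patched locally, which keeps the `Upstream-Status: Backport` line accurate.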