package/giflib/0003-Fix-CVE-2023-39742.patch: New security patch

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> [yann.morin.1998@free.fr: extend GIFLIB_IGNORE_CVES] Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-05 16:59:18 -07:00 · 2023-12-05 16:59:18 -07:00 · 74253ffee5
commit 74253ffee5
parent 4a93a83196
2 changed files with 38 additions and 0 deletions
--- a/package/giflib/0003-Fix-CVE-2023-39742.patch
+++ b/package/giflib/0003-Fix-CVE-2023-39742.patch
@ -0,0 +1,36 @@
+From 4288b993ee9df6550a367fe06ede3c003dc7bbc6 Mon Sep 17 00:00:00 2001
+From: Sandro Mani <manisandro@gmail.com>
+Date: Tue, 5 Dec 2023 16:35:40 -0700
+Subject: [PATCH] Fix CVE-2023-39742
+
+From: giflib-5.2.1-17.fc39.src.rpm
+Fix segmentation faults due to non correct checking for args
+Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-39742
+Upstream: https://sourceforge.net/p/giflib/bugs/166/
+
+Signed-off-by: Sandro Mani <manisandro@gmail.com>
+Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
+---
+ getarg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/getarg.c b/getarg.c
+index d569f6c..51fbe0b 100644
+--- a/getarg.c
+++ b/getarg.c
+@@ -307,6 +307,12 @@ GAGetParmeters(void *Parameters[],
+     int i = 0, ScanRes;
+ 
+     while (!(ISSPACE(CtrlStrCopy[i]))) {
+
+        if ((*argv) == argv_end) {
+            GAErrorToken = Option;
+            return CMD_ERR_NumRead;
+        }
+
+         switch (CtrlStrCopy[i + 1]) {
+           case 'd':    /* Get signed integers. */
+               ScanRes = sscanf(*((*argv)++), "%d",
+-- 
+2.43.0
+
--- a/package/giflib/giflib.mk
+++ b/package/giflib/giflib.mk
@ -13,6 +13,8 @@ GIFLIB_CPE_ID_VENDOR = giflib_project

 # 0002-Fix-CVE-2022-28506.patch
 GIFLIB_IGNORE_CVES = CVE-2022-28506
+# 0003-Fix-CVE-2023-39742.patch
+GIFLIB_IGNORE_CVES += CVE-2023-39742

 ifeq ($(BR2_STATIC_LIBS),y)
 GIFLIB_BUILD_LIBS = static-lib