package/giflib/0003-Fix-CVE-2023-39742.patch: New security patch

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[yann.morin.1998@free.fr: extend GIFLIB_IGNORE_CVES]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Adam Duskett 2023-12-05 16:59:18 -07:00 committed by Yann E. MORIN
parent 4a93a83196
commit 74253ffee5
2 changed files with 38 additions and 0 deletions

View File

@ -0,0 +1,36 @@
From 4288b993ee9df6550a367fe06ede3c003dc7bbc6 Mon Sep 17 00:00:00 2001
From: Sandro Mani <manisandro@gmail.com>
Date: Tue, 5 Dec 2023 16:35:40 -0700
Subject: [PATCH] Fix CVE-2023-39742
From: giflib-5.2.1-17.fc39.src.rpm
Fix segmentation faults due to non correct checking for args
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-39742
Upstream: https://sourceforge.net/p/giflib/bugs/166/
Signed-off-by: Sandro Mani <manisandro@gmail.com>
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
getarg.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/getarg.c b/getarg.c
index d569f6c..51fbe0b 100644
--- a/getarg.c
+++ b/getarg.c
@@ -307,6 +307,12 @@ GAGetParmeters(void *Parameters[],
int i = 0, ScanRes;
while (!(ISSPACE(CtrlStrCopy[i]))) {
+
+ if ((*argv) == argv_end) {
+ GAErrorToken = Option;
+ return CMD_ERR_NumRead;
+ }
+
switch (CtrlStrCopy[i + 1]) {
case 'd': /* Get signed integers. */
ScanRes = sscanf(*((*argv)++), "%d",
--
2.43.0

View File

@ -13,6 +13,8 @@ GIFLIB_CPE_ID_VENDOR = giflib_project
# 0002-Fix-CVE-2022-28506.patch # 0002-Fix-CVE-2022-28506.patch
GIFLIB_IGNORE_CVES = CVE-2022-28506 GIFLIB_IGNORE_CVES = CVE-2022-28506
# 0003-Fix-CVE-2023-39742.patch
GIFLIB_IGNORE_CVES += CVE-2023-39742
ifeq ($(BR2_STATIC_LIBS),y) ifeq ($(BR2_STATIC_LIBS),y)
GIFLIB_BUILD_LIBS = static-lib GIFLIB_BUILD_LIBS = static-lib