Commit Graph

21 Commits

Author SHA1 Message Date
Peter Korsgaard
3b85d24c1d gd: security bump to version 2.2.5
Fixes the following security issues:

CVE-2017-6362: Double-free in gdImagePngPtr()
CVE-2017-7890: Buffer over-read into uninitialized memory

Drop patches that are no longer needed:

0001-gdlib-config.patch: @LIBICONV@ is nowadays correct AC_SUBST'ed by
configure

0002-gd_bmp-fix-build-with-uClibc.patch: upstream uses ceil() since
6913dd3cd2

While we're at it, add a hash for the license file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-08 11:13:57 +02:00
Gustavo Zacarias
39885cc5b0 gd: security bump to version 2.2.4
Fixes:
CVE-2016-9317 - gdImageCreate() doesn't check for oversized images and
as such is prone to DoS vulnerabilities.
CVE-2016-6912 - double-free in gdImageWebPtr()
(without CVE):
Potential unsigned underflow in gd_interpolation.c
DOS vulnerability in gdImageCreateFromGd2Ctx()
Signed Integer Overflow gd_io.c

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-01-19 15:09:12 +01:00
Peter Korsgaard
81dc283a00 gd: security bump to version 2.2.3
Security related fixes:
These flaws are caused by loading data from external sources (file, custom ctx,
etc.), which is hard to validate before calling libgd APIs:

- fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
- bug , fix Out-Of-Bounds Read in read_image_tga
- gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)

Using application-provided parameters, in these cases invalid data causes
the issues:

- Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
- fix php bug 72494, invalid color index not handled, can lead to crash (CVE-2016-6128)
- improve color check for CropThreshold

The build system now enables -Wall and -Werror by default, so pass
--disable-werror to disable that.  Notice that this issue has been fixed
upstream post-2.2.3:

https://github.com/libgd/libgd/issues/339

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-01-04 17:01:42 +01:00
Gustavo Zacarias
ecc43a771a gd: security bump to version 2.2.2
Drop upstreamed patches.
Drop autoreconf since it's no longer required.
Patch 0002-no-zlib.patch is no longer required, and is in fact harmful.
Update homepage URL.

Fixes:
CVE-2015-8874 - Stack overflow with gdImageFillToBorder
CVE-2016-3074 - gd2: handle corrupt images better
CVE-2016-5767 - Integer Overflow in gdImagePaletteToTrueColor()
resulting in heap overflow

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-06-26 22:59:36 +02:00
Bernd Kuhls
39aeec0801 package/gd: Switch from libvpx to webp
Since bumping libvpx to 1.4.0
http://git.buildroot.net/buildroot/commit/package/libvpx?id=7d9a0c4d3960bb470e993494ac350b1415b72442

building gd was broken.
This patch adds some upstream commits which switch the dependency from libvpx to webp.

Fixes
http://autobuild.buildroot.net/results/046/046dd505feb5e92bdee3d0993366be162da1223a/
http://autobuild.buildroot.net/results/617/61739df0009015451ba78a7ca335dcc0d0dedcc8/
http://autobuild.buildroot.net/results/526/526550e73581a91427b394d566d3389554ee90ed/
http://autobuild.buildroot.net/results/b89/b89d7e3a1fc9403984bcd6462b8fd8d1196f2095/
http://autobuild.buildroot.net/results/dfe/dfed2b62aad83cc960ba3c93b7f0a994f18ad22a/
http://autobuild.buildroot.net/results/a91/a919d2bcbbd573e7a5556fbcdea053d4d451dd50/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-10 21:54:40 +02:00
Bernd Kuhls
9604bdde20 package/gd: Add dependency to libvpx
Needed to get reproducible builds and to reproduce this build error:
http://autobuild.buildroot.net/results/046/046dd505feb5e92bdee3d0993366be162da1223a/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-10 21:54:10 +02:00
Gustavo Zacarias
691fc0a198 gd: bump to version 2.1.1
Also add hash file.
Remove CVE patch since it's upstream.
Rename patches to new naming convention.
Kill some whitespace.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-15 09:36:01 +01:00
Bernd Kuhls
668efc5fbf package/gd: Add explicit support for tiff
This ensures reproducible builds.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-10 15:28:00 +01:00
Bernd Kuhls
0eb957758b package/gd: fix build when libiconv is enabled
First of two patches to fix
http://autobuild.buildroot.net/results/238/2386edb7f95920e84a35811a33f4333ee0a7a860/

gd links against libiconv if it is already built, so depend on libiconv
to get reproducible builds.

readelf output without libiconv present:
$ output/host/opt/ext-toolchain/bfin-linux-uclibc/bin/bfin-linux-uclibc-readelf \
  -a output/staging/usr/lib/libgd.a | grep iconv
    15: 00000000    12 FUNC    GLOBAL HIDDEN     1 _iconv_open
    16: 0000000c    12 FUNC    GLOBAL HIDDEN     1 _iconv
    17: 00000018    12 FUNC    GLOBAL HIDDEN     1 _iconv_close

readelf output with libiconv present:
$ output/host/opt/ext-toolchain/bfin-linux-uclibc/bin/bfin-linux-uclibc-readelf \
  -a output/staging/usr/lib/libgd.a | grep iconv
000000e4  0000100a R_BFIN_PCREL24    00000000   _libiconv_open + 0
00000140  0000140a R_BFIN_PCREL24    00000000   _libiconv + 0
0000019a  0000160a R_BFIN_PCREL24    00000000   _libiconv_close + 0
    16: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND _libiconv_open
    20: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND _libiconv
    22: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND _libiconv_close

[Peter: also add to LIBS so it ends up in gdlib-config --libs output]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-30 23:31:01 +01:00
Peter Korsgaard
ccec35e342 gd: use pkg-config to figure out png linker flags
So gdlib-config --libs returns the full dependency chain (-lpng16 -lz -m)
when linking statically.

Fixes http://autobuild.buildroot.net/results/dac/dac3eb950c7c27b2f09f001f9db9936f897721f9/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-25 15:57:11 +01:00
Peter Korsgaard
46c644310c gd: needs host-pkgconf
configure uses PKG_CHECK_MODULES, so it needs to depend on host-pkgconf.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-25 15:52:09 +01:00
Peter Korsgaard
e6debc2e07 gd: fix pthread related static linking issue for utilities
gd forgets to link utilities with -pthread even though it uses pthreads,
causing linking errors with static linking.

Fixes http://autobuild.buildroot.net/results/156/1564b8de7785c1a756bead1a4160a2b6e2a2243e/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-10-27 00:54:01 +01:00
Thomas De Schampheleire
aaffd209fa packages: rename FOO_CONF_OPT into FOO_CONF_OPTS
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.

Sed command used:
   find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-04 18:54:16 +02:00
Jerzy Grzegorek
c7f4b96471 package: remove the trailing slash sign from <PKG>_SITE variable
Since the trailing slash is stripped from $($(PKG)_SITE) by pkg-generic.mk:

$(call DOWNLOAD,$($(PKG)_SITE:/=)/$($(PKG)_SOURCE))

it is redundant.
This patch removes it from the $(PKG)_SITE variable for BR consistency.

Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-07-31 23:17:46 +02:00
Baruch Siach
c6f86d593c gd: bump to version 2.1.0
Drop obsolete/applied patches. Refresh the rest, and add sequence numbers.

Add a patch fixing build against uClibc when UCLIBC_HAS_LONG_DOUBLE_MATH is
missing.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-04-14 22:47:52 +02:00
Baruch Siach
1c53dd65b2 gd: fix static build with threads
Fixes:
http://autobuild.buildroot.net/results/4b4/4b4272876385cc21dd06ee946d658b8f9e225d78/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-04-10 22:27:20 +02:00
Thomas Petazzoni
a5ce857674 package: use <pkg>_CONFIG_SCRIPTS wherever possible
Use the <pkg>_CONFIG_SCRIPTS mechanism in all packages for which it
does everything the package was doing. A few packages, like libxslt, are
for now left out, since they need some additional fixup (for example a
fixup of includedir).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-02-08 22:34:26 +01:00
Peter Korsgaard
e81e2770af gd: explicitly disable freetype support when not available
Otherwise it will try to run freetype-config from the host to check
for availability.

Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-01-18 23:22:32 +01:00
Jean-Christian de Rivaz
7b69814d48 gd: ensure libpng-config from staging is used
The gd package's configure script calls 'libpng-config' to get the compiler
flags required to use libpng. The configure script correctly allows
specifying the path of the staging libpng-config by using
ac_cv_path_LIBPNG_CONFIG, but configure.ac simply calls
'libpng-config' instead of the specified one. configure.ac is now
modified to call the specified libpng_config.

[Peter: explicitly pass --without-png instead of auto detect]
Signed-off-by: Jean-Christian de Rivaz <jc@eclis.ch>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-01-18 23:22:27 +01:00
Peter Korsgaard
d97187f8c8 gd: fix build with freetype but without fontconfig
Fixes http://autobuild.buildroot.net/results/3309617d2d5e14c0713dbaf9185815d79293e33b

Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-12-04 12:47:19 -08:00
Peter Korsgaard
d0a13821d7 package: add gd package
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-11-27 11:21:06 -08:00