pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2009Q3]: pkgsrc/graphics/gd Pullup ticket #2919 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/57f979ff0e47
branches:  pkgsrc-2009Q3
changeset: 399951:57f979ff0e47
user:      tron <tron%pkgsrc.org@localhost>
date:      Thu Oct 22 21:28:32 2009 +0000

description:
Pullup ticket #2919 - requested by taca
gd: security patch

Revisions pulled up:
- graphics/gd/Makefile                          1.81
- graphics/gd/distinfo                          1.30-1.31
- graphics/gd/patches/patch-ad                  1.1
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Oct 22 14:39:55 UTC 2009

Modified Files:
        pkgsrc/graphics/gd: Makefile distinfo
Added Files:
        pkgsrc/graphics/gd/patches: patch-ad

Log Message:
Fix gd library security problem referring to PHP's SVN repository.

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546

Bump PKGREVISION.
(This fix is for php5 only and I don't know about php4.)
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Oct 22 15:20:53 UTC 2009

Modified Files:
        pkgsrc/graphics/gd: distinfo

Log Message:
Oops, update distinfo.

diffstat:

 graphics/gd/Makefile         |   4 ++--
 graphics/gd/distinfo         |   3 ++-
 graphics/gd/patches/patch-ad |  18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diffs (49 lines):

diff -r c6eaf611a8ac -r 57f979ff0e47 graphics/gd/Makefile
--- a/graphics/gd/Makefile      Thu Oct 22 21:25:08 2009 +0000
+++ b/graphics/gd/Makefile      Thu Oct 22 21:28:32 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.80 2009/08/26 19:56:39 sno Exp $
+# $NetBSD: Makefile,v 1.80.2.1 2009/10/22 21:28:32 tron Exp $
 
 DISTNAME=      gd-2.0.35
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    graphics
 MASTER_SITES=  http://www.libgd.org/releases/
 EXTRACT_SUFX=  .tar.bz2
diff -r c6eaf611a8ac -r 57f979ff0e47 graphics/gd/distinfo
--- a/graphics/gd/distinfo      Thu Oct 22 21:25:08 2009 +0000
+++ b/graphics/gd/distinfo      Thu Oct 22 21:28:32 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2009/04/12 00:29:26 sno Exp $
+$NetBSD: distinfo,v 1.29.4.1 2009/10/22 21:28:32 tron Exp $
 
 SHA1 (gd-2.0.35.tar.bz2) = ccf34a610abff2dbf133a20c4d2a4aa94939018a
 RMD160 (gd-2.0.35.tar.bz2) = f452a2c333b2ba9b7b4c143983ec2af18a335516
@@ -6,3 +6,4 @@
 SHA1 (patch-aa) = 726107579811ce1f33b00bd4dbf13040c48120bb
 SHA1 (patch-ab) = 082f5baa2c147fb62381c21ecb3ce11a1891a2aa
 SHA1 (patch-ac) = d166ed4d0a3510c610e8aa233d312e15d96f4667
+SHA1 (patch-ad) = 27631984f613c4c1c6f57cea23c36ae7d48271ac
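Review bot: the added `SHA1 (patch-ad)` line is the only record tying the content of the security patch to this changeset, and the log shows it was missed in the first commit and supplied by a follow-up ("Oops, update distinfo"). Before closing the ticket, regenerate the patch checksums on the pkgsrc-2009Q3 branch and confirm the result matches the value recorded here, since a mismatch makes the package fail checksum verification instead of building with the fix.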
diff -r c6eaf611a8ac -r 57f979ff0e47 graphics/gd/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gd/patches/patch-ad      Thu Oct 22 21:28:32 2009 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-ad,v 1.1.2.2 2009/10/22 21:28:32 tron Exp $
+
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546,
+  similar chagne from PHP's SVN repositry r289557.
+
+--- gd_gd.c.orig       2006-04-06 00:52:22.000000000 +0900
++++ gd_gd.c
+@@ -44,6 +44,10 @@ _gdGetColors (gdIOCtx * in, gdImagePtr i
+           {
+             goto fail1;
+           }
++        if (im->colorsTotal > gdMaxColors)
++          {
++              goto fail1;
++          }
+       }
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))
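Review bot: the added test `if (im->colorsTotal > gdMaxColors)` in _gdGetColors bounds the palette count only from above. The read that sets colorsTotal is not shown in this hunk; if the field is a signed int and that read can leave it negative, a negative count still passes, so either reject `im->colorsTotal < 0` in the same condition or confirm that the reader can only produce non-negative values. Minor style point: the added `goto fail1;` is indented deeper than the `goto fail1;` in the context lines just above it.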


