Subject: CVS commit: pkgsrc/graphics/gd
From: Adam Ciarcinski
Date: 2016-08-02 20:29:21
Message id: 20160802182921.50E38FBB5@cvs.NetBSD.org

Log Message:
We welcome the 2.2.3 release around a month after 2.2.2 (we are getting
consistent). Another important milestone in the GD 2.2 series.

Security related fixes: These flaws are caused by loading data from external
sources (file, custom ctx, etc.) and are hard to validate before calling libgd
APIs:
* fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
* bug 247, A read out-of-bounds was found in the parsing of TGA files (CVE-2016-6132)
* also bug 247, Buffer over-read issue when parsing crafted TGA file (CVE-2016-6214)
* bug 248, fix Out-Of-Bounds Read in read_image_tga

Using application provided parameters, in these cases invalid data causes the issues:
* Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
* fix php bug 72494, invalid color index not handled, can lead to crash (CVE-2016-6128)
* improve color check for CropThreshold

Important update:
* gdImageCopyResampled has been improved. Better handling of images with alpha
channel, also brings libgd in sync with php's bundled gd.

Files:
Revision  Action  File
1.111     modify  pkgsrc/graphics/gd/Makefile
1.37      modify  pkgsrc/graphics/gd/buildlink3.mk
1.41      modify  pkgsrc/graphics/gd/distinfo
1.5       modify  pkgsrc/graphics/gd/options.mk
1.19      remove  pkgsrc/graphics/gd/patches/patch-aa
1.10      remove  pkgsrc/graphics/gd/patches/patch-ab
1.1       remove  pkgsrc/graphics/gd/patches/patch-configure
1.1       remove  pkgsrc/graphics/gd/patches/patch-configure.ac
1.2       remove  pkgsrc/graphics/gd/patches/patch-src_gd__bmp.c
1.1       remove  pkgsrc/graphics/gd/patches/patch-src_gd__crop.c
1.1       remove  pkgsrc/graphics/gd/patches/patch-src_webpimg.c