diff -Nru libgd-perl-2.71/ChangeLog libgd-perl-2.72/ChangeLog
--- libgd-perl-2.71/ChangeLog 2019-02-12 11:22:36.000000000 +0000
+++ libgd-perl-2.72/ChangeLog 2020-07-17 19:02:21.000000000 +0000
@@ -1,3 +1,6 @@
+2.72 * fix CVE 2019-6977 colorMatch for older unpatched libgd versions.
+ This is a severe security problem, an exploitable heap-overflow.
+ See https://nvd.nist.gov/vuln/detail/CVE-2019-6977
 2.71 * skip Test::Fork on freebsd (GH #25)
 2.70 * fixes for hardened CCFLAGS with -Werror (RT #128167)
 2.69 * little spelling error, GH #29 Xavier Guimard
diff -Nru libgd-perl-2.71/debian/changelog libgd-perl-2.72/debian/changelog
--- libgd-perl-2.71/debian/changelog 2019-10-18 19:31:41.000000000 +0000
+++ libgd-perl-2.72/debian/changelog 2020-07-29 14:33:47.000000000 +0000
@@ -1,8 +1,36 @@ -libgd-perl (2.71-2build1) focal; urgency=medium +libgd-perl (2.72-2) unstable; urgency=medium - * No-change rebuild for the perl update. + * Team upload. + * Add back Breaks/Replaces/Provides an libgd-gd2-perl and + libgd-gd2-noxpm-perl. + Apparently there are still at least 13 packages in the archive depending + on them. This fact was unfortunately missed in the previous upload. + (Closes: #966498) - -- Matthias Klose Fri, 18 Oct 2019 19:31:41 +0000 + -- gregor herrmann Wed, 29 Jul 2020 16:33:47 +0200 + +libgd-perl (2.72-1) unstable; urgency=medium + + * Team upload. + * Import upstream version 2.72. + * Update build dependencies. + Drop the alternative on the ancient libgd2-xpm-dev, and make the + dependency on libgd-dev versioned to ensure we have the fixes for + CVE-2019-6977 and CVE-2019-11038. + * Update debian/copyright, remove helper files. + * Remove debian/gbp.conf. + * Declare compliance with Debian Policy 4.5.0. + * Set Rules-Requires-Root: no. + * Update Build-Depends for cross builds. + * Annotate test-only build dependencies with . + * Bump debhelper-compat to 13. + * debian/watch: use uscan version 4. + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository. + * Remove obsolete field Name from debian/upstream/metadata. + * Drop ancient Breakes/Replaces/Provides on libgd-gd2-{,noxpm-}perl. + * Drop unused debian/source/include-binaries. + + -- gregor herrmann Wed, 22 Jul 2020 19:58:57 +0200 libgd-perl (2.71-2) unstable; urgency=medium diff -Nru libgd-perl-2.71/debian/compat libgd-perl-2.72/debian/compat --- libgd-perl-2.71/debian/compat 2019-02-22 12:31:11.000000000 +0000 +++ libgd-perl-2.72/debian/compat 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -12 diff -Nru libgd-perl-2.71/debian/control libgd-perl-2.72/debian/control --- libgd-perl-2.71/debian/control 2019-02-22 12:31:11.000000000 +0000 +++ libgd-perl-2.72/debian/control 2020-07-29 14:33:47.000000000 +0000 
@@ -5,36 +5,38 @@ Section: perl Testsuite: autopkgtest-pkg-perl Priority: optional -Build-Depends: debhelper (>= 12), +Build-Depends: debhelper-compat (= 13), libextutils-pkgconfig-perl, - libfont-ttf-perl, + libfont-ttf-perl , libfreetype6-dev, - libgd-dev | libgd2-xpm-dev, - libimage-exiftool-perl, + libgd-dev (>= 2.2.5-5.2), + libimage-exiftool-perl , libjpeg-dev, libpng-dev, - libregexp-assemble-perl, + libregexp-assemble-perl , + libtest-fork-perl , libx11-dev, libxpm-dev, - libtest-fork-perl, libz-dev, - perl -Standards-Version: 4.3.0 + perl-xs-dev, + perl:native +Standards-Version: 4.5.0 Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/libgd-perl Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/libgd-perl.git Homepage: https://github.com/lstein/Perl-GD +Rules-Requires-Root: no Package: libgd-perl Architecture: any -Depends: ${shlibs:Depends}, +Depends: ${misc:Depends}, ${perl:Depends}, - ${misc:Depends} -Replaces: libgd-gd2-noxpm-perl (<= 1:2.46-2.1), - libgd-gd2-perl (<= 1:2.46-3.1) -Provides: libgd-gd2-noxpm-perl, - libgd-gd2-perl + ${shlibs:Depends} Breaks: libgd-gd2-noxpm-perl (<= 1:2.46-2.1), libgd-gd2-perl (<= 1:2.46-3.1) +Provides: libgd-gd2-noxpm-perl, + libgd-gd2-perl +Replaces: libgd-gd2-noxpm-perl (<= 1:2.46-2.1), + libgd-gd2-perl (<= 1:2.46-3.1) Description: Perl module wrapper for libgd This is a autoloadable interface module for libgd, a popular library for creating and manipulating PNG files. With this library you can diff -Nru libgd-perl-2.71/debian/copyright libgd-perl-2.72/debian/copyright --- libgd-perl-2.71/debian/copyright 2019-02-22 12:31:11.000000000 +0000 +++ libgd-perl-2.72/debian/copyright 2020-07-29 14:33:47.000000000 +0000 
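Review bot: The versioned `libgd-dev (>= 2.2.5-5.2)` added to Build-Depends only constrains the build environment; the runtime dependency of the libgd-perl binary package is whatever `${shlibs:Depends}` derives from libgd3's shlibs file, which is not visible here and may be looser than 2.2.5-5.2. If, as debian/changelog states, the intent is to guarantee the CVE-2019-6977 and CVE-2019-11038 fixes on installed systems, that needs a versioned runtime bound as well, e.g. `libgd3 (>= 2.2.5-5.2),` next to `${shlibs:Depends}`, or a comment in debian/control recording why the build-time bound is considered sufficient (the GD.xs guard compiled in for GD_VERSION <= 20205 covers 6977 at runtime, but 11038 is a libgd-side fix). The Source stanza starts before this hunk.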
@@ -5,39 +5,18 @@ Files: * Copyright: 1995-2010, Lincoln D. Stein -License-Grant: - The GD.pm interface is copyright 1995-2010, Lincoln D. Stein. This - package and its accompanying libraries is free software; you can - redistribute it and/or modify it under the terms of the GPL (either - version 1, or at your option, any later version) or the Artistic - License 2.0. Refer to LICENSE for the full license text. License: Artistic-2.0 or GPL-1+ Files: bdf_scripts/* Copyright: 2004, Cold Spring Harbor Laboratory -License-Grant: - This library is free software; you can redistribute it and/or modify - it under the same terms as Perl itself. License: Artistic or GPL-1+ Files: lib/GD/Polyline.pm Copyright: 2002, Daniel J. Harasty -License-Grant: - The Polyline.pm module is copyright 2002, Daniel J. Harasty. It is - distributed under the same terms as Perl itself. See the "Artistic - License" in the Perl source code distribution for licensing terms. License: Artistic or GPL-1+ -Comment: - Perl is licensed under either the "Artistic license" or the "GNU - General Public License" version 1 or later. Files: debian/* Copyright: 2003-2008,2010-2011,2013-2015, Jonas Smedegaard -License-Grant: - This program is free software; you can redistribute it and/or modify it - under the terms of the GNU General Public License as published by the - Free Software Foundation; either version 3, or (at your option) any - later version. License: GPL-3+ License: Artistic diff -Nru libgd-perl-2.71/debian/copyright_hints libgd-perl-2.72/debian/copyright_hints --- libgd-perl-2.71/debian/copyright_hints 2019-02-22 12:31:11.000000000 +0000 +++ libgd-perl-2.72/debian/copyright_hints 1970-01-01 00:00:00.000000000 +0000 
@@ -1,85 +0,0 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: FIXME -Upstream-Contact: FIXME -Source: FIXME -Disclaimer: Autogenerated by CDBS - -Files: ChangeLog - lib/GD/Group.pm - lib/GD/Polygon.pm - lib/GD/Polyline.pm - lib/GD/Simple.pm - MANIFEST - META.json - META.yml - Makefile.PL - README.QUICKDRAW - bdf_scripts/README - bdf_scripts/cvtbdf.pl - debian/README.source - debian/compat - debian/control - debian/control.in - debian/gbp.conf - debian/patches/README - debian/patches/series - debian/source/format - debian/source/include-binaries - debian/source/lintian-overrides - debian/watch - demos/brushes.pl - demos/copies.pl - demos/draw_colors.pl - demos/fills.pl - demos/fonttest - demos/gd_example.cgi - demos/polyline.pl - demos/polys.pl - demos/shapes.pl - demos/transform.pl - demos/truetype_test - demos/ttf.pl - t/GD.t - t/Polyline.t - t/frog.jpg - t/frog.xpm - typemap -Copyright: *No copyright* -License: UNKNOWN - FIXME - -Files: GD.xs - lib/GD/Image.pm - lib/GD/Image.pm.PLS -Copyright: 1995, - 1998, Lincoln D. Stein. See accompanying README file for - 1995, Lincoln D. Stein. See accompanying README file for -License: UNKNOWN - FIXME - -Files: bdf_scripts/bdf2gdfont.PLS - bdf_scripts/bdftogd -Copyright: = $value; } -License: UNKNOWN - FIXME - -Files: LICENSE - README -Copyright: 1995-2010, Lincoln D. Stein. This -License: UNKNOWN - FIXME - -Files: GD.pm -Copyright: 1995, Lincoln D. Stein. See accompanying README file for -License: GPL - FIXME - -Files: debian/license-miner -Copyright: => 0 Trademark => 7, License => 13, 'License URL' => 14, ); -License: GPL-3+ - FIXME - -Files: debian/rules -Copyright: 2002-2008, 2010-2011, 2013-2015, Jonas Smedegaard -License: GPL-3+ - FIXME - diff -Nru libgd-perl-2.71/debian/gbp.conf libgd-perl-2.72/debian/gbp.conf --- libgd-perl-2.71/debian/gbp.conf 2019-02-22 12:31:11.000000000 +0000 +++ libgd-perl-2.72/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 
@@ -1,5 +0,0 @@ -# Configuration file for git-buildpackage and friends - -[DEFAULT] -pristine-tar = True -sign-tags = True diff -Nru libgd-perl-2.71/debian/license-miner libgd-perl-2.72/debian/license-miner --- libgd-perl-2.71/debian/license-miner 2019-02-22 12:31:11.000000000 +0000 +++ libgd-perl-2.72/debian/license-miner 1970-01-01 00:00:00.000000000 +0000 
@@ -1,205 +0,0 @@ -#! /usr/bin/perl - -use autodie; -use strict; -use utf8; -use warnings qw(all); -use feature 'say'; - -use Getopt::Long; -use Pod::Usage; -use FileHandle; -use Regexp::Assemble; -use Image::ExifTool; -use Font::TTF::Font; - -=head1 NAME - -license-miner - extract copyright/licensing info from complex files - -=head1 SYNOPSIS - -license-miner [B] [F|inspector:F...] - -=head1 OPTIONS - -=over 12 - -=item B<--help> - -Print a brief help message and exits. - -=item B<--man> - -Prints the manual page and exits. - -=item B<--verbose> - -Prints names of paths and the inspector used. - -=item B<--debug> - -Prints extracted info. - -=back - -=head1 DESCRIPTION - -B will inspect files, -extract their copyright and licensing info, -and save the result next to the files -(adding suffix "F<.metadata_dump>"). - -File paths are provided either as arguments -or (if no arguments provided) from STDIN. - -Each path may optionally be prefixed with an inspector to use. -Default is to pick inspector based on file suffix. - -=head1 INSPECTORS - -Available inspectors are B and B. - -=over 12 - -=item B - -TrueType fonts (including Truetype-flavored OpenType and WOFF). - -Used by default for extensions F<.ttf>, F<.otf>, F. - -Beware that some OpenType fonts are not TrueType but Type1, -which may fail to parse correctly based on suffix detection. -If that happens, try force using the exif inspector -by prefixing the path with "exif:". - -=item B - -misc. images and fonts. - -Used by default for extensions F<.pdf>, F<.png>, F<.jpg>, F, F, F. - -Beware that some OpenType fonts are not TrueType but Type1, -which may fail to parse correctly based on suffix detection. -If that happens, try force using the exif inspector -by prefixing the path with "exif:". 
- -=back - -=cut - -# avoid custom configuration of ExifTool -BEGIN { $Image::ExifTool::configFile = '' } - -GetOptions( help => \my $help, - man => \my $man, - verbose => \my $verbose, - debug => \my $debug, -) or pod2usage(2); -pod2usage( -verbose => 1 ) if $help; -pod2usage( -verbose => 2, -exitstatus => 0 ) if $man; - -# Fail if no paths provided as arguments and STDIN is interactive -pod2usage("$0: No paths provided.") if ((@ARGV == 0) && (-t STDIN)); - -my $dispatch = { - # TrueType fonts (including Truetype-flavored OpenType and WOFF) - '((?<=\Attf:).*|\A.*\.(?:ttf|otf|woff))$' => sub { - my $file = check_infile(shift); - say "ttf: $file" if ($verbose); - my $handle = ($debug) - ? *STDOUT{IO} - : FileHandle->new( check_outfile($file), 'w' ); - # source: http://scripts.sil.org/IWS-Chapter08#3054f18b - my %table = ( - Copyright => 0, - Trademark => 7, - License => 13, - 'License URL' => 14, - ); - my $font = Font::TTF::Font->open($file) or do { - say STDERR "ERROR: Failed to parse file as TrueType: $_"; - exit 1; - }; - my $fn = $font->{'name'}->read; - foreach (sort keys %table) { - my $value = $fn->find_name($table{$_}); - print $handle $_ . ": " . $value . "\n" - if ($value); - } - }, - # exif: misc. images and fonts - '((?<=\Aexif:).*|\A.*\.(?:pdf|png|jpg|jpeg|gif|icc))$' => sub { - my $file = check_infile(shift); - say "exif: $file" if ($verbose); - my $exifTool = new Image::ExifTool; - my $handle = ($debug) - ? 
*STDOUT{IO} - : FileHandle->new( check_outfile($file), 'w' ); - my $info = $exifTool->ImageInfo($file, - # tags to lookup (like `exiftool $file` in shell) - '*Copyright*', '*Licens*', '*Trademark*'); - my $seen; - foreach (sort keys %$info) { - my $tagdesc = $exifTool->GetDescription($_); - print $handle "$tagdesc: $$info{$_}\n"; - } - } -}; - -my $re = Regexp::Assemble->new( track => 1 )->add( keys %$dispatch ); - -while( <> ) { - chomp; - if( $re->match($_) ) { - $dispatch->{ $re->matched }( $re->mvar(1) ); - } - else { - say STDERR "ERROR: Unsupported or unparseable string: $_"; - say STDERR " maybe you need a prefix (e.g. \"exif:fonts/SomeType1Font\""; - exit 1; - } -} - -sub check_infile { - my $infile = shift; - unless ( -e $infile ) { - say STDERR "ERROR: file does not exist: $infile"; - exit 1; - } - return $infile; -} - -sub check_outfile { - my $infile = shift; - my $outfile = $infile . ".metadata_dump"; - if ( -e $outfile ) { - say STDERR "ERROR: dumpfile exist: $outfile"; - say STDERR " remove or put aside and try again"; - exit 1; - } - return $outfile; -} - -=head1 AUTHOR - -Jonas Smedegaard, C<< >> - -=head1 LICENSE AND COPYRIGHT - -Copyright 2014 Jonas Smedegaard - -This program is free software; you can redistribute it and/or modify it -under the terms of the GNU General Public License as published by the -Free Software Foundation; either version 3, or (at your option) any -later version. - -This program is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General Public License for more details. - -You should have received a copy of the GNU General Public License along -with this program. If not, see . 
-
-=cut
diff -Nru libgd-perl-2.71/debian/source/include-binaries libgd-perl-2.72/debian/source/include-binaries
--- libgd-perl-2.71/debian/source/include-binaries 2019-02-22 12:31:11.000000000 +0000
+++ libgd-perl-2.72/debian/source/include-binaries 1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-t/test.out.2.png-2
-t/test.out.3.png-2
-t/test.out.4.png-3
-t/test.out.5.png-2
-t/test.out.6.png-2
-t/test.out.7.png-2
-t/test.out.9.png-3
diff -Nru libgd-perl-2.71/debian/upstream/metadata libgd-perl-2.72/debian/upstream/metadata
--- libgd-perl-2.71/debian/upstream/metadata 2019-02-22 12:31:11.000000000 +0000
+++ libgd-perl-2.72/debian/upstream/metadata 2020-07-29 14:33:47.000000000 +0000
@@ -1,6 +1,7 @@
 ---
 Archive: CPAN
 Contact: Lincoln Stein
-Name: GD
-Repository: https://github.com/lstein/Perl-GD
+Bug-Database: https://github.com/lstein/Perl-GD/issues
+Bug-Submit: https://github.com/lstein/Perl-GD/issues/new
+Repository: https://github.com/lstein/Perl-GD.git
 Repository-Browse: https://github.com/lstein/Perl-GD
diff -Nru libgd-perl-2.71/debian/watch libgd-perl-2.72/debian/watch
--- libgd-perl-2.71/debian/watch 2019-02-22 12:31:11.000000000 +0000
+++ libgd-perl-2.72/debian/watch 2020-07-29 14:33:47.000000000 +0000
@@ -1,2 +1,2 @@
-version=3
-https://metacpan.org/release/GD .*/GD-v?(\d[\d.-]*)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip)$
+version=4
+https://metacpan.org/release/GD .*/GD-v?@ANY_VERSION@@ARCHIVE_EXT@$
diff -Nru libgd-perl-2.71/GD.xs libgd-perl-2.72/GD.xs
--- libgd-perl-2.71/GD.xs 2019-02-12 11:23:37.000000000 +0000
+++ libgd-perl-2.72/GD.xs 2020-07-17 19:46:28.000000000 +0000
@@ -1022,12 +1022,19 @@ OUTPUT: RETVAL +# beware of CVE 2019-6977 https://bugs.php.net/bug.php?id=77270 +# refuse to match truecolor with palette int gdcolorMatch(image, im2) GD::Image image GD::Image im2 PROTOTYPE: $$ CODE: +#if GD_VERSION <= 20205 + if (gdImageTrueColor(image) ^ gdImageTrueColor(im2)) + XSRETURN_UNDEF; + else +#endif RETVAL = gdImageColorMatch(image,im2); OUTPUT: RETVAL diff -Nru libgd-perl-2.71/lib/GD/Image.pm libgd-perl-2.72/lib/GD/Image.pm --- libgd-perl-2.71/lib/GD/Image.pm 2019-02-12 11:51:05.000000000 +0000 +++ libgd-perl-2.72/lib/GD/Image.pm 2020-07-18 06:02:17.000000000 +0000 @@ -5,7 +5,7 @@ use GD; use Symbol 'gensym','qualify_to_ref'; use vars '$VERSION'; -$VERSION = '2.71'; +$VERSION = '2.72'; =head1 NAME diff -Nru libgd-perl-2.71/lib/GD/Image_pm.PL libgd-perl-2.72/lib/GD/Image_pm.PL --- libgd-perl-2.71/lib/GD/Image_pm.PL 2019-02-12 11:25:43.000000000 +0000 +++ libgd-perl-2.72/lib/GD/Image_pm.PL 2020-07-17 18:59:27.000000000 +0000 @@ -29,7 +29,7 @@ use GD; use Symbol 'gensym','qualify_to_ref'; use vars '$VERSION'; -$VERSION = '2.71'; +$VERSION = '2.72'; =head1 NAME diff -Nru libgd-perl-2.71/lib/GD.pm libgd-perl-2.72/lib/GD.pm --- libgd-perl-2.71/lib/GD.pm 2019-02-12 11:25:16.000000000 +0000 +++ libgd-perl-2.72/lib/GD.pm 2020-07-17 18:58:43.000000000 +0000 @@ -16,7 +16,7 @@ use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $AUTOLOAD); -$VERSION = '2.71'; +$VERSION = '2.72'; our $XS_VERSION = $VERSION; $VERSION = eval $VERSION; diff -Nru libgd-perl-2.71/Makefile.PL libgd-perl-2.72/Makefile.PL --- libgd-perl-2.71/Makefile.PL 2019-02-12 11:01:17.000000000 +0000 +++ libgd-perl-2.72/Makefile.PL 2020-07-18 05:59:42.000000000 +0000 
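Review bot: The guard added under `#if GD_VERSION <= 20205` refuses exactly the input combination gdImageColorMatch is defined for — a truecolor `image` and a palette `im2` — because `gdImageTrueColor(image) ^ gdImageTrueColor(im2)` is true only when the two differ, while libgd itself already rejects same-type pairs with a negative return before touching any buffer. On an unpatched libgd the method therefore never performs a match: callers get undef for the valid case and libgd's error code otherwise, which does close the overflow but by disabling colorMatch entirely, and neither the two new comment lines nor the ChangeLog entry say so. The overflow in gd_color_match.c comes from palette indices in im2 that are >= im2->colorsTotal being used to index a scratch buffer sized by colorsTotal (the new t/GD.t test builds precisely such an image), so a narrower guard that keeps the feature is to scan im2 for out-of-range indices and return undef only then, as sketched below; on Debian's patched 2.2.5 (still GD_VERSION 20205) the scan is redundant but harmless. Note also that if `GD_VERSION` happens not to be defined in some build, `#if` evaluates it as 0 and the guard is compiled in regardless, which is the safe direction. gdcolorMatch lies entirely within this hunk.
```c
  CODE:
#if GD_VERSION <= 20205
    /* CVE-2019-6977: an unpatched gdImageColorMatch sizes its scratch buffer
     * by im2->colorsTotal but indexes it by raw pixel value. Reject a palette
     * index that would land past that buffer instead of refusing the (only
     * valid) truecolor/palette combination outright; libgd rejects every other
     * combination itself before allocating. */
    if (gdImageTrueColor(image) && !gdImageTrueColor(im2)) {
        int x, y;
        for (y = 0; y < gdImageSY(im2); y++)
            for (x = 0; x < gdImageSX(im2); x++)
                if (gdImagePalettePixel(im2, x, y) >= gdImageColorsTotal(im2))
                    XSRETURN_UNDEF;
    }
#endif
	RETVAL = gdImageColorMatch(image,im2);
```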
@@ -39,7 +39,7 @@ **UNRECOVERABLE ERROR** Could not find gdlib-config nor pkgconfig/gdlib.pc. Please install libgd 2.0.28 or higher. In Debian and its derivatives (e.g. Ubuntu), it is provided by the libgd-dev or -libgd2-xpm-dev package. Their libgd3 is the latest 2.2.4 +libgd2-xpm-dev package. Their libgd3 is the latest 2.2.5 (which has a severe security bug). On Redhat and derivatives or OpenSUSE you need gd-devel. On FreeBSD it is installed by the graphics/gd port. Mandriva has libgd2-devel, libgd-devel or lib64gd-devel. @@ -193,6 +193,7 @@ my ($JPEG, $FT, $XPM, $GIF,$ANIMGIF,$UNCLOSEDPOLY,$FONTCONFIG,$PNG,$FTCIRCLE,$VERSION_33); if( defined($options) ) { + # WBMP is builtin since at least 1.8.0 $JPEG = $options =~ m/JPEG/i; $FT = $options =~ m/FT|FREETYPE/i; $XPM = $options =~ m/XPM/i; @@ -286,6 +287,7 @@ 'CCFLAGS' => $CCFLAGS, 'EXE_FILES' => ['bdf_scripts/bdf2gdfont.pl'], 'AUTHOR' => 'Lincoln Stein ', + # Maintained by Reini Urban now $CAPI ? ('CAPI' => 'TRUE') : (), 'DEFINE' => $DEFINES, 'clean' => { @@ -453,6 +455,7 @@ $cflags = $config{cflags}; $libs = $config{libs}; ($libdir, $libs) = $libs =~ m/-L(.*) (-lgd.*)/; + # Requires.private: zlib libpng freetype2 >= 9.8.3 fontconfig libjpeg xpm libtiff-4 # Libs.private: -L/opt/local/lib -lz -L/opt/local/lib -lpng16 -L/opt/local/lib -lfreetype -L/opt/local/lib -lfontconfig -lfreetype -ljpeg -L/opt/local/lib -lXpm -lX11 -L/opt/local/lib -ltiff -lwebp # not in the hash! $features = 'GD_GIF GD_OPENPOLYGON GD_ZLIB GD_PNG GD_FREETYPE GD_FONTCONFIG GD_JPEG GD_XPM GD_TIFF GD_WEBP'; diff -Nru libgd-perl-2.71/META.json libgd-perl-2.72/META.json --- libgd-perl-2.71/META.json 2019-02-12 11:52:45.000000000 +0000 +++ libgd-perl-2.72/META.json 2020-07-18 06:02:38.000000000 +0000 
@@ -4,7 +4,7 @@ "Lincoln Stein " ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 8.3506, CPAN::Meta::Converter version 2.150010", + "generated_by" : "ExtUtils::MakeMaker version 7.38, CPAN::Meta::Converter version 2.150010", "license" : [ "perl_5" ], @@ -62,6 +62,6 @@ "url" : "http://github.com/lstein/Perl-GD" } }, - "version" : "2.71", - "x_serialization_backend" : "JSON::PP version 2.97001_04" + "version" : "2.72", + "x_serialization_backend" : "JSON::PP version 2.97001" } diff -Nru libgd-perl-2.71/META.yml libgd-perl-2.72/META.yml --- libgd-perl-2.71/META.yml 2019-02-12 11:52:45.000000000 +0000 +++ libgd-perl-2.72/META.yml 2020-07-18 06:02:38.000000000 +0000 @@ -10,7 +10,7 @@ ExtUtils::Constant: '0.22' ExtUtils::PkgConfig: '0' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 8.3506, CPAN::Meta::Converter version 2.150010' +generated_by: 'ExtUtils::MakeMaker version 7.38, CPAN::Meta::Converter version 2.150010' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -34,5 +34,5 @@ resources: license: http://dev.perl.org/licenses/ repository: http://github.com/lstein/Perl-GD -version: '2.71' +version: '2.72' x_serialization_backend: 'CPAN::Meta::YAML version 0.018' diff -Nru libgd-perl-2.71/SIGNATURE libgd-perl-2.72/SIGNATURE --- libgd-perl-2.71/SIGNATURE 2019-02-12 11:52:45.000000000 +0000 +++ libgd-perl-2.72/SIGNATURE 2020-07-18 06:02:40.000000000 +0000 @@ -1,5 +1,5 @@ This file contains message digests of all files listed in MANIFEST, -signed via the Module::Signature module, version 0.83. +signed via the Module::Signature module, version 0.87. To verify the content in this distribution, first make sure you have Module::Signature installed, then type: 
@@ -12,16 +12,16 @@ not run its Makefile.PL or Build.PL. -----BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 +Hash: RIPEMD160 -SHA256 23ac024b86a74f7a78a4db2f2aae51d9bff88977e5e2dc8cfad59decd6bd5763 ChangeLog -SHA256 5c7dd48a4d99fc02593421a69b9d1c7ad6db6b049ce283df09aff869051a6e91 GD.xs +SHA256 8c8344690fc9184808664c8e06b604fb54e2b89e78a9d9e307756ba4592b0b9d ChangeLog +SHA256 dcc00a35967248d4f2451fc567e9f5cb176096e1b183c8a57bdb07946853f9e2 GD.xs SHA256 1e2250289d6df4ba1c24f7550982d7ffaff2c97cd02e847659406e1afd28e83f LICENSE SHA256 b564564a187f22812709963eee1c4fc5954aa7f34c5090e71e80b28adc7679b5 MANIFEST SHA256 14ea8c82767468801cb414198e04bfddddfa72a66c3e1c30994af9a02972a89a MANIFEST.SKIP -SHA256 702f214835ea642a237999b78b67ace4c7d8dab4562f2b3bde96a3e20823c5ac META.json -SHA256 15e18fa8bde2970e9fc3ed05f511f67015cbed5fed1d82d361414da52ce5843d META.yml -SHA256 5a00683575c7d03a6741c5d8da51cf5ff624e92f7ad6d26fe3a59ba1bd220ffe Makefile.PL +SHA256 ee2424f22eca4dba582be81dcdebf8493eb1488b8a0645a213e3cb373b42a11a META.json +SHA256 0cda605e160164354e76b6f6296b92fc7192022e66d2ceb6e112a22db261e553 META.yml +SHA256 028a01842f5d65b5139bb0a67d17365e69ae3eb62f8721e3cc092471ed4ad6cc Makefile.PL SHA256 817323f9893727cee009cf383426982e00bcb13e84f25dcab039a77c9077e025 README SHA256 fd15127ae2613fa8a6ea308371cf256a89654c64aa39d2cd4da6fa445b4bf094 README.QUICKDRAW SHA256 2be4d75aad4a18cfa9da42c3f2ac46c22f7c1798d9be5b09d591ea8dd3c6c94a bdf_scripts/README 
@@ -44,14 +44,14 @@ SHA256 f5a5d9b3499a6e7bb4802f892c34618359a7afc6a48a567d444ef92599f07af4 demos/transform.pl SHA256 855052638bff1622bad600fe5bdad5fd4c92321eceefd18b4cee1dcb336cab38 demos/truetype_test SHA256 278cf272eb8a93a1e850fa54e815e450c48a3e2c25c57ecc54034cb398dd5646 demos/ttf.pl -SHA256 3f564be99a891abcb22b94f4e1e13565d6b2c8f2bc99cb4d916d33e64a5d30b4 lib/GD.pm +SHA256 211931708deabb60ca61646fd462d39c7a630a4e1cb6669e1355fe5bc6167d60 lib/GD.pm SHA256 a5c8d2674d72cc5fccb54aedf6665b524a52ce86b3852e6767fbde74141274fc lib/GD/Group.pm -SHA256 16426070e91491da7e4e168327012f8d210639ef8141c95c9433354ebda624bc lib/GD/Image.pm -SHA256 eacebf3787fe4271d983f9a7a4585a1288d079e43b67fba46ed5f49787d23a6b lib/GD/Image_pm.PL +SHA256 fb1a2cf19b3579d1cb7a8704e55f2931f6c7b1a4b954418e6b7749cf8f579e75 lib/GD/Image.pm +SHA256 8e6edf96eb05548134ad8b4888d48c2336a7d8366bfd4f7dc7485420b7c42cd6 lib/GD/Image_pm.PL SHA256 20acec8291942516eca94fe39de6e1939599a6d57a94a0834bc9fda23075303d lib/GD/Polygon.pm SHA256 3de543fd2d0309c2afd6e5a4dd06dfd80697f858ab6f4e0a6fb3cd829f63e097 lib/GD/Polyline.pm SHA256 10c0e77b9e11caf2c073eff46c1c0706a933fdbef216e2a9e4878e325e8f5c49 lib/GD/Simple.pm -SHA256 d557dc74957d339b2cc8dc9e31d4026b1038ac3b8169ce73a76ebf4c7d3debc0 t/GD.t +SHA256 3dcdf2830ef1c6188aa3599eb604fc6bc630431948f982bfc13a48c4c8838aa8 t/GD.t SHA256 0444099f93e5564e7aed93a99037d5a2d8b0179107efe670c3c4ef59a58b5691 t/HSV.t SHA256 f2d7cc77efeaa1af76d10e5aee57447ada1d0ddcb3e037877e3dd4918d7b0290 t/Polyline.t SHA256 72230075340aaa8c56e0b4d9605a05b90d34a26923d149e9ec24342a38940aaa t/fork.t 
@@ -103,18 +103,18 @@ SHA256 d1d9bb1fbcf22a008f7daff62f0c02d9983ff3ace2d504363c7aa73db8da863e t/test_data/tile.png SHA256 2e3b8c76bfaaa3733534dcbd4542c1d0be124d588c3e927180a780aa2986dbcd t/transp.t SHA256 04df534e56f8031e065153e3c80f5c7ae93f83aba8d5df58e3449e2fbe324d98 t/z_kwalitee.t -SHA256 ea5b10f1e49f8c6b60d65fc53264023b40286074fe6b08ac6e8d3223908d3780 t/z_manifest.t +SHA256 6d990a1f9ecbfbc762d2f87771c49b883ce94f0d6d0bcf76645987a63f03e49b t/z_manifest.t SHA256 f60c3190f3d4a3f79cd000071ce34cc6de122abaac9649ccc6371385366fca52 t/z_pod-spell-mistakes.t SHA256 20745a3f76d051aed139c90e33416e116b7a6d76b840151545c23cbfe5581528 t/z_pod.t SHA256 15513754e6de8f9d0d297935e78568953431754ac3d735cf95092afb55955532 typemap -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEKJWogdNCcPq/6PdHtPYzOeZdZBQFAlxis40ACgkQtPYzOeZd -ZBSLJQgAtNfUceE3qm+S9kqMRAwXN9PpTEP/48LA1B/vtErLSArPnXCHZZ3HAJ8f -5xgZ1IsWFkwQArYbn0I/VUuYQIvFmIe6kZigM6r5fWQIbB35hs3lOBUhVa8mG/Yk -dNXAXQVYyUZdig9E2P8Swb8i52nxPABKVf9cbE47Fqn8Cg4jMJJvJ/7ollklmTl9 -RRTij2m8q7rxE5RUxBbwcUlLh/vrdXkVr4J5bWyPKmNbTfFXQT5clWupwszkLIIJ -UaYLNNC2uM2vmgwyYwA0ZbtTnk5Ofh5hlhRQVZVwkLnFG+W8bMCFqz04A37PjozJ -nvTSP7bgLASBBe6diXonaiudANOnJw== -=hf1+ +iQEzBAEBAwAdFiEEKJWogdNCcPq/6PdHtPYzOeZdZBQFAl8SkH8ACgkQtPYzOeZd +ZBRasQgAp12nYRBJkwSfo9Yty56UPTNBNe8pqyTH20ps4AQ26kUUdyzJCWd/QnxZ +CF6PE0WVPbtdJkNheM1iwLHTKwC5kYfIATk0h4zwW5kte2qoqIq19P83b85nnOxT +t2iBkV1DQ+AoCgrk+GGgVQNPiFI9WNlnu2MPHbagHqOkq/FlokKv5Q9TBAUhok25 +uMpO6DofHojQyuKindRXDk5HZQ7Gl9FwhaLjmLT7f/BA2cwPYwdGWVBd/DXZSbk2 +baA9k19/Hy0POi68nmum4NhpS4iKac6NmR4zMnvZo5WeMWN7o9sgl1yq2AtpnuMQ +NsLwqYWqWRk2GC1puOnIDVCuATyjmg== +=V0HZ -----END PGP SIGNATURE----- diff -Nru libgd-perl-2.71/t/GD.t libgd-perl-2.72/t/GD.t --- libgd-perl-2.71/t/GD.t 2019-01-10 13:53:38.000000000 +0000 +++ libgd-perl-2.72/t/GD.t 2020-07-17 18:56:53.000000000 +0000 
@@ -8,7 +8,7 @@ use lib "$Bin/../blib/lib","$Bin/../blib/arch","$Bin/../lib"; use constant FONT=>"$Bin/test_data/Generic.ttf"; use constant IMAGE_TESTS => 7; -use Test::More tests => 13; +use Test::More tests => 14; use IO::Dir; use_ok('GD',':DEFAULT',':cmp'); @@ -22,6 +22,7 @@ run_image_regression_tests(); run_round_trip_test(); catch_libgd_error(); +test_cve2019_6977(); exit 0; @@ -284,3 +285,14 @@ is($image, undef); ok($@, 'caught corrupt png'); } + +sub test_cve2019_6977 { + my $img1 = GD::Image->new(0xfff, 0xfff, 1); + my $img2 = GD::Image->new(0xfff, 0xfff, 0); + $img2->colorAllocate(0, 0, 0); + $img2->setPixel (0, 0, 255); + if (GD::LIBGD_VERSION() >= 2.10) { + $img1->colorMatch ($img2); + } + ok(1, 'survived CVE 2019-6977'); # fails only under valgrind or asan +} diff -Nru libgd-perl-2.71/t/z_manifest.t libgd-perl-2.72/t/z_manifest.t --- libgd-perl-2.71/t/z_manifest.t 2019-01-10 13:53:38.000000000 +0000 +++ libgd-perl-2.72/t/z_manifest.t 2020-07-17 17:42:12.000000000 +0000 @@ -6,7 +6,7 @@ plan tests => 1; system("git ls-tree -r --name-only HEAD |" - ." egrep -v '(.gitignore|.appveyor.yml|.travis.yml)' >MANIFEST.git"); + ." egrep -v '(.gitignore|.appveyor.yml|.whitesource|.travis.yml)' >MANIFEST.git"); if (-e "MANIFEST.git") { #diag "MANIFEST.git created with git ls-tree"; is(`diff -bu MANIFEST.git MANIFEST`, "", "MANIFEST.git compared to MANIFEST")
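Review bot: `ok(1, 'survived CVE 2019-6977')` in the new `test_cve2019_6977` passes unconditionally, so on a libgd below 2.10 the test reports success without ever calling colorMatch, and on a newer one it cannot tell a refused call from a successful match; capture the result and skip when the call is not exercised, e.g. `my $rc = $img1->colorMatch($img2);` followed by `ok(!defined $rc || $rc == 0, 'colorMatch refused or matched without corrupting the heap');` inside a `SKIP:` block guarded by `skip 'libgd < 2.10', 1 unless GD::LIBGD_VERSION() >= 2.10;` (the `tests => 14` plan still holds). As far as I can tell from gd_color_match.c, the overflow is keyed to a palette index (255 here) exceeding the number of allocated colours (one), not to image size, so the two 0xfff x 0xfff images — roughly 64 MiB for the truecolor one — are larger than the reproducer needs and a few pixels on a side should reach the same path under ASan or valgrind, unless the PoC dimensions were kept deliberately. The sub starts and ends within this hunk; the earlier hunks in this file are the plan count and the call site.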