diff mbox

libgd security update

Message ID 20160715203212.GA10916@jasmine
State New
Headers show

Commit Message

Leo Famulari July 15, 2016, 8:32 p.m. UTC
Several security vulnerabilities in libgd have been discovered recently,
and today Debian issued a security update:
https://lists.debian.org/debian-security-announce/2016/msg00197.html

The first patch updates libgd to the latest release, 2.2.2, fixing some
of the bugs.

For the remaining bugs, I've taken patches from the master branch of the
libgd Git repo.

Two of the patches included binary files to be used in tests, which
`patch` cannot handle, so I've removed those parts of the patches.

This patch series was not trivial to create; removing the binary diffs
required some care, some of the patches depended on changes associated
with the removed binary diffs, and some upstream fixes were reverted and
re-committed with changes. Will someone double-check this patch series
for mistakes?

Comments

Ludovic Courtès July 16, 2016, 12:36 p.m. UTC | #1
Leo Famulari <leo@famulari.name> skribis:

> Several security vulnerabilities in libgd have been discovered recently,
> and today Debian issued a security update:
> https://lists.debian.org/debian-security-announce/2016/msg00197.html
>
> The first patch updates libgd to the latest release, 2.2.2, fixing some
> of the bugs.
>
> For the remaining bugs, I've taken patches from the master branch of the
> libgd Git repo.
>
> Two of the patches included binary files to be used in tests, which
> `patch` cannot handle, so I've removed those parts of the patches.
>
> This patch series was not trivial to create; removing the binary diffs
> required some care, some of the patches depended on changes associated
> with the removed binary diffs, and some upstream fixes were reverted and
> re-committed with changes. Will someone double-check this patch series
> for mistakes?

I am not familiar with neither gd nor this CVE, but at first sight the
changes make sense to me.  AIUI they are mostly those in upstream’s
repo, minus the binary test data, so that should be fine.

> From a27a22635f0615495d18b2d78eb90745d5989a0e Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 15 Jul 2016 14:47:47 -0400
> Subject: [PATCH 1/2] gnu: gd: Update to 2.2.2 [fixes CVE-2016-{5767,6161}].
>
> * gnu/packages/gd.scm (gd): Update to 2.2.2.

[...]

> From 2840ecffd86395bd63734406f924905bac727104 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 15 Jul 2016 14:48:09 -0400
> Subject: [PATCH 2/2] gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
>
> * gnu/packages/patches/gd-CVE-2016-5766.patch,
> gnu/packages/patches/gd-CVE-2016-6128.patch,
> gnu/packages/patches/gd-CVE-2016-6132.patch,
> gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/gd.scm (gd): Use patches.

I’d say OK for both.

Thanks!

Ludo’.
Leo Famulari July 16, 2016, 4:51 p.m. UTC | #2
On Sat, Jul 16, 2016 at 02:36:27PM +0200, Ludovic Courtès wrote:
> > This patch series was not trivial to create; removing the binary diffs
> > required some care, some of the patches depended on changes associated
> > with the removed binary diffs, and some upstream fixes were reverted and
> > re-committed with changes. Will someone double-check this patch series
> > for mistakes?
> 
> I am not familiar with neither gd nor this CVE, but at first sight the
> changes make sense to me.  AIUI they are mostly those in upstream’s
> repo, minus the binary test data, so that should be fine.

Right!

> I’d say OK for both.

Thanks for the review. Pushed!
diff mbox

Patch

From 2840ecffd86395bd63734406f924905bac727104 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 15 Jul 2016 14:48:09 -0400
Subject: [PATCH 2/2] gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.

* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gd.scm (gd): Use patches.
---
 gnu/local.mk                                |   4 +
 gnu/packages/gd.scm                         |   4 +
 gnu/packages/patches/gd-CVE-2016-5766.patch |  81 +++++++++
 gnu/packages/patches/gd-CVE-2016-6128.patch | 253 ++++++++++++++++++++++++++++
 gnu/packages/patches/gd-CVE-2016-6132.patch |  55 ++++++
 gnu/packages/patches/gd-CVE-2016-6214.patch |  66 ++++++++
 6 files changed, 463 insertions(+)
 create mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
 create mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch
 create mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch
 create mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 71409b9..536ecef 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -510,6 +510,10 @@  dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
+  %D%/packages/patches/gd-CVE-2016-5766.patch			\
+  %D%/packages/patches/gd-CVE-2016-6128.patch			\
+  %D%/packages/patches/gd-CVE-2016-6132.patch			\
+  %D%/packages/patches/gd-CVE-2016-6214.patch			\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index b4e6349..700de33 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -47,6 +47,10 @@ 
              (uri (string-append
                    "https://github.com/libgd/libgd/releases/download/gd-"
                    version "/libgd-" version ".tar.xz"))
+             (patches (search-patches "gd-CVE-2016-5766.patch"
+                                      "gd-CVE-2016-6128.patch"
+                                      "gd-CVE-2016-6132.patch"
+                                      "gd-CVE-2016-6214.patch"))
              (sha256
               (base32
                "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
new file mode 100644
index 0000000..400cb0a
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-5766.patch
@@ -0,0 +1,81 @@ 
+Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
+overflow).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
+
+Adapted from upstream commits:
+https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
+https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
+
+Since `patch` cannot apply Git binary diffs, we omit the addition of
+'tests/gd2/php_bug_72339.c' and its associated binary data.
+
+From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+---
+ src/gd_gd2.c                    |   5 ++++-
+ tests/gd2/CMakeLists.txt        |   1 +
+ tests/gd2/Makemodule.am         |   6 ++++--
+ tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
+ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gd2/php_bug_72339.c
+ create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ 		sidx = sizeof (t_chunk_info) * nc;
++		if (overflow2(sidx, nc)) {
++			goto fail1;
++		}
+ 		cidx = gdCalloc (sidx, 1);
+-		if (!cidx) {
++		if (cidx == NULL) {
+ 			goto fail1;
+ 		}
+ 		for (i = 0; i < nc; i++) {
+From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Wed, 29 Jun 2016 09:36:26 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow. Sync with php's sync
+
+---
+ src/gd_gd2.c              | 7 ++++++-
+ tests/gd2/php_bug_72339.c | 2 +-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index bdbbecf..2837456 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 
+ 	if (gd2_compressed (*fmt)) {
+ 		nc = (*ncx) * (*ncy);
++
+ 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
++		if (overflow2(sizeof(t_chunk_info), nc)) {
++			goto fail1;
++		}
+ 		sidx = sizeof (t_chunk_info) * nc;
+-		if (overflow2(sidx, nc)) {
++		if (sidx <= 0) {
+ 			goto fail1;
+ 		}
++
+ 		cidx = gdCalloc (sidx, 1);
+ 		if (cidx == NULL) {
+ 			goto fail1;
+-- 
+2.9.1
+
diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch
new file mode 100644
index 0000000..45ee6b0
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6128.patch
@@ -0,0 +1,253 @@ 
+Fix CVE-2016-6128 (invalid color index is not properly handled leading
+to denial of service).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
+
+Copied from upstream commits:
+https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
+
+From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:17:39 +0700
+Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ src/gd_crop.c        | 4 ++++
+ tests/CMakeLists.txt | 1 +
+ tests/Makefile.am    | 1 +
+ 3 files changed, 6 insertions(+)
+
+diff --git a/src/gd_crop.c b/src/gd_crop.c
+index 0296633..532b49b 100644
+--- a/src/gd_crop.c
++++ b/src/gd_crop.c
+@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
+ 		return NULL;
+ 	}
+ 
++	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
++		return NULL;
++	}
++
+ 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
+ 	 * for the true color and palette images
+ 	 * new formats will simply work with ptr
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index 6f5c786..5093d52 100644
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -31,6 +31,7 @@ if (BUILD_TEST)
+ 		gdimagecolortransparent
+ 		gdimagecopy
+ 		gdimagecopyrotated
++        gdimagecrop
+ 		gdimagefile
+ 		gdimagefill
+ 		gdimagefilledellipse
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 4f6e756..5a0ebe8 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
+ include gdimagecolortransparent/Makemodule.am
+ include gdimagecopy/Makemodule.am
+ include gdimagecopyrotated/Makemodule.am
++include gdimagecrop/Makemodule.am
+ include gdimagefile/Makemodule.am
+ include gdimagefill/Makemodule.am
+ include gdimagefilledellipse/Makemodule.am
+-- 
+2.9.1
+
+From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:20:07 +0700
+Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/.gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tests/gdimagecrop/.gitignore
+
+diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
+new file mode 100644
+index 0000000..8e8c9c3
+--- /dev/null
++++ b/tests/gdimagecrop/.gitignore
+@@ -0,0 +1 @@
++/php_bug_72494
+-- 
+2.9.1
+
+From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:24:50 +0700
+Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/CMakeLists.txt | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 tests/gdimagecrop/CMakeLists.txt
+
+diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
+new file mode 100644
+index 0000000..f7e4c7e
+--- /dev/null
++++ b/tests/gdimagecrop/CMakeLists.txt
+@@ -0,0 +1,5 @@
++SET(TESTS_FILES
++	php_bug_72494
++)
++
++ADD_GD_TESTS()
+-- 
+2.9.1
+
+From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:25:12 +0700
+Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/Makemodule.am | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 tests/gdimagecrop/Makemodule.am
+
+diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
+new file mode 100644
+index 0000000..210888b
+--- /dev/null
++++ b/tests/gdimagecrop/Makemodule.am
+@@ -0,0 +1,5 @@
++libgd_test_programs += \
++	gdimagecrop/php_bug_72494
++
++EXTRA_DIST += \
++	gdimagecrop/CMakeLists.txt
+-- 
+2.9.1
+
+From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:25:40 +0700
+Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+ create mode 100644 tests/gdimagecrop/php_bug_72494.c
+
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
+new file mode 100644
+index 0000000..adaa379
+--- /dev/null
++++ b/tests/gdimagecrop/php_bug_72494.c
+@@ -0,0 +1,23 @@
++#include <stdio.h>
++#include <stdlib.h>
++#include "gd.h"
++
++#include "gdtest.h"
++
++int main()
++{
++	gdImagePtr im, exp;
++	int error = 0;
++
++	im = gdImageCreate(50, 50);
++
++	if (!im) {
++		gdTestErrorMsg("gdImageCreate failed.\n");
++		return 1;
++	}
++
++	gdImageCropThreshold(im, 1337, 0);
++	gdImageDestroy(im);
++	/* this bug tests a crash, it never reaches this point if the bug exists*/
++	return 0;
++}
+-- 
+2.9.1
+
+From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:38:07 +0700
+Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
+ useless <0 comparison
+
+---
+ src/gd_crop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_crop.c b/src/gd_crop.c
+index 532b49b..d51ad67 100644
+--- a/src/gd_crop.c
++++ b/src/gd_crop.c
+@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
+ 		return NULL;
+ 	}
+ 
+-	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
++	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
+ 		return NULL;
+ 	}
+ 
+-- 
+2.9.1
+
+From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:51:40 +0700
+Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
+ useless <0 comparison
+
+---
+ tests/gdimagecrop/php_bug_72494.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
+index adaa379..5cb589b 100644
+--- a/tests/gdimagecrop/php_bug_72494.c
++++ b/tests/gdimagecrop/php_bug_72494.c
+@@ -6,7 +6,7 @@
+ 
+ int main()
+ {
+-	gdImagePtr im, exp;
++	gdImagePtr im;
+ 	int error = 0;
+ 
+ 	im = gdImageCreate(50, 50);
+-- 
+2.9.1
+
+From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 12:04:25 +0700
+Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
+ useless <0 comparison
+
+---
+ tests/gdimagecrop/php_bug_72494.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
+index 5cb589b..3bd19be 100644
+--- a/tests/gdimagecrop/php_bug_72494.c
++++ b/tests/gdimagecrop/php_bug_72494.c
+@@ -7,7 +7,6 @@
+ int main()
+ {
+ 	gdImagePtr im;
+-	int error = 0;
+ 
+ 	im = gdImageCreate(50, 50);
+ 
+-- 
+2.9.1
+
diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
new file mode 100644
index 0000000..4c475b7
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6132.patch
@@ -0,0 +1,55 @@ 
+Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
+
+Copied from upstream commit:
+https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
+
+From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 11:24:09 +0200
+Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
+ files (CVE-2016-6132)
+
+---
+ src/gd_tga.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index ef20f86..20fe2d2 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf(conversion_buffer, image_block_size, ctx);
++		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++			gd_error("gd-tga: premature end of image data\n");
++			gdFree(conversion_buffer);
++			return -1;
++		}
+ 
+ 		while (buffer_caret < image_block_size) {
+ 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
+@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 		}
+ 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
+ 		if (conversion_buffer == NULL) {
++			gd_error("gd-tga: premature end of image data\n");
+ 			gdFree( decompression_buffer );
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf( conversion_buffer, image_block_size, ctx );
++		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++			gdFree(conversion_buffer);
++			gdFree(decompression_buffer);
++			return -1;
++		}
+ 
+ 		buffer_caret = 0;
+ 
+-- 
+2.9.1
+
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
new file mode 100644
index 0000000..7894a32
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6214.patch
@@ -0,0 +1,66 @@ 
+Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
+
+Adapted from upstream commit:
+https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
+
+Since `patch` cannot apply Git binary diffs, we omit the addition of
+'tests/tga/bug00247a.c' and its associated binary data.
+
+From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 12 Jul 2016 19:23:13 +0200
+Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
+ gracefully
+
+Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
+really supported. All other combinations will be rejected with a warning.
+
+(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
+---
+ src/gd_tga.c             |  16 ++++++----------
+ tests/tga/.gitignore     |   1 +
+ tests/tga/CMakeLists.txt |   1 +
+ tests/tga/Makemodule.am  |   4 +++-
+ tests/tga/bug00247a.c    |  19 +++++++++++++++++++
+ tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
+ 6 files changed, 30 insertions(+), 11 deletions(-)
+ create mode 100644 tests/tga/bug00247a.c
+ create mode 100644 tests/tga/bug00247a.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index 20fe2d2..b4f8fa6 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
+ 			if (tga->bits == TGA_BPP_24) {
+ 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
+ 				bitmap_caret += 3;
+-			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
++			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
+ 				register int a = tga->bitmap[bitmap_caret + 3];
+ 
+ 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
+@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ 	printf("wxh: %i %i\n", tga->width, tga->height);
+ #endif
+ 
+-	switch(tga->bits) {
+-	case 8:
+-	case 16:
+-	case 24:
+-	case 32:
+-		break;
+-	default:
+-		gd_error("bps %i not supported", tga->bits);
++	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
++		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
++	{
++		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
++			tga->bits, tga->alphabits);
+ 		return -1;
+-		break;
+ 	}
+ 
+ 	tga->ident = NULL;
-- 
2.9.1