diff mbox

libgd security update / i686 issues

Message ID 20160728072337.GA1011@jasmine
State New
Headers show

Commit Message

Leo Famulari July 28, 2016, 7:23 a.m. UTC
libgd 2.2.3 has been released [0], which includes fixes for
CVE-2016-6207.

I built it on x86_64, and also cross-built to i686-linux. The 32-bit rounding
issue that Mark fixed with commit 27326064 was reported upstream [1],
and the suggested workaround is to add "-msse -mfpmath=sse" to CFLAGS
[2].

Having removed Mark's patch, I can cross-build to i686-linux using those
flags. The patch has gone stale with the 2.2.3 release:

---
gdimagerotate/bug00067.c: In function ‘main’:
gdimagerotate/bug00067.c:11:14: error: unused variable ‘filename’ [-Werror=unused-variable]
  char *path, filename[2048];
              ^
gdimagerotate/bug00067.c:11:8: error: unused variable ‘path’ [-Werror=unused-variable]
  char *path, filename[2048];
        ^
cc1: all warnings being treated as errors
Makefile:3120: recipe for target 'gdimagerotate/bug00067.o' failed
---

Should these CFLAGS values be applied unconditionally, as in the
attached patch, or should they be applied only while building on or for
specific architectures? Or something else?

[0]
https://github.com/libgd/libgd/releases/tag/gd-2.2.3

[1]
https://github.com/libgd/libgd/issues/242

[2]
https://github.com/libgd/libgd/commit/62ecc651e7780add5e4035bfc0e6cd060e90f6a9

Comments

Andreas Enge July 28, 2016, 8:34 a.m. UTC | #1
On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> Should these CFLAGS values be applied unconditionally, as in the
> attached patch, or should they be applied only while building on or for
> specific architectures? Or something else?

They only work on x86 processors, almost by definition: SSE stands for
a certain instruction set. So one would need to check whether the problem
occurs for other architectures. I would assume that it happens on all 32
bit architectures, in particular armhf. Their code is too fragile: One
should not rely on fine details of the processor architecture or instruction
set to hope for an expected rounding behaviour.

Andreas
Andreas Enge July 28, 2016, 8:40 a.m. UTC | #2
On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> I built it on x86_64, and also cross-built to i686-linux. The 32-bit rounding
> issue that Mark fixed with commit 27326064 was reported upstream [1],
> and the suggested workaround is to add "-msse -mfpmath=sse" to CFLAGS
> [2].

Well, the bug report states that the result is correct on armv7. Apparently
i686 is not IEEE compliant by default, while armv7 is. So it should be okay
to apply the flags only on i686. We assume that SSE, but not SSE2 or later
are supported, see our Qt package.

Andreas
diff mbox

Patch

From d429ce44a39543b8f5e64f22bc722ee8bc22bd01 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 28 Jul 2016 02:46:23 -0400
Subject: [PATCH] gnu: gd: Update to 2.2.3.

Fixes CVE-2016-6207.

* gnu/packages/gd.scm (gd): Update to 2.2.3.
[arguments]: Add "-msse -mfpmath=sse" to CFLAGS.
* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch,
gnu/packages/patches/gd-fix-test-on-i686.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                   |   5 -
 gnu/packages/gd.scm                            |  11 +-
 gnu/packages/patches/gd-CVE-2016-5766.patch    |  81 --------
 gnu/packages/patches/gd-CVE-2016-6128.patch    | 253 -------------------------
 gnu/packages/patches/gd-CVE-2016-6132.patch    |  55 ------
 gnu/packages/patches/gd-CVE-2016-6214.patch    |  66 -------
 gnu/packages/patches/gd-fix-test-on-i686.patch |  34 ----
 7 files changed, 4 insertions(+), 501 deletions(-)
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch
 delete mode 100644 gnu/packages/patches/gd-fix-test-on-i686.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c143dd7..2f4dda1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -512,11 +512,6 @@  dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
-  %D%/packages/patches/gd-CVE-2016-5766.patch			\
-  %D%/packages/patches/gd-CVE-2016-6128.patch			\
-  %D%/packages/patches/gd-CVE-2016-6132.patch			\
-  %D%/packages/patches/gd-CVE-2016-6214.patch			\
-  %D%/packages/patches/gd-fix-test-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 3313ee6..46a2912 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -40,22 +40,19 @@ 
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.2.2")
+    (version "2.2.3")
 
     (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/libgd/libgd/releases/download/gd-"
                    version "/libgd-" version ".tar.xz"))
-             (patches (search-patches "gd-fix-test-on-i686.patch"
-                                      "gd-CVE-2016-5766.patch"
-                                      "gd-CVE-2016-6128.patch"
-                                      "gd-CVE-2016-6132.patch"
-                                      "gd-CVE-2016-6214.patch"))
              (sha256
               (base32
-               "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
+               "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags '("CFLAGS=-msse -mfpmath=sse")))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
deleted file mode 100644
index 400cb0a..0000000
--- a/gnu/packages/patches/gd-CVE-2016-5766.patch
+++ /dev/null
@@ -1,81 +0,0 @@ 
-Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
-overflow).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
-
-Adapted from upstream commits:
-https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
-https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/gd2/php_bug_72339.c' and its associated binary data.
-
-From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Tue, 28 Jun 2016 16:23:42 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow
-
----
- src/gd_gd2.c                    |   5 ++++-
- tests/gd2/CMakeLists.txt        |   1 +
- tests/gd2/Makemodule.am         |   6 ++++--
- tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
- tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
- 5 files changed, 30 insertions(+), 3 deletions(-)
- create mode 100644 tests/gd2/php_bug_72339.c
- create mode 100644 tests/gd2/php_bug_72339_exp.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index fd1e0c9..bdbbecf 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 		nc = (*ncx) * (*ncy);
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
- 		sidx = sizeof (t_chunk_info) * nc;
-+		if (overflow2(sidx, nc)) {
-+			goto fail1;
-+		}
- 		cidx = gdCalloc (sidx, 1);
--		if (!cidx) {
-+		if (cidx == NULL) {
- 			goto fail1;
- 		}
- 		for (i = 0; i < nc; i++) {
-From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Wed, 29 Jun 2016 09:36:26 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow. Sync with php's sync
-
----
- src/gd_gd2.c              | 7 ++++++-
- tests/gd2/php_bug_72339.c | 2 +-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index bdbbecf..2837456 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 
- 	if (gd2_compressed (*fmt)) {
- 		nc = (*ncx) * (*ncy);
-+
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-+		if (overflow2(sizeof(t_chunk_info), nc)) {
-+			goto fail1;
-+		}
- 		sidx = sizeof (t_chunk_info) * nc;
--		if (overflow2(sidx, nc)) {
-+		if (sidx <= 0) {
- 			goto fail1;
- 		}
-+
- 		cidx = gdCalloc (sidx, 1);
- 		if (cidx == NULL) {
- 			goto fail1;
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch
deleted file mode 100644
index 45ee6b0..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6128.patch
+++ /dev/null
@@ -1,253 +0,0 @@ 
-Fix CVE-2016-6128 (invalid color index is not properly handled leading
-to denial of service).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
-
-Copied from upstream commits:
-https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
-
-From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:17:39 +0700
-Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- src/gd_crop.c        | 4 ++++
- tests/CMakeLists.txt | 1 +
- tests/Makefile.am    | 1 +
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 0296633..532b49b 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
-+	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+		return NULL;
-+	}
-+
- 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
- 	 * for the true color and palette images
- 	 * new formats will simply work with ptr
-diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
-index 6f5c786..5093d52 100644
---- a/tests/CMakeLists.txt
-+++ b/tests/CMakeLists.txt
-@@ -31,6 +31,7 @@ if (BUILD_TEST)
- 		gdimagecolortransparent
- 		gdimagecopy
- 		gdimagecopyrotated
-+        gdimagecrop
- 		gdimagefile
- 		gdimagefill
- 		gdimagefilledellipse
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 4f6e756..5a0ebe8 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
- include gdimagecolortransparent/Makemodule.am
- include gdimagecopy/Makemodule.am
- include gdimagecopyrotated/Makemodule.am
-+include gdimagecrop/Makemodule.am
- include gdimagefile/Makemodule.am
- include gdimagefill/Makemodule.am
- include gdimagefilledellipse/Makemodule.am
--- 
-2.9.1
-
-From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:20:07 +0700
-Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/.gitignore | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 tests/gdimagecrop/.gitignore
-
-diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
-new file mode 100644
-index 0000000..8e8c9c3
---- /dev/null
-+++ b/tests/gdimagecrop/.gitignore
-@@ -0,0 +1 @@
-+/php_bug_72494
--- 
-2.9.1
-
-From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:24:50 +0700
-Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/CMakeLists.txt | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/CMakeLists.txt
-
-diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
-new file mode 100644
-index 0000000..f7e4c7e
---- /dev/null
-+++ b/tests/gdimagecrop/CMakeLists.txt
-@@ -0,0 +1,5 @@
-+SET(TESTS_FILES
-+	php_bug_72494
-+)
-+
-+ADD_GD_TESTS()
--- 
-2.9.1
-
-From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:12 +0700
-Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/Makemodule.am | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/Makemodule.am
-
-diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
-new file mode 100644
-index 0000000..210888b
---- /dev/null
-+++ b/tests/gdimagecrop/Makemodule.am
-@@ -0,0 +1,5 @@
-+libgd_test_programs += \
-+	gdimagecrop/php_bug_72494
-+
-+EXTRA_DIST += \
-+	gdimagecrop/CMakeLists.txt
--- 
-2.9.1
-
-From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:40 +0700
-Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
- create mode 100644 tests/gdimagecrop/php_bug_72494.c
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-new file mode 100644
-index 0000000..adaa379
---- /dev/null
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -0,0 +1,23 @@
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "gd.h"
-+
-+#include "gdtest.h"
-+
-+int main()
-+{
-+	gdImagePtr im, exp;
-+	int error = 0;
-+
-+	im = gdImageCreate(50, 50);
-+
-+	if (!im) {
-+		gdTestErrorMsg("gdImageCreate failed.\n");
-+		return 1;
-+	}
-+
-+	gdImageCropThreshold(im, 1337, 0);
-+	gdImageDestroy(im);
-+	/* this bug tests a crash, it never reaches this point if the bug exists*/
-+	return 0;
-+}
--- 
-2.9.1
-
-From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:38:07 +0700
-Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- src/gd_crop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 532b49b..d51ad67 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
--	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
- 		return NULL;
- 	}
- 
--- 
-2.9.1
-
-From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:51:40 +0700
-Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index adaa379..5cb589b 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -6,7 +6,7 @@
- 
- int main()
- {
--	gdImagePtr im, exp;
-+	gdImagePtr im;
- 	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
--- 
-2.9.1
-
-From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 12:04:25 +0700
-Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index 5cb589b..3bd19be 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -7,7 +7,6 @@
- int main()
- {
- 	gdImagePtr im;
--	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
deleted file mode 100644
index 4c475b7..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6132.patch
+++ /dev/null
@@ -1,55 +0,0 @@ 
-Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
-
-Copied from upstream commit:
-https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
-
-From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Tue, 12 Jul 2016 11:24:09 +0200
-Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
- files (CVE-2016-6132)
-
----
- src/gd_tga.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index ef20f86..20fe2d2 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 			return -1;
- 		}
- 
--		gdGetBuf(conversion_buffer, image_block_size, ctx);
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gd_error("gd-tga: premature end of image data\n");
-+			gdFree(conversion_buffer);
-+			return -1;
-+		}
- 
- 		while (buffer_caret < image_block_size) {
- 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
-@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 		}
- 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
- 		if (conversion_buffer == NULL) {
-+			gd_error("gd-tga: premature end of image data\n");
- 			gdFree( decompression_buffer );
- 			return -1;
- 		}
- 
--		gdGetBuf( conversion_buffer, image_block_size, ctx );
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gdFree(conversion_buffer);
-+			gdFree(decompression_buffer);
-+			return -1;
-+		}
- 
- 		buffer_caret = 0;
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
deleted file mode 100644
index 7894a32..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6214.patch
+++ /dev/null
@@ -1,66 +0,0 @@ 
-Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
-
-Adapted from upstream commit:
-https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/tga/bug00247a.c' and its associated binary data.
-
-From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Tue, 12 Jul 2016 19:23:13 +0200
-Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
- gracefully
-
-Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
-really supported. All other combinations will be rejected with a warning.
-
-(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
----
- src/gd_tga.c             |  16 ++++++----------
- tests/tga/.gitignore     |   1 +
- tests/tga/CMakeLists.txt |   1 +
- tests/tga/Makemodule.am  |   4 +++-
- tests/tga/bug00247a.c    |  19 +++++++++++++++++++
- tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
- 6 files changed, 30 insertions(+), 11 deletions(-)
- create mode 100644 tests/tga/bug00247a.c
- create mode 100644 tests/tga/bug00247a.tga
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index 20fe2d2..b4f8fa6 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
- 			if (tga->bits == TGA_BPP_24) {
- 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
- 				bitmap_caret += 3;
--			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
-+			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
- 				register int a = tga->bitmap[bitmap_caret + 3];
- 
- 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
-@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
- 	printf("wxh: %i %i\n", tga->width, tga->height);
- #endif
- 
--	switch(tga->bits) {
--	case 8:
--	case 16:
--	case 24:
--	case 32:
--		break;
--	default:
--		gd_error("bps %i not supported", tga->bits);
-+	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
-+		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
-+	{
-+		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
-+			tga->bits, tga->alphabits);
- 		return -1;
--		break;
- 	}
- 
- 	tga->ident = NULL;
diff --git a/gnu/packages/patches/gd-fix-test-on-i686.patch b/gnu/packages/patches/gd-fix-test-on-i686.patch
deleted file mode 100644
index 6dd2e0f..0000000
--- a/gnu/packages/patches/gd-fix-test-on-i686.patch
+++ /dev/null
@@ -1,34 +0,0 @@ 
-Disable part of the gdimagerotate test on architectures such as i686
-where intermediate floating-point operations are done with 80-bit long
-doubles, and typically later rounded to 64-bit doubles.  This double
-rounding causes small differences in the resulting pixel values
-compared with other architectures, causing the image comparison to
-fail.
-
-Patch by Mark H Weaver <mhw@netris.org>.
-
---- libgd-2.2.2/tests/gdimagerotate/bug00067.c	1969-12-31 19:00:00.000000000 -0500
-+++ libgd-2.2.2/tests/gdimagerotate/bug00067.c	2016-07-18 12:19:19.885423132 -0400
-@@ -1,5 +1,6 @@
- #include <stdio.h>
- #include <stdlib.h>
-+#include <float.h>
- #include "gd.h"
- 
- #include "gdtest.h"
-@@ -41,6 +42,7 @@
- 			return 1;
- 		}
- 
-+#if FLT_EVAL_METHOD != 2
- 		sprintf(filename, "bug00067_%03d_exp.png", angle);
- 		path = gdTestFilePath2("gdimagerotate", filename);
- 		if (!gdAssertImageEqualsToFile(path, exp)) {
-@@ -48,6 +50,7 @@
- 			error += 1;
- 		}
- 		free(path);
-+#endif
- 
- 		gdImageDestroy(exp);
- 	}
-- 
2.9.2