
01/01: gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126].


From: Ludovic Courtès
Subject: 01/01: gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126].
Date: Mon, 16 Nov 2015 08:51:55 +0000

civodul pushed a commit to branch master
in repository guix.

commit 1b076e630f4a7245d14634b047e1d1a91ee2659e
Author: Ludovic Courtès <address@hidden>
Date:   Mon Nov 16 09:50:33 2015 +0100

    gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126].
    
    Reported by Leo Famulari <address@hidden>.
    
    * gnu/packages/image.scm (libpng-urls): New procedure.
      (libpng)[source]: Use it.
      [replacement]: New field.
      (libpng-1.5.24): New variable.
---
 gnu/packages/image.scm |   29 ++++++++++++++++++++++-------
 1 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index bde327c..b7b8eac 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -46,23 +46,28 @@
   #:use-module (guix build-system cmake)
   #:use-module (srfi srfi-1))
 
+(define (libpng-urls version)
+  "Return a list of URLs for libpng VERSION."
+  ;; Note: upstream removes older tarballs.
+  (list (string-append "mirror://sourceforge/libpng/libpng15/"
+                       version "/libpng-" version ".tar.xz")
+        (string-append
+         "ftp://ftp.simplesystems.org/pub/libpng/png/src";
+         "/libpng15/libpng-" version ".tar.xz")))
+
 (define-public libpng
   (package
    (name "libpng")
    (version "1.5.21")
    (source (origin
             (method url-fetch)
-
-            ;; Note: upstream removes older tarballs.
-            (uri (list (string-append "mirror://sourceforge/libpng/libpng15/"
-                                      version "/libpng-" version ".tar.xz")
-                       (string-append
-                        "ftp://ftp.simplesystems.org/pub/libpng/png/src";
-                        "/libpng15/libpng-" version ".tar.xz")))
+            (uri (libpng-urls version))
             (sha256
              (base32 "19yvzw6sf9gf7v25ha9bla8bw1nijh82wj8ag6brjj3hpij1q5dm"))))
    (build-system gnu-build-system)
 
+   (replacement libpng-1.5.24)                    ;CVE-2015-8126
+
    ;; libpng.la says "-lz", so propagate it.
    (propagated-inputs `(("zlib" ,zlib)))
 
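Review bot: The docstring on `libpng-urls` promises URLs for any libpng VERSION, but both strings hard-code the `libpng15` directory, so a version outside the 1.5 series would produce URLs that point at the wrong directory. Either narrow the docstring to `"Return a list of URLs for libpng VERSION, which must be a 1.5.x release."` or derive the directory from the version. Both the old and the new `libpng` definitions continue outside this hunk.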
@@ -73,6 +78,16 @@ library.  It supports almost all PNG features and is 
extensible.")
    (license license:zlib)
    (home-page "http://www.libpng.org/pub/png/libpng.html";)))
 
+(define libpng-1.5.24
+  (package
+    (inherit libpng)
+    (source (origin
+              (method url-fetch)
+              (uri (libpng-urls "1.5.24"))
+              (sha256
+               (base32
+                "1qhvfk1ypsaf6q6xkspyqqzmghpbahhq54ms8fa5ssqkyds38bmr"))))))
+
 (define-public libjpeg
   (package
    (name "libjpeg")
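Review bot: `libpng-1.5.24` overrides only `source`, so it inherits `(version "1.5.21")` from `libpng` and the fixed package still reports 1.5.21. That makes it hard to tell from the package metadata or the store name whether a system carries the CVE-2015-8126 fix. Adding `(version "1.5.24")` would resolve this; if the version is kept on purpose for grafting, a comment should say so. The new package also inherits the `replacement` field, which as far as these lines show then refers to `libpng-1.5.24` itself, so an explicit `(replacement #f)` would make clear that the fixed package has no further replacement.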


