
01/01: gnu: gd: Update to 2.2.1 [fixes CVE-2015-{8874, 8877}].


From: Leo Famulari
Subject: 01/01: gnu: gd: Update to 2.2.1 [fixes CVE-2015-{8874, 8877}].
Date: Fri, 27 May 2016 16:33:57 +0000 (UTC)

lfam pushed a commit to branch master
in repository guix.

commit b5d08d7c2834610b5243db1795bd4b0724c8ff2a
Author: Leo Famulari <address@hidden>
Date:   Fri May 27 11:42:22 2016 -0400

    gnu: gd: Update to 2.2.1 [fixes CVE-2015-{8874, 8877}].
    
    * gnu/packages/patches/gd-CVE-2016-3074.patch: Delete file.
    * gnu/local.mk (dist_patch_DATA): Remove it.
    * gnu/packages/gd.scm (gd): Update to 2.2.1.
    [source]: Remove patch. Update source URL.
---
 gnu/local.mk                                |    1 -
 gnu/packages/gd.scm                         |   11 ++++----
 gnu/packages/patches/gd-CVE-2016-3074.patch |   36 ---------------------------
 3 files changed, 5 insertions(+), 43 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index f36389f..86b56d4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -498,7 +498,6 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/gcc-cross-environment-variables.patch   \
   %D%/packages/patches/gcc-libvtv-runpath.patch                        \
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch            \
-  %D%/packages/patches/gd-CVE-2016-3074.patch                  \
   %D%/packages/patches/geoclue-config.patch                    \
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch         \
   %D%/packages/patches/ghostscript-runpath.patch               \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index e52a030..4d6b1a3 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -37,20 +37,19 @@
   (package
     (name "gd")
 
-    ;; Note: With libgd.org now pointing to bitbucket.org, genuine old
+    ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.1.1")
+    (version "2.2.1")
 
     (source (origin
              (method url-fetch)
              (uri (string-append
-                   "https://bitbucket.org/libgd/gd-libgd/downloads/";
-                   "libgd-" version ".tar.xz"))
+                   "https://github.com/libgd/libgd/releases/download/gd-";
+                   version "/libgd-" version ".tar.xz"))
              (sha256
               (base32
-               "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"))
-             (patches (search-patches "gd-CVE-2016-3074.patch"))))
+               "0xmrqka1ggqgml84xbmkw1y0r0lg7qn657v5b1my8pry92p651vh"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
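Review bot: The hunk drops `(patches (search-patches "gd-CVE-2016-3074.patch"))` together with the version bump, but neither the hunk nor the commit message records that 2.2.1 already contains the fix that patch carried, so a later audit of the package sees a security patch disappear with no stated reason. The deleted patch describes itself as adapted from upstream libgd commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19; presumably that commit is part of the 2.2.x release, but that is inferred rather than shown here. A one-line comment next to the version, e.g. `;; 2.2.1 includes the upstream fix for CVE-2016-3074 (libgd commit 2bb97f4), so the local patch was dropped.`, would keep that history visible in the file. The package definition continues beyond the hunk on both sides.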
diff --git a/gnu/packages/patches/gd-CVE-2016-3074.patch 
b/gnu/packages/patches/gd-CVE-2016-3074.patch
deleted file mode 100644
index a90c51d..0000000
--- a/gnu/packages/patches/gd-CVE-2016-3074.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
-(gd2: handle corrupt images better (CVE-2016-3074)).
-
-This patch omits the upstream changes to '.gitignore', and the test
-added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
-'tests/gd2/invalid_neg_size.gd2'.
-
-We omit the test because its input data,
-'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
-which is not supported by `patch`.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
-https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
----
- .gitignore                     |   1 +
- src/gd_gd2.c                   |   2 ++
- tests/Makefile.am              |   3 ++-
- tests/gd2/gd2_read_corrupt.c   |  25 +++++++++++++++++++++++++
- tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
- 5 files changed, 30 insertions(+), 1 deletion(-)
- create mode 100644 tests/gd2/gd2_read_corrupt.c
- create mode 100644 tests/gd2/invalid_neg_size.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 6f28461..a50b33d 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
-                       if (gdGetInt (&cidx[i].size, in) != 1) {
-                               goto fail2;
-                       };
-+                      if (cidx[i].offset < 0 || cidx[i].size < 0)
-+                              goto fail2;
-               };
-               *chunkIdx = cidx;
-       };


