guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/02: gnu: gd: Replace with 2.2.5.


From: Marius Bakke
Subject: 01/02: gnu: gd: Replace with 2.2.5.
Date: Wed, 30 Aug 2017 21:10:01 -0400 (EDT)

mbakke pushed a commit to branch master
in repository guix.

commit 4f6815614097630dfe507df7bae768d37f3f0627
Author: Marius Bakke <address@hidden>
Date:   Wed Aug 30 23:41:08 2017 +0200

    gnu: gd: Replace with 2.2.5.
    
    Fixes CVE-2017-6362 and CVE-2017-7890.
    
    * gnu/packages/gd.scm (gd)[replacement]: New field.
    (gd-2.2.5): New variable.
    * gnu/packages/php.scm (gd-for-php): Remove variable
    (php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
    * gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
    * gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                |  1 -
 gnu/packages/gd.scm                         | 20 +++++++++++++++++--
 gnu/packages/patches/gd-CVE-2017-7890.patch | 30 -----------------------------
 gnu/packages/php.scm                        | 13 +------------
 4 files changed, 19 insertions(+), 45 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 9207966..708b50e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -631,7 +631,6 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/gcr-disable-failing-tests.patch         \
   %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch      
\
   %D%/packages/patches/gdk-pixbuf-list-dir.patch               \
-  %D%/packages/patches/gd-CVE-2017-7890.patch          \
   %D%/packages/patches/gd-fix-gd2-read-test.patch              \
   %D%/packages/patches/gd-fix-tests-on-i686.patch              \
   %D%/packages/patches/gd-freetype-test-failure.patch          \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index b4e6ce4..169f040 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2015 Eric Bavier <address@hidden>
 ;;; Copyright © 2016, 2017 Leo Famulari <address@hidden>
 ;;; Copyright © 2017 Efraim Flashner <address@hidden>
+;;; Copyright © 2017 Marius Bakke <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -37,12 +38,11 @@
 (define-public gd
   (package
     (name "gd")
-
+    (replacement gd-2.2.5)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
     (version "2.2.4")
-
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -93,6 +93,22 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+;; For CVE-2017-6362 and CVE-2017-7890.
+(define-public gd-2.2.5
+  (package
+    (inherit gd)
+    (version "2.2.5")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/libgd/libgd/releases/download/gd-";
+                    version "/libgd-" version ".tar.xz"))
+              (patches (search-patches "gd-fix-tests-on-i686.patch"
+                                       "gd-freetype-test-failure.patch"))
+              (sha256
+               (base32
+                "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch 
b/gnu/packages/patches/gd-CVE-2017-7890.patch
deleted file mode 100644
index 66034c5..0000000
--- a/gnu/packages/patches/gd-CVE-2017-7890.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
-From: LEPILLER Julien <address@hidden>
-Date: Thu, 3 Aug 2017 17:04:17 +0200
-Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
-
-The stack allocated color map buffers were not zeroed before usage, and
-so undefined palette indexes could cause information leakage.
-
-This is CVE-2017-7890.
----
- src/gd_gif_in.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index 008d1ec..c195448 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr 
fd)
- 
-       gdImagePtr im = 0;
- 
-+      memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+      memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+
-       if(!ReadOK(fd, buf, 6)) {
-               return 0;
-       }
--- 
-2.13.3
-
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index d0afab0..44fa78d 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -49,17 +49,6 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
-(define gd-for-php
-  (package
-    (inherit gd)
-    (source (origin
-             (inherit (package-source gd))
-             (patches 
-               (append
-                 (origin-patches (package-source gd))
-                 (search-patches "gd-CVE-2017-7890.patch")))))))
-
-
 (define-public php
   (package
     (name "php")
@@ -293,7 +282,7 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd-for-php)
+       ("gd" ,gd-2.2.5)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)



reply via email to

[Prev in Thread] Current Thread [Next in Thread]