Re: [PATCH 1/1] gnu: gd: Replace with gd-2.2.4 [fixes CVE-2016-{6912, 9317} and others].

[Ludovic Courtès]

Leo Famulari <address@hidden> skribis:

> 'CHANGELOG.md' in the development repository lists several fixed bugs with
> potential security implications:
>
> https://github.com/libgd/libgd/blob/gd-2.2.4/CHANGELOG.md
>
> * gnu/packages/gd.scm (gd)[replacement]: New field.
> (gd-2.2.4): New variable.
> * gnu/packages/php.scm (gd-for-php): Remove variable.
> (php)[inputs]: Replace gd-for-php with gd.
> * gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch,
> gnu/packages/patches/gd-fix-truecolor-format-correction.patch: Delete files.
> * gnu/local.mk (dist_patch_DATA): Remove them.

[...]

> --- a/gnu/packages/php.scm
> +++ b/gnu/packages/php.scm
> @@ -50,17 +50,6 @@
>    #:use-module (guix build-system gnu)
>    #:use-module ((guix licenses) #:prefix license:))
>  
> -;; This fixes PHP bugs 73155 and 73159. Remove when gd
> -;; is updated to > 2.2.3.
> -(define gd-for-php
> -  (package (inherit gd)
> -           (source
> -            (origin
> -              (inherit (package-source gd))
> -              (patches (search-patches
> -                        "gd-fix-truecolor-format-correction.patch"
> -                        "gd-fix-chunk-size-on-boundaries.patch"))))))
> -
>  (define-public php
>    (package
>      (name "php")
> @@ -291,7 +280,7 @@
>         ("curl" ,curl)
>         ("cyrus-sasl" ,cyrus-sasl)
>         ("freetype" ,freetype)
> -       ("gd" ,gd-for-php)
> +       ("gd" ,gd)

I don’t think we can do this since gd (not its replacement) is still
2.2.3.

WDYT?

Otherwise LGTM.

Thank you!

Ludo’.