[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#27937] Update php to 7.1.8
|
From: |
Leo Famulari |
|
Subject: |
[bug#27937] Update php to 7.1.8 |
|
Date: |
Thu, 3 Aug 2017 18:20:10 -0400 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote:
> Hi,
>
> a new version of php has been released. Here is a patch to update it.
> From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <address@hidden>
> Date: Thu, 3 Aug 2017 20:14:56 +0200
> Subject: [PATCH] gnu: php: Update to 7.1.8.
>
> * gnu/packages/patches/gd-CVE-2017-7890.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it
> * gnu/packages/php.scm (php): Update to 7.1.8.
Thanks! Overall LGTM.
Could this close <https://bugs.gnu.org/27808>?
> diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch
> b/gnu/packages/patches/gd-CVE-2017-7890.patch
> new file mode 100644
> index 000000000..743fc6d3d
> --- /dev/null
> +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch
> @@ -0,0 +1,30 @@
> +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
> +From: LEPILLER Julien <address@hidden>
> +Date: Thu, 3 Aug 2017 17:04:17 +0200
> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
> +
> +The stack allocated color map buffers were not zeroed before usage, and
> +so undefined palette indexes could cause information leakage.
> +
> +This is CVE-2017-7890.
Would this patch be valuable for the "regular" gd package as well, or is
it specific to gd-for-php?
> +(define gd-for-php
> + (package
> + (inherit gd)
> + (source (origin
> + (inherit (package-source gd))
> + (patches (search-patches "gd-fix-gd2-read-test.patch"
> + "gd-fix-tests-on-i686.patch"
> + "gd-freetype-test-failure.patch"
> +
> "gd-php-73968-Fix-109-XBM-reading.patch"
> + "gd-CVE-2017-7890.patch"))))))
^
This indentation is too far to the left.
signature.asc
Description: PGP signature