[PATCH] gnu: gd: Replace with 2.2.5.

  • Done
  • quality assurance status badge
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
M
M
Marius Bakke wrote on 30 Aug 2017 23:45
(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)
20170830214556.14345-1-mbakke@fastmail.com
Fixes CVE-2017-6362 and CVE-2017-7890.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd-2.2.5): New variable.
* gnu/packages/php.scm (gd-for-php): Remove variable
(php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
* gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/gd.scm | 20 +++++++++++++++++--
gnu/packages/patches/gd-CVE-2017-7890.patch | 30 -----------------------------
gnu/packages/php.scm | 13 +------------
4 files changed, 19 insertions(+), 45 deletions(-)
delete mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch

Toggle diff (130 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 920796685..708b50e8b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -631,7 +631,6 @@ dist_patch_DATA = \
%D%/packages/patches/gcr-disable-failing-tests.patch \
%D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \
%D%/packages/patches/gdk-pixbuf-list-dir.patch \
- %D%/packages/patches/gd-CVE-2017-7890.patch \
%D%/packages/patches/gd-fix-gd2-read-test.patch \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-freetype-test-failure.patch \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index b4e6ce435..169f040ee 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -37,12 +38,11 @@
(define-public gd
(package
(name "gd")
-
+ (replacement gd-2.2.5)
;; Note: With libgd.org now pointing to github.com, genuine old
;; tarballs are no longer available. Notably, versions 2.0.x are
;; missing.
(version "2.2.4")
-
(source (origin
(method url-fetch)
(uri (string-append
@@ -93,6 +93,22 @@ most common applications of GD involve website development.")
"See COPYING file in the distribution."))
(properties '((cpe-name . "libgd")))))
+;; For CVE-2017-6362 and CVE-2017-7890.
+(define-public gd-2.2.5
+ (package
+ (inherit gd)
+ (version "2.2.5")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://github.com/libgd/libgd/releases/download/gd-"
+ version "/libgd-" version ".tar.xz"))
+ (patches (search-patches "gd-fix-tests-on-i686.patch"
+ "gd-freetype-test-failure.patch"))
+ (sha256
+ (base32
+ "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))))))
+
(define-public perl-gd
(package
(name "perl-gd")
diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch
deleted file mode 100644
index 66034c570..000000000
--- a/gnu/packages/patches/gd-CVE-2017-7890.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
-From: LEPILLER Julien <julien@lepiller.eu>
-Date: Thu, 3 Aug 2017 17:04:17 +0200
-Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
-
-The stack allocated color map buffers were not zeroed before usage, and
-so undefined palette indexes could cause information leakage.
-
-This is CVE-2017-7890.
----
- src/gd_gif_in.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index 008d1ec..c195448 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
-
- gdImagePtr im = 0;
-
-+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+
- if(!ReadOK(fd, buf, 6)) {
- return 0;
- }
---
-2.13.3
-
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index d0afab093..44fa78d62 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -49,17 +49,6 @@
#:use-module (guix build-system gnu)
#:use-module ((guix licenses) #:prefix license:))
-(define gd-for-php
- (package
- (inherit gd)
- (source (origin
- (inherit (package-source gd))
- (patches
- (append
- (origin-patches (package-source gd))
- (search-patches "gd-CVE-2017-7890.patch")))))))
-
-
(define-public php
(package
(name "php")
@@ -293,7 +282,7 @@
("curl" ,curl)
("cyrus-sasl" ,cyrus-sasl)
("freetype" ,freetype)
- ("gd" ,gd-for-php)
+ ("gd" ,gd-2.2.5)
("gdbm" ,gdbm)
("glibc" ,glibc)
("gmp" ,gmp)
--
2.14.1
L
L
Leo Famulari wrote on 31 Aug 2017 02:59
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 28301@debbugs.gnu.org)
20170831005929.GA19327@jasmine.lan
On Wed, Aug 30, 2017 at 11:45:56PM +0200, Marius Bakke wrote:
Toggle quote (9 lines)
> Fixes CVE-2017-6362 and CVE-2017-7890.
>
> * gnu/packages/gd.scm (gd)[replacement]: New field.
> (gd-2.2.5): New variable.
> * gnu/packages/php.scm (gd-for-php): Remove variable
> (php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
> * gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

LGTM, thank you!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmnX24ACgkQJkb6MLrK
fwg8Jw//duW89c2uYljOusctQIIKfp1jiwL4KhsqAb4nUpWMGfGCleAA0dwdlV3d
ANVHQuopVUXuzfHyVyf/4O9q8cXSKQHO0nze4n3JV6NR5aSCmSzQgWa83ERFt4Ve
O+El/5RHQqDB1LSGj45xfHZwyH0pdWAMIWhtctsOMF0sCFhIuZj6Y2C2a7Xgff77
pHcsvQxQRmT280MQgpCV9KvP04tF1vD4uCVzg/CBREd6tS68p0kdovwI7ZRxKSfL
S70/UZq6/+45htKE1Dyc7XALEnPwx0MuUAyYAUUDLO3wHJQbrWJOLaVoEhF0Xaut
HhCh1/J8uQIAq/KaRdTOtV8cPbKUWr5yJ5zF00E4Vy3W+cCdSjjHHJUghsr9icr4
W8hu0invHE5an+78rHrBcQBV74dXEA+GWdcasL+2GXmakbEdFT/v3XCVbcxQu9Mg
/nd0vGtUhLh1v5/PGchSAks6QZDVc8nXmG+zS5UCbPrCvZI7/k8PFh0T3Vm6WXnc
I+vTWLXQTuNvtrkQ16u+wOZn085kfpSGUpjgnS/18vmpnNJgPtI0TFTjewbgH98C
3ob2JWq+rXqI5F7Mf3DkorXrrgmF84gtM5VqA18J9jXRSwXAa5/plHiTFXKrL3O5
nSPQyke/x7YwWj9ijGvCFmerGoGNyXxSFK8WxgqW7N5LKQm9whM=
=ox+a
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 4 Sep 2017 15:27
control message for bug #28301
(address . control@debbugs.gnu.org)
87ingy1tn3.fsf@gnu.org
tags 28301 fixed
close 28301
?
Your comment

This issue is archived.

To comment on this conversation send an email to 28301@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 28301
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch