[PATCH] gnu: gd: Replace with 2.2.5.

DoneSubmitted by Marius Bakke.
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Severity
normal
M
M
Marius Bakke wrote on 30 Aug 2017 23:45
(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)
20170830214556.14345-1-mbakke@fastmail.com
Fixes CVE-2017-6362 and CVE-2017-7890.
* gnu/packages/gd.scm (gd)[replacement]: New field.(gd-2.2.5): New variable.* gnu/packages/php.scm (gd-for-php): Remove variable(php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.* gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.* gnu/local.mk (dist_patch_DATA): Remove it.--- gnu/local.mk | 1 - gnu/packages/gd.scm | 20 +++++++++++++++++-- gnu/packages/patches/gd-CVE-2017-7890.patch | 30 ----------------------------- gnu/packages/php.scm | 13 +------------ 4 files changed, 19 insertions(+), 45 deletions(-) delete mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch
Toggle diff (130 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 920796685..708b50e8b 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -631,7 +631,6 @@ dist_patch_DATA = \ %D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gdk-pixbuf-list-dir.patch \- %D%/packages/patches/gd-CVE-2017-7890.patch \ %D%/packages/patches/gd-fix-gd2-read-test.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scmindex b4e6ce435..169f040ee 100644--- a/gnu/packages/gd.scm+++ b/gnu/packages/gd.scm@@ -4,6 +4,7 @@ ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -37,12 +38,11 @@ (define-public gd (package (name "gd")-+ (replacement gd-2.2.5) ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. (version "2.2.4")- (source (origin (method url-fetch) (uri (string-append@@ -93,6 +93,22 @@ most common applications of GD involve website development.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) +;; For CVE-2017-6362 and CVE-2017-7890.+(define-public gd-2.2.5+ (package+ (inherit gd)+ (version "2.2.5")+ (source (origin+ (method url-fetch)+ (uri (string-append+ "https://github.com/libgd/libgd/releases/download/gd-"+ version "/libgd-" version ".tar.xz"))+ (patches (search-patches "gd-fix-tests-on-i686.patch"+ "gd-freetype-test-failure.patch"))+ (sha256+ (base32+ "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))))))+ (define-public perl-gd (package (name "perl-gd")diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patchdeleted file mode 100644index 66034c570..000000000--- a/gnu/packages/patches/gd-CVE-2017-7890.patch+++ /dev/null@@ -1,30 +0,0 @@-From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001-From: LEPILLER Julien <julien@lepiller.eu>-Date: Thu, 3 Aug 2017 17:04:17 +0200-Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.--The stack allocated color map buffers were not zeroed before usage, and-so undefined palette indexes could cause information leakage.--This is CVE-2017-7890.----- src/gd_gif_in.c | 3 +++- 1 file changed, 3 insertions(+)--diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c-index 008d1ec..c195448 100644---- a/src/gd_gif_in.c-+++ b/src/gd_gif_in.c-@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)- - gdImagePtr im = 0;- -+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);-+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);-+- if(!ReadOK(fd, buf, 6)) {- return 0;- }--- -2.13.3-diff --git a/gnu/packages/php.scm b/gnu/packages/php.scmindex d0afab093..44fa78d62 100644--- a/gnu/packages/php.scm+++ b/gnu/packages/php.scm@@ -49,17 +49,6 @@ #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:)) -(define gd-for-php- (package- (inherit gd)- (source (origin- (inherit (package-source gd))- (patches - (append- (origin-patches (package-source gd))- (search-patches "gd-CVE-2017-7890.patch")))))))-- (define-public php (package (name "php")@@ -293,7 +282,7 @@ ("curl" ,curl) ("cyrus-sasl" ,cyrus-sasl) ("freetype" ,freetype)- ("gd" ,gd-for-php)+ ("gd" ,gd-2.2.5) ("gdbm" ,gdbm) ("glibc" ,glibc) ("gmp" ,gmp)-- 2.14.1
L
L
Leo Famulari wrote on 31 Aug 2017 02:59
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 28301@debbugs.gnu.org)
20170831005929.GA19327@jasmine.lan
On Wed, Aug 30, 2017 at 11:45:56PM +0200, Marius Bakke wrote:
Toggle quote (9 lines)> Fixes CVE-2017-6362 and CVE-2017-7890.> > * gnu/packages/gd.scm (gd)[replacement]: New field.> (gd-2.2.5): New variable.> * gnu/packages/php.scm (gd-for-php): Remove variable> (php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.> * gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.> * gnu/local.mk (dist_patch_DATA): Remove it.
LGTM, thank you!
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmnX24ACgkQJkb6MLrKfwg8Jw//duW89c2uYljOusctQIIKfp1jiwL4KhsqAb4nUpWMGfGCleAA0dwdlV3dANVHQuopVUXuzfHyVyf/4O9q8cXSKQHO0nze4n3JV6NR5aSCmSzQgWa83ERFt4VeO+El/5RHQqDB1LSGj45xfHZwyH0pdWAMIWhtctsOMF0sCFhIuZj6Y2C2a7Xgff77pHcsvQxQRmT280MQgpCV9KvP04tF1vD4uCVzg/CBREd6tS68p0kdovwI7ZRxKSfLS70/UZq6/+45htKE1Dyc7XALEnPwx0MuUAyYAUUDLO3wHJQbrWJOLaVoEhF0XautHhCh1/J8uQIAq/KaRdTOtV8cPbKUWr5yJ5zF00E4Vy3W+cCdSjjHHJUghsr9icr4W8hu0invHE5an+78rHrBcQBV74dXEA+GWdcasL+2GXmakbEdFT/v3XCVbcxQu9Mg/nd0vGtUhLh1v5/PGchSAks6QZDVc8nXmG+zS5UCbPrCvZI7/k8PFh0T3Vm6WXncI+vTWLXQTuNvtrkQ16u+wOZn085kfpSGUpjgnS/18vmpnNJgPtI0TFTjewbgH98C3ob2JWq+rXqI5F7Mf3DkorXrrgmF84gtM5VqA18J9jXRSwXAa5/plHiTFXKrL3O5nSPQyke/x7YwWj9ijGvCFmerGoGNyXxSFK8WxgqW7N5LKQm9whM==ox+a-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 4 Sep 2017 15:27
control message for bug #28301
(address . control@debbugs.gnu.org)
87ingy1tn3.fsf@gnu.org
tags 28301 fixedclose 28301
?
Your comment

This issue is archived.

To comment on this conversation send email to 28301@debbugs.gnu.org