GNU bug report logs - #28301
[PATCH] gnu: gd: Replace with 2.2.5.

Previous Next

Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Wed, 30 Aug 2017 21:47:02 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28301 in the body.
You can then email your comments to 28301 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#28301; Package guix-patches. (Wed, 30 Aug 2017 21:47:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 30 Aug 2017 21:47:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: gd: Replace with 2.2.5.
Date: Wed, 30 Aug 2017 23:45:56 +0200

Fixes CVE-2017-6362 and CVE-2017-7890.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd-2.2.5): New variable.
* gnu/packages/php.scm (gd-for-php): Remove variable
(php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
* gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                |  1 -
 gnu/packages/gd.scm                         | 20 +++++++++++++++++--
 gnu/packages/patches/gd-CVE-2017-7890.patch | 30 -----------------------------
 gnu/packages/php.scm                        | 13 +------------
 4 files changed, 19 insertions(+), 45 deletions(-)
 delete mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 920796685..708b50e8b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -631,7 +631,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcr-disable-failing-tests.patch		\
   %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch	\
   %D%/packages/patches/gdk-pixbuf-list-dir.patch		\
-  %D%/packages/patches/gd-CVE-2017-7890.patch		\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
   %D%/packages/patches/gd-freetype-test-failure.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index b4e6ce435..169f040ee 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier <at> member.fsf.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo <at> famulari.name>
 ;;; Copyright © 2017 Efraim Flashner <efraim <at> flashner.co.il>
+;;; Copyright © 2017 Marius Bakke <mbakke <at> fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -37,12 +38,11 @@
 (define-public gd
   (package
     (name "gd")
-
+    (replacement gd-2.2.5)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
     (version "2.2.4")
-
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -93,6 +93,22 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+;; For CVE-2017-6362 and CVE-2017-7890.
+(define-public gd-2.2.5
+  (package
+    (inherit gd)
+    (version "2.2.5")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/libgd/libgd/releases/download/gd-"
+                    version "/libgd-" version ".tar.xz"))
+              (patches (search-patches "gd-fix-tests-on-i686.patch"
+                                       "gd-freetype-test-failure.patch"))
+              (sha256
+               (base32
+                "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch
deleted file mode 100644
index 66034c570..000000000
--- a/gnu/packages/patches/gd-CVE-2017-7890.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
-From: LEPILLER Julien <julien <at> lepiller.eu>
-Date: Thu, 3 Aug 2017 17:04:17 +0200
-Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
-
-The stack allocated color map buffers were not zeroed before usage, and
-so undefined palette indexes could cause information leakage.
-
-This is CVE-2017-7890.
----
- src/gd_gif_in.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index 008d1ec..c195448 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
- 
- 	gdImagePtr im = 0;
- 
-+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
-+
- 	if(!ReadOK(fd, buf, 6)) {
- 		return 0;
- 	}
--- 
-2.13.3
-
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index d0afab093..44fa78d62 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -49,17 +49,6 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
-(define gd-for-php
-  (package
-    (inherit gd)
-    (source (origin
-             (inherit (package-source gd))
-             (patches 
-               (append
-                 (origin-patches (package-source gd))
-                 (search-patches "gd-CVE-2017-7890.patch")))))))
-
-
 (define-public php
   (package
     (name "php")
@@ -293,7 +282,7 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd-for-php)
+       ("gd" ,gd-2.2.5)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)
-- 
2.14.1
Information forwarded to guix-patches <at> gnu.org:
bug#28301; Package guix-patches. (Thu, 31 Aug 2017 01:00:01 GMT) Full text and rfc822 format available.

Message #8 received at 28301 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 28301 <at> debbugs.gnu.org
Subject: Re: [bug#28301] [PATCH] gnu: gd: Replace with 2.2.5.
Date: Wed, 30 Aug 2017 20:59:29 -0400

[Message part 1 (text/plain, inline)]
On Wed, Aug 30, 2017 at 11:45:56PM +0200, Marius Bakke wrote:
> Fixes CVE-2017-6362 and CVE-2017-7890.
> 
> * gnu/packages/gd.scm (gd)[replacement]: New field.
> (gd-2.2.5): New variable.
> * gnu/packages/php.scm (gd-for-php): Remove variable
> (php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
> * gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

LGTM, thank you!

[signature.asc (application/pgp-signature, inline)]
Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 04 Sep 2017 13:29:02 GMT) Full text and rfc822 format available.
bug closed, send any further explanations to 28301 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com> Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 04 Sep 2017 13:29:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 03 Oct 2017 11:24:03 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 257 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.