From: bug#28301 <28301@debbugs.gnu.org>
To: bug#28301 <28301@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: gd: Replace with 2.2.5.
Date: Tue, 17 Jun 2025 08:34:15 +0000

retitle 28301 [PATCH] gnu: gd: Replace with 2.2.5.
reassign 28301 guix-patches
submitter 28301 Marius Bakke
severity 28301 normal
tag 28301 patch fixed
thanks

From: Marius Bakke
To: guix-patches@gnu.org
Subject: [PATCH] gnu: gd: Replace with 2.2.5.
Date: Wed, 30 Aug 2017 23:45:56 +0200
Message-Id: <20170830214556.14345-1-mbakke@fastmail.com>

Fixes CVE-2017-6362 and CVE-2017-7890.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd-2.2.5): New variable.
* gnu/packages/php.scm (gd-for-php): Remove variable
(php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
* gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
--- gnu/local.mk | 1 - gnu/packages/gd.scm | 20 +++++++++++++++++-- gnu/packages/patches/gd-CVE-2017-7890.patch | 30 ----------------------------- gnu/packages/php.scm | 13 +------------ 4 files changed, 19 insertions(+), 45 deletions(-) delete mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch diff --git a/gnu/local.mk b/gnu/local.mk index 920796685..708b50e8b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -631,7 +631,6 @@ dist_patch_DATA = \ %D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gdk-pixbuf-list-dir.patch \ - %D%/packages/patches/gd-CVE-2017-7890.patch \ %D%/packages/patches/gd-fix-gd2-read-test.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index b4e6ce435..169f040ee 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2015 Eric Bavier ;;; Copyright © 2016, 2017 Leo Famulari ;;; Copyright © 2017 Efraim Flashner +;;; Copyright © 2017 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -37,12 +38,11 @@ (define-public gd (package (name "gd") - + (replacement gd-2.2.5) ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. (version "2.2.4") - (source (origin (method url-fetch) (uri (string-append @@ -93,6 +93,22 @@ most common applications of GD involve website development.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) +;; For CVE-2017-6362 and CVE-2017-7890. +(define-public gd-2.2.5 + (package + (inherit gd) + (version "2.2.5") + (source (origin + (method url-fetch) + (uri (string-append + "https://github.com/libgd/libgd/releases/download/gd-" + version "/libgd-" version ".tar.xz")) + (patches (search-patches "gd-fix-tests-on-i686.patch" + "gd-freetype-test-failure.patch")) + (sha256 + (base32 + "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c")))))) + (define-public perl-gd (package (name "perl-gd") diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch deleted file mode 100644 index 66034c570..000000000 --- a/gnu/packages/patches/gd-CVE-2017-7890.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001 -From: LEPILLER Julien -Date: Thu, 3 Aug 2017 17:04:17 +0200 -Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory. - -The stack allocated color map buffers were not zeroed before usage, and -so undefined palette indexes could cause information leakage. - -This is CVE-2017-7890. ---- - src/gd_gif_in.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c -index 008d1ec..c195448 100644 ---- a/src/gd_gif_in.c -+++ b/src/gd_gif_in.c -@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) - - gdImagePtr im = 0; - -+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); -+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); -+ - if(!ReadOK(fd, buf, 6)) { - return 0; - } --- -2.13.3 - diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm index d0afab093..44fa78d62 100644 --- a/gnu/packages/php.scm +++ b/gnu/packages/php.scm @@ -49,17 +49,6 @@ #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:)) -(define gd-for-php - (package - (inherit gd) - (source (origin - (inherit (package-source gd)) - (patches - (append - (origin-patches (package-source gd)) - (search-patches "gd-CVE-2017-7890.patch"))))))) - - (define-public php (package (name "php") 
@@ -293,7 +282,7 @@ ("curl" ,curl) ("cyrus-sasl" ,cyrus-sasl) ("freetype" ,freetype) - ("gd" ,gd-for-php) + ("gd" ,gd-2.2.5) ("gdbm" ,gdbm) ("glibc" ,glibc) ("gmp" ,gmp) -- 2.14.1
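
Review bot: In the first gnu/packages/gd.scm hunk (@@ -37,12 +38,11 @@), the new (replacement gd-2.2.5) field lands between (name "gd") and the existing ";; Note: With libgd.org now pointing to github.com" comment, so that comment, which explains the version and source URL, now reads as if it described the replacement. Consider moving the field below (version "2.2.4") or giving it its own one-line comment naming the CVEs. The same hunk also drops the blank line before (source (origin, which is unrelated whitespace churn in a security fix.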
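
Review bot: In the gd-2.2.5 definition (gnu/packages/gd.scm, @@ -93,6 +93,22 @@), the patches list names only gd-fix-tests-on-i686.patch and gd-freetype-test-failure.patch, while the gnu/local.mk context in this same patch still carries gd-fix-gd2-read-test.patch. If that patch is deliberately not applied to 2.2.5, please say so in a comment or in the commit log, so whoever later folds 2.2.5 into gd knows whether the file can be deleted.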
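
Review bot: In the php inputs hunk (gnu/packages/php.scm, @@ -293,7 +282,7 @@), ("gd" ,gd-2.2.5) ties php to a variable that gd.scm documents only as "For CVE-2017-6362 and CVE-2017-7890". A short comment next to the input, or next to the gd-2.2.5 definition, saying that php should go back to ,gd once the base package is updated would prevent php.scm from breaking when gd-2.2.5 is eventually removed.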

Date: Wed, 30 Aug 2017 20:59:29 -0400
From: Leo Famulari
To: Marius Bakke
Cc: 28301@debbugs.gnu.org
Subject: Re: [bug#28301] [PATCH] gnu: gd: Replace with 2.2.5.

On Wed, Aug 30, 2017 at 11:45:56PM +0200, Marius Bakke wrote:
> Fixes CVE-2017-6362 and CVE-2017-7890.
>
> * gnu/packages/gd.scm (gd)[replacement]: New field.
> (gd-2.2.5): New variable.
> * gnu/packages/php.scm (gd-for-php): Remove variable
> (php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
> * gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

LGTM, thank you!

Date: Mon, 04 Sep 2017 15:27:12 +0200
From: ludo@gnu.org (Ludovic Courtès)
To: control@debbugs.gnu.org
Subject: control message for bug #28301

tags 28301 fixed
close 28301

Date: Tue, 03 Oct 2017 11:24:03 +0000
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control

# This is a fake control message.
#
# The action:
# bug archived.
thanks