Package: guix-patches;
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Wed, 30 Aug 2017 21:47:02 UTC
Severity: normal
Tags: fixed, patch
Done: ludo <at> gnu.org (Ludovic Courtès)
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: Marius Bakke <mbakke <at> fastmail.com> To: 28301 <at> debbugs.gnu.org Cc: Marius Bakke <mbakke <at> fastmail.com> Subject: [bug#28301] [PATCH] gnu: gd: Replace with 2.2.5. Date: Wed, 30 Aug 2017 23:45:56 +0200
Fixes CVE-2017-6362 and CVE-2017-7890. * gnu/packages/gd.scm (gd)[replacement]: New field. (gd-2.2.5): New variable. * gnu/packages/php.scm (gd-for-php): Remove variable (php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5. * gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/gd.scm | 20 +++++++++++++++++-- gnu/packages/patches/gd-CVE-2017-7890.patch | 30 ----------------------------- gnu/packages/php.scm | 13 +------------ 4 files changed, 19 insertions(+), 45 deletions(-) delete mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch diff --git a/gnu/local.mk b/gnu/local.mk index 920796685..708b50e8b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -631,7 +631,6 @@ dist_patch_DATA = \ %D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gdk-pixbuf-list-dir.patch \ - %D%/packages/patches/gd-CVE-2017-7890.patch \ %D%/packages/patches/gd-fix-gd2-read-test.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index b4e6ce435..169f040ee 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2015 Eric Bavier <bavier <at> member.fsf.org> ;;; Copyright © 2016, 2017 Leo Famulari <leo <at> famulari.name> ;;; Copyright © 2017 Efraim Flashner <efraim <at> flashner.co.il> +;;; Copyright © 2017 Marius Bakke <mbakke <at> fastmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -37,12 +38,11 @@ (define-public gd (package (name "gd") - + (replacement gd-2.2.5) ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. (version "2.2.4") - (source (origin (method url-fetch) (uri (string-append @@ -93,6 +93,22 @@ most common applications of GD involve website development.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) +;; For CVE-2017-6362 and CVE-2017-7890. +(define-public gd-2.2.5 + (package + (inherit gd) + (version "2.2.5") + (source (origin + (method url-fetch) + (uri (string-append + "https://github.com/libgd/libgd/releases/download/gd-" + version "/libgd-" version ".tar.xz")) + (patches (search-patches "gd-fix-tests-on-i686.patch" + "gd-freetype-test-failure.patch")) + (sha256 + (base32 + "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c")))))) + (define-public perl-gd (package (name "perl-gd") diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch deleted file mode 100644 index 66034c570..000000000 --- a/gnu/packages/patches/gd-CVE-2017-7890.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001 -From: LEPILLER Julien <julien <at> lepiller.eu> -Date: Thu, 3 Aug 2017 17:04:17 +0200 -Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory. - -The stack allocated color map buffers were not zeroed before usage, and -so undefined palette indexes could cause information leakage. - -This is CVE-2017-7890. ---- - src/gd_gif_in.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c -index 008d1ec..c195448 100644 ---- a/src/gd_gif_in.c -+++ b/src/gd_gif_in.c -@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) - - gdImagePtr im = 0; - -+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); -+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); -+ - if(!ReadOK(fd, buf, 6)) { - return 0; - } --- -2.13.3 - diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm index d0afab093..44fa78d62 100644 --- a/gnu/packages/php.scm +++ b/gnu/packages/php.scm @@ -49,17 +49,6 @@ #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:)) -(define gd-for-php - (package - (inherit gd) - (source (origin - (inherit (package-source gd)) - (patches - (append - (origin-patches (package-source gd)) - (search-patches "gd-CVE-2017-7890.patch"))))))) - - (define-public php (package (name "php") @@ -293,7 +282,7 @@ ("curl" ,curl) ("cyrus-sasl" ,cyrus-sasl) ("freetype" ,freetype) - ("gd" ,gd-for-php) + ("gd" ,gd-2.2.5) ("gdbm" ,gdbm) ("glibc" ,glibc) ("gmp" ,gmp) -- 2.14.1
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.