GNU bug report logs - #64676
[PATCH] gnu: libwebp: Replace with 1.3.1. [fixes CVE-2023-1999]

Previous Next

Package: guix-patches;

Reported by: Hilton Chain <hako <at> ultrarare.space>

Date: Mon, 17 Jul 2023 07:30:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 64676 in the body.
You can then email your comments to 64676 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#64676; Package guix-patches. (Mon, 17 Jul 2023 07:30:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Hilton Chain <hako <at> ultrarare.space>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 17 Jul 2023 07:30:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Hilton Chain <hako <at> ultrarare.space>
To: guix-patches <at> gnu.org
Cc: Hilton Chain <hako <at> ultrarare.space>
Subject: [PATCH] gnu: libwebp: Replace with 1.3.1. [fixes CVE-2023-1999]
Date: Mon, 17 Jul 2023 15:29:03 +0800

* gnu/packages/image.scm (libwebp/fixed): New variable.
(libwebp)[replacement]: Assign it to new field.
---
 gnu/packages/image.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 50af2001ad..d4390fe3f3 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1432,6 +1432,7 @@ (define-public libwebp
   (package
     (name "libwebp")
     (version "1.2.4")
+    (replacement libwebp/fixed)
     (source
      (origin
        ;; No tarballs are provided for >0.6.1.
@@ -1470,6 +1471,22 @@ (define-public libwebp
 channels.")
     (license license:bsd-3)))
 
+(define libwebp/fixed
+  (package
+    (inherit libwebp)
+    (name "libwebp")
+    (version "1.3.1")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://chromium.googlesource.com/webm/libwebp")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "1aas6gwy7kfcq34cil781kcsl286khh9grwcx7k4d2n1g7zcpl3m"))))))
+
 (define-public libmng
   (package
     (name "libmng")

base-commit: 3755941f038ec66fba568fa88d6b2d295e196723
-- 
2.41.0
Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Wed, 16 Aug 2023 20:54:01 GMT) Full text and rfc822 format available.
Notification sent to Hilton Chain <hako <at> ultrarare.space>:
bug acknowledged by developer. (Wed, 16 Aug 2023 20:54:01 GMT) Full text and rfc822 format available.

Message #10 received at 64676-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Hilton Chain <hako <at> ultrarare.space>
Cc: 64676-done <at> debbugs.gnu.org
Subject: Re: bug#64676: [PATCH] gnu: libwebp: Replace with 1.3.1. [fixes
 CVE-2023-1999]
Date: Wed, 16 Aug 2023 22:52:56 +0200

Hilton Chain <hako <at> ultrarare.space> skribis:

> * gnu/packages/image.scm (libwebp/fixed): New variable.
> (libwebp)[replacement]: Assign it to new field.

Hi! Finally applied, thanks!

Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 14 Sep 2023 11:24:13 GMT) Full text and rfc822 format available.
This bug report was last modified 1 year and 341 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.