From: Hilton Chain
To: 64676@debbugs.gnu.org
Subject: [bug#64676] [PATCH] gnu: libwebp: Replace with 1.3.1. [fixes CVE-2023-1999]
Date: Mon, 17 Jul 2023 15:29:03 +0800

* gnu/packages/image.scm (libwebp/fixed): New variable.
(libwebp)[replacement]: Assign it to new field.
--- gnu/packages/image.scm | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 50af2001ad..d4390fe3f3 100644 --- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm @@ -1432,6 +1432,7 @@ (define-public libwebp (package (name "libwebp") (version "1.2.4") + (replacement libwebp/fixed) (source (origin ;; No tarballs are provided for >0.6.1. @@ -1470,6 +1471,22 @@ (define-public libwebp channels.") (license license:bsd-3))) +(define libwebp/fixed + (package + (inherit libwebp) + (name "libwebp") + (version "1.3.1") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://chromium.googlesource.com/webm/libwebp") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1aas6gwy7kfcq34cil781kcsl286khh9grwcx7k4d2n1g7zcpl3m")))))) + (define-public libmng (package (name "libmng") base-commit: 3755941f038ec66fba568fa88d6b2d295e196723 -- 2.41.0
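
Review bot: In the first hunk, `(replacement libwebp/fixed)` on the `(version "1.2.4")` package grafts in 1.3.1, a minor-version jump rather than 1.2.4 plus the security fix, and neither the commit message nor a comment says the two versions were checked for ABI compatibility. A graft rewrites references in already-built dependents without rebuilding them, so an ABI difference between the two versions would only show up at run time in packages linked against libwebp. Please say in the commit message how compatibility was checked (for example by running a few dependents against the grafted library), or graft a 1.2.4 that carries only the upstream fix.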
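
Review bot: The `(define libwebp/fixed` form in the second hunk has no comment saying why it exists; CVE-2023-1999 appears only in the mail subject, so someone reading image.scm later cannot tell what the replacement fixes or when it can be dropped in favour of a plain version bump. A one-line comment directly above the definition, such as `;; Replacement package to fix CVE-2023-1999.`, would cover it.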

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Hilton Chain
Subject: bug#64676: closed (Re: bug#64676: [PATCH] gnu: libwebp: Replace with 1.3.1. [fixes CVE-2023-1999])
Date: Wed, 16 Aug 2023 20:54:02 +0000

Your bug report

#64676: [PATCH] gnu: libwebp: Replace with 1.3.1. [fixes CVE-2023-1999]

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 64676@debbugs.gnu.org.

--
64676: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64676
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Hilton Chain
Cc: 64676-done@debbugs.gnu.org
Subject: Re: bug#64676: [PATCH] gnu: libwebp: Replace with 1.3.1. [fixes CVE-2023-1999]
Date: Wed, 16 Aug 2023 22:52:56 +0200

Hilton Chain skribis:

> * gnu/packages/image.scm (libwebp/fixed): New variable.
> (libwebp)[replacement]: Assign it to new field.

Hi!

Finally applied, thanks!

Ludo’.