gnu: gd: Replace with 2.2.5.

Fixes CVE-2017-6362 and CVE-2017-7890.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd-2.2.5): New variable.
* gnu/packages/php.scm (gd-for-php): Remove variable.
(php)[inputs]: Replace GD-FOR-PHP with GD-2.2.5.
* gnu/packages/patches/gd-CVE-2017-7890.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
Marius Bakke 2017-08-30 23:41:08 +02:00
parent cad88b8533
commit 4f68156140
No known key found for this signature in database
GPG key ID: A2A06DF2A33A54FA
4 changed files with 19 additions and 45 deletions


@ -631,7 +631,6 @@ dist_patch_DATA = \
%D%/packages/patches/gcr-disable-failing-tests.patch \
%D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \
%D%/packages/patches/gdk-pixbuf-list-dir.patch \
%D%/packages/patches/gd-CVE-2017-7890.patch \
%D%/packages/patches/gd-fix-gd2-read-test.patch \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gd-freetype-test-failure.patch \


@ -4,6 +4,7 @@
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@ -37,12 +38,11 @@ (define-module (gnu packages gd)
(define-public gd
(package
(name "gd")
(replacement gd-2.2.5)
;; Note: With libgd.org now pointing to github.com, genuine old
;; tarballs are no longer available. Notably, versions 2.0.x are
;; missing.
(version "2.2.4")
(source (origin
(method url-fetch)
(uri (string-append
@ -93,6 +93,22 @@ (define-public gd
"See COPYING file in the distribution."))
(properties '((cpe-name . "libgd")))))
;; For CVE-2017-6362 and CVE-2017-7890.
(define-public gd-2.2.5
(package
(inherit gd)
(version "2.2.5")
(source (origin
(method url-fetch)
(uri (string-append
"https://github.com/libgd/libgd/releases/download/gd-"
version "/libgd-" version ".tar.xz"))
(patches (search-patches "gd-fix-tests-on-i686.patch"
"gd-freetype-test-failure.patch"))
(sha256
(base32
"0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))))))
(define-public perl-gd
(package
(name "perl-gd")
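Review bot: The comment above `gd-2.2.5` names the CVEs but does not say that the package is a graft target, which matters because `(replacement gd-2.2.5)` swaps 2.2.5 into dependents that were built against 2.2.4 without rebuilding them. That is only safe if 2.2.5 is ABI-compatible with 2.2.4, and nothing visible in this section records that this was checked. I would extend the comment to something like `;; Graft for CVE-2017-6362 and CVE-2017-7890; 2.2.5 must stay ABI-compatible with 2.2.4.  Merge into 'gd' on the next full rebuild.` The new origin also lists only two patches, and the patch list of `gd` itself is outside the hunk, so please confirm that any test patch left out is really unnecessary for 2.2.5.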


@ -1,30 +0,0 @@
From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
From: LEPILLER Julien <julien@lepiller.eu>
Date: Thu, 3 Aug 2017 17:04:17 +0200
Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.
This is CVE-2017-7890.
---
src/gd_gif_in.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
index 008d1ec..c195448 100644
--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
gdImagePtr im = 0;
+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
if(!ReadOK(fd, buf, 6)) {
return 0;
}
--
2.13.3


@ -49,17 +49,6 @@ (define-module (gnu packages php)
#:use-module (guix build-system gnu)
#:use-module ((guix licenses) #:prefix license:))
(define gd-for-php
(package
(inherit gd)
(source (origin
(inherit (package-source gd))
(patches
(append
(origin-patches (package-source gd))
(search-patches "gd-CVE-2017-7890.patch")))))))
(define-public php
(package
(name "php")
@ -293,7 +282,7 @@ (define-public php
("curl" ,curl)
("cyrus-sasl" ,cyrus-sasl)
("freetype" ,freetype)
("gd" ,gd-for-php)
("gd" ,gd-2.2.5)
("gdbm" ,gdbm)
("glibc" ,glibc)
("gmp" ,gmp)
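Review bot: The `("gd" ,gd-2.2.5)` input ties php to the name of a temporary security replacement rather than to `gd`, so php will stop building if that variable is removed once `gd` itself is updated. It would also stay on 2.2.5 if the variable is kept while `gd` moves on to a later security release. A one-line comment above the input, for example `;; TODO: Switch back to 'gd' once it is at 2.2.5 or later.`, would keep the two in step. The php definition starts and ends outside this hunk, so any other use of gd in it is not visible here.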