From bbf8832f160120d4f78b563653db49ab715e7c6c Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Fri, 23 Feb 2018 14:24:42 +0100 Subject: gnu: optipng: Update to 0.7.7 [security fixes]. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This release claims to fix 2 vulnerabilities: - ‘an integer overflow vulnerability in the TIFF decoder’ (CVE-2017-1000229, previously patched in Guix), and - ‘a buffer overflow vulnerability in the GIF decoder’. * gnu/packages/image.scm (optipng): Update to 0.7.7. [source]: Remove patch. [arguments]: Substitute INVOKE for SYSTEM* and end phase with #t. * gnu/packages/patches/optipng-CVE-2017-1000229.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/packages/image.scm | 17 ++++++++--------- .../patches/optipng-CVE-2017-1000229.patch | 22 ---------------------- 2 files changed, 8 insertions(+), 31 deletions(-) delete mode 100644 gnu/packages/patches/optipng-CVE-2017-1000229.patch (limited to 'gnu/packages') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 9052a34e96..93114d8e07 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -10,7 +10,7 @@ ;;; Copyright © 2016 Leo Famulari ;;; Copyright © 2016, 2017 Leo Famulari ;;; Copyright © 2016, 2017 Efraim Flashner -;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice +;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice ;;; Copyright © 2016 Eric Bavier ;;; Copyright © 2016, 2017 Arun Isaac ;;; Copyright © 2016, 2017 Kei Kebreau @@ -1091,29 +1091,28 @@ (define-public stb-image-for-extempore (define-public optipng (package (name "optipng") - (version "0.7.6") + (version "0.7.7") (source (origin (method url-fetch) (uri (string-append "http://prdownloads.sourceforge.net/optipng/optipng-" version ".tar.gz")) - (patches (search-patches "optipng-CVE-2017-1000229.patch")) (sha256 (base32 - "105yk5qykvhiahzag67gm36s2kplxf6qn5hay02md0nkrcgn6w28")))) + "0lj4clb851fzpaq446wgj0sfy922zs5l5misbpwv6w7qrqrz4cjg")))) (build-system gnu-build-system) (inputs `(("zlib" ,zlib))) (arguments '(#:phases (modify-phases %standard-phases - ;; configure script does not accept arguments CONFIG_SHELL and SHELL (replace 'configure (lambda* (#:key outputs #:allow-other-keys) - (zero? (system* "sh" "configure" - (string-append "--prefix=" (assoc-ref outputs "out"))))))))) - (synopsis "Optimizer that recompresses PNG image files to a -smaller size") + ;; configure script doesn't accept arguments CONFIG_SHELL and SHELL + (invoke "sh" "configure" + (string-append "--prefix=" (assoc-ref outputs "out"))) + #t))))) + (synopsis "Optimizer that recompresses PNG image files to a smaller size") (description "OptiPNG is a PNG optimizer that recompresses image files to a smaller size, without losing any information. This program also converts external formats (BMP, GIF, PNM and TIFF) to optimized diff --git a/gnu/packages/patches/optipng-CVE-2017-1000229.patch b/gnu/packages/patches/optipng-CVE-2017-1000229.patch deleted file mode 100644 index 2cb3b2f21c..0000000000 --- a/gnu/packages/patches/optipng-CVE-2017-1000229.patch +++ /dev/null @@ -1,22 +0,0 @@ -Fix CVE-2017-1000229: - -https://security-tracker.debian.org/tracker/CVE-2017-1000229 -https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html -https://nvd.nist.gov/vuln/detail/CVE-2017-1000229 - -Patch copied from upstream bug tracker: -https://sourceforge.net/p/optipng/bugs/65/ - -diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c -index b4910ec..5f9b376 100644 ---- a/src/minitiff/tiffread.c -+++ b/src/minitiff/tiffread.c -@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp) - count = tiff_ptr->strip_offsets_count; - if (count == 0 || count > tiff_ptr->height) - goto err_invalid; -+ if (count > (size_t)-1 / sizeof(long)) -+ goto err_memory; - tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long)); - if (tiff_ptr->strip_offsets == NULL) - goto err_memory; -- cgit v1.2.3