gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.

* gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libjpeg-turbo/fixed): New variable. (libjpeg-turbo)[replacement]: New field.
author: Marius Bakke <mbakke@fastmail.com> 2019-12-04 22:18:43 +0100
committer: Marius Bakke <mbakke@fastmail.com> 2019-12-04 23:18:24 +0100
commit: 0fa9f29a5100f19a8494521659a1fa3baaa7fd0e (patch)
tree: ad38f1e1230e517d62d009be46d30c19e665a708 /gnu/packages/image.scm
parent: 4fe7adcbcc5465da8adfd5d85375546905cf9eca (diff)
download: patches-0fa9f29a5100f19a8494521659a1fa3baaa7fd0e.tar
patches-0fa9f29a5100f19a8494521659a1fa3baaa7fd0e.tar.gz
1 files changed, 16 insertions, 1 deletions
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 731a1e8aed..71bd381cef 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2018 Joshua Sierles, Nextjournal <joshua@nextjournal.com>
 ;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
 ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
-;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018, 2019 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
 ;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2018 Rutger Helling <rhelling@mykolab.com>
@@ -1489,6 +1489,7 @@ is hereby granted."))))
   (package
     (name "libjpeg-turbo")
     (version "2.0.2")
+    (replacement libjpeg-turbo/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
@@ -1518,6 +1519,20 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
                    license:ijg          ;the libjpeg library and associated tools
                    license:zlib))))     ;the libjpeg-turbo SIMD extensions
 
+;; Replacement package to fix CVE-2019-13960 and CVE-2019-2201.
+(define libjpeg-turbo/fixed
+  (package
+    (inherit libjpeg-turbo)
+    (version "2.0.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
+                                  version "/libjpeg-turbo-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1ds16bnj17v6hzd43w8pzijz3imd9am4hw75ir0fxm240m8dwij2"))
+              (patches (search-patches "libjpeg-turbo-CVE-2019-2201.patch"))))))
+
 (define-public niftilib
   (package
     (name "niftilib")
author	Marius Bakke <mbakke@fastmail.com>	2019-12-04 22:18:43 +0100
committer	Marius Bakke <mbakke@fastmail.com>	2019-12-04 23:18:24 +0100
commit	0fa9f29a5100f19a8494521659a1fa3baaa7fd0e (patch)
tree	ad38f1e1230e517d62d009be46d30c19e665a708 /gnu/packages/image.scm
parent	4fe7adcbcc5465da8adfd5d85375546905cf9eca (diff)
download	patches-0fa9f29a5100f19a8494521659a1fa3baaa7fd0e.tar patches-0fa9f29a5100f19a8494521659a1fa3baaa7fd0e.tar.gz