From ad3306f62fc607fe553fca7c4b01f87a46499e03 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 29 Aug 2018 02:52:47 +0200 Subject: gnu: perl-gd: Update to 2.69. * gnu/packages/gd.scm (perl-gd): Update to 2.69. --- gnu/packages/gd.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/gd.scm') diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index 56553a6745..c374695524 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -94,7 +94,7 @@ most common applications of GD involve website development.") (define-public perl-gd (package (name "perl-gd") - (version "2.68") + (version "2.69") (source (origin (method url-fetch) @@ -102,7 +102,7 @@ most common applications of GD involve website development.") "GD-" version ".tar.gz")) (sha256 (base32 - "0p2ya641nl5cvcqgw829xgabh835qijfd6vq2ba12862946xx8va")))) + "0palmq7l42fibqxhrabnjm7di4q8kciq9323902d717x3i4jvc6x")))) (build-system perl-build-system) (inputs `(("fontconfig" ,fontconfig) -- cgit v1.2.3 From ced98c7e89a22c551dd23acd7a1b4f861958d876 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 9 Sep 2018 17:48:24 -0400 Subject: gnu: libgd: Fix CVE-2018-{5711,1000222}. * gnu/packages/patches/gd-CVE-2018-1000222.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd/fixed): New variable. * gnu/packages/php.scm (gd-for-php)[source]: Use 'gd-CVE-2018-1000222.patch'. --- gnu/local.mk | 1 + gnu/packages/gd.scm | 11 ++++ gnu/packages/patches/gd-CVE-2018-1000222.patch | 87 ++++++++++++++++++++++++++ gnu/packages/php.scm | 3 +- 4 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gd-CVE-2018-1000222.patch (limited to 'gnu/packages/gd.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 0407fdc597..374e25165e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -719,6 +719,7 @@ dist_patch_DATA = \ %D%/packages/patches/gcr-disable-failing-tests.patch \ %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch \ %D%/packages/patches/gd-CVE-2018-5711.patch \ + %D%/packages/patches/gd-CVE-2018-1000222.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \ %D%/packages/patches/gdm-CVE-2018-14424.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index c374695524..327a1f1545 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -39,6 +39,7 @@ (define-public gd (package (name "gd") + (replacement gd/fixed) ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. @@ -91,6 +92,16 @@ most common applications of GD involve website development.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) +(define-public gd/fixed + (hidden-package + (package + (inherit gd) + (source (origin + (inherit (package-source gd)) + (patches (append (origin-patches (package-source gd)) + (search-patches "gd-CVE-2018-5711.patch" + "gd-CVE-2018-1000222.patch")))))))) + (define-public perl-gd (package (name "perl-gd") diff --git a/gnu/packages/patches/gd-CVE-2018-1000222.patch b/gnu/packages/patches/gd-CVE-2018-1000222.patch new file mode 100644 index 0000000000..7e94295bb6 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2018-1000222.patch 
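Review bot: The new `gd/fixed` package and the `(replacement gd/fixed)` field in the `gd.scm` hunks carry no comment saying which fixes the graft delivers or that it is a stop-gap, so the next person touching `gd` has to diff the two patch lists to find out. A one-line comment above `(define-public gd/fixed`, e.g. `;; Graft carrying the fixes for CVE-2018-5711 and CVE-2018-1000222; fold the patches into 'gd' and drop the replacement on the next rebuild.`, states the intent and the exit condition. Note that `gd-CVE-2018-5711.patch` already appears as a context line in the `local.mk` hunk, i.e. it was previously applied only to `gd-for-php` in `php.scm` and reaches `gd` itself for the first time through this graft.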
@@ -0,0 +1,87 @@
+Fix CVE-2018-1000222:
+
+https://github.com/libgd/libgd/issues/447
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a
+
+From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: [PATCH] bmp: check return value in gdImageBmpPtr
+
+Closes #447.
+
+(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5)
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index ccafdcd..d625da1 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageBmpCtx(im, out, compression);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageBmpCtx(im, out, compression))
++ rv = gdDPExtractData(out, size);
++ else
++ rv = NULL;
+ out->gd_free(out);
+ return rv;
+ }
+@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
++{
++ _gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ int bitmap_size = 0, info_size, total_size, padding;
+ int i, row, xpos, pixel;
+@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ FILE *tmpfile_for_compression = NULL;
+ gdIOCtxPtr out_original = NULL;
++ int ret = 1;
+
+ /* No compression if its true colour or we don't support seek */
+ if (im->trueColor) {
+@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ out_original = NULL;
+ }
+
++ ret = 0;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -339,7 +350,7 @@ cleanup:
+ if (out_original) {
+ out_original->gd_free(out_original);
+ }
+- return;
++ return ret;
+ }
+
+ static int compress_row(unsigned char *row, int length)
+--
+2.18.0
+
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index 121ffab767..4981c60554 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -57,7 +57,8 @@ (inherit (package-source gd)) (patches (search-patches "gd-fix-tests-on-i686.patch" "gd-freetype-test-failure.patch"
- "gd-CVE-2018-5711.patch"))))))
+ "gd-CVE-2018-5711.patch"
+ "gd-CVE-2018-1000222.patch"))))))
(define-public php (package
-- cgit v1.2.3
From 68a08dfbe53301fb5c15470b52185e0578b5293e Mon Sep 17 00:00:00 2001
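Review bot: In the rewritten `gdImageBmpPtr` the failure branch `else rv = NULL;` never writes `*size`, so a caller that reads `size` before testing the returned pointer sees an indeterminate value; make it `else { rv = NULL; *size = 0; }` so the out-parameter is defined on every path (the original always went through `gdDPExtractData`, which took `size`). The same function still calls `out->gd_free(out)` unconditionally after a failure, while the `cleanup:` label in the last hunk frees `out_original` whenever it is set; whether some error path reaches `cleanup` with `out_original` still aliasing the caller's context is decided by code between the hunks that is not shown, and it is worth confirming, because that would make the `gd_free` in `gdImageBmpPtr` a second free. The public `gdImageBmpCtx` wrapper deliberately discards `_gdImageBmpCtx`'s status to keep its `void` ABI, which deserves a comment above it such as `/* ABI-preserving wrapper: failures are only observable via gdImageBmpPtr returning NULL. */` so that `gdImageBmp`/`gdImageBmpCtx` callers know they get no error signal. The body of `_gdImageBmpCtx` is only partially visible here; its error paths lie outside the hunks.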
From: Marius Bakke Date: Mon, 10 Sep 2018 01:30:06 +0200 Subject: gnu: libgd: Incorporate grafted changes. * gnu/packages/gd.scm (gd)[replacement]: Remove field. [source](patches): Add "gd-CVE-2018-5711.patch" and "gd-CVE-2018-1000222.patch". (gd/fixed): Remove variable. * gnu/packages/php.scm (gd-for-php): Remove variable. (php)[inputs]: Change GD-FOR-PHP to GD. --- gnu/packages/gd.scm | 16 ++++------------ gnu/packages/php.scm | 12 +----------- 2 files changed, 5 insertions(+), 23 deletions(-) (limited to 'gnu/packages/gd.scm') diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index 327a1f1545..1fe69577fd 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -39,7 +39,6 @@ (define-public gd (package (name "gd") - (replacement gd/fixed) ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. @@ -52,7 +51,10 @@ (sha256 (base32 "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c")) - (patches (search-patches "gd-fix-tests-on-i686.patch" + + (patches (search-patches "gd-CVE-2018-5711.patch" + "gd-CVE-2018-1000222.patch" + "gd-fix-tests-on-i686.patch" "gd-freetype-test-failure.patch")))) (build-system gnu-build-system) (arguments @@ -92,16 +94,6 @@ most common applications of GD involve website development.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) -(define-public gd/fixed - (hidden-package - (package - (inherit gd) - (source (origin - (inherit (package-source gd)) - (patches (append (origin-patches (package-source gd)) - (search-patches "gd-CVE-2018-5711.patch" - "gd-CVE-2018-1000222.patch")))))))) - (define-public perl-gd (package (name "perl-gd") diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm index 4981c60554..0efbec8057 100644 --- a/gnu/packages/php.scm +++ b/gnu/packages/php.scm 
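Review bot: The `gd.scm` hunk adds an empty line (the bare `+` before `+ (patches (search-patches "gd-CVE-2018-5711.patch"`) inside the `origin` record, between the `sha256` field and `patches`, which reads as a stray blank inside a record form; drop the added empty line so `(patches ...)` follows `(sha256 ...)` directly. The patch order also changed relative to the removed `gd/fixed` graft, with the two CVE patches now applied before the test-fixing patches; `gd-CVE-2018-1000222.patch` touches `src/gd_bmp.c` and the others are not shown here, so they presumably do not overlap, but it is worth confirming all four still apply cleanly in the new order.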
@@ -50,16 +50,6 @@ #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:)) -(define gd-for-php - (package - (inherit gd) - (source (origin - (inherit (package-source gd)) - (patches (search-patches "gd-fix-tests-on-i686.patch" - "gd-freetype-test-failure.patch" - "gd-CVE-2018-5711.patch" - "gd-CVE-2018-1000222.patch")))))) - (define-public php (package (name "php") @@ -312,7 +302,7 @@ ("curl" ,curl) ("cyrus-sasl" ,cyrus-sasl) ("freetype" ,freetype) - ("gd" ,gd-for-php) + ("gd" ,gd) ("gdbm" ,gdbm) ("glibc" ,glibc) ("gmp" ,gmp) -- cgit v1.2.3 From 4851af9ebe3949354a2d22ca932bbecb072c5024 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 27 Jun 2018 21:01:27 -0400 Subject: gnu: perl: Return #t from all phases. * gnu/packages/gd.scm (perl-gd-securityimage) * gnu/packages/libevent.scm (perl-ev) * gnu/packages/markup.scm (perl-text-markdown-discount) * gnu/packages/perl-check.scm (perl-test2-bundle-extended) * gnu/packages/perl.scm (perl-digest-md5, perl-encode-hanextra) (perl-ipc-run, perl-pathtools) * gnu/packages/photo.scm (perl-image-exiftool): Return #t from all phases. --- gnu/packages/gd.scm | 2 +- gnu/packages/markup.scm | 3 ++- gnu/packages/perl-check.scm | 2 +- gnu/packages/perl.scm | 11 +++++++---- gnu/packages/photo.scm | 3 ++- 5 files changed, 13 insertions(+), 8 deletions(-) (limited to 'gnu/packages/gd.scm') diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index 1fe69577fd..a53a4f2c2f 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -142,7 +142,7 @@ you can create PNG images on the fly or modify existing files.") '(#:phases (modify-phases %standard-phases (add-after 'unpack 'set-env - (lambda _ (setenv "PERL_USE_UNSAFE_INC" "1")))))) + (lambda _ (setenv "PERL_USE_UNSAFE_INC" "1") #t))))) (native-inputs `(("perl-module-build" ,perl-module-build))) (propagated-inputs diff --git a/gnu/packages/markup.scm b/gnu/packages/markup.scm index cdcfbc7898..20da258029 100644 --- a/gnu/packages/markup.scm 
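Review bot: The `perl-gd-securityimage` phase `(setenv "PERL_USE_UNSAFE_INC" "1")` re-enables the current directory in Perl's `@INC` for the build and the hunk gives no reason for it; a short comment would both explain it and make clear it is build-only, e.g. `;; The build scripts still expect "." in @INC; this affects only the build environment, not the installed module.`. The same unexplained `setenv` is repeated verbatim for `perl-test2-bundle-extended` and `perl-encode-hanextra` later in this commit, so the comment belongs in each place (or the three could share one helper phase). The `modify-phases` form this `add-after` sits in begins outside the hunk.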
+++ b/gnu/packages/markup.scm @@ -173,7 +173,8 @@ convert it to structurally valid XHTML (or HTML).") (string-append "OTHERLDFLAGS = -lmarkdown -Wl,-rpath=" (assoc-ref inputs "discount") - "/lib")))))))) + "/lib"))) + #t))))) (inputs `(("discount" ,discount))) (home-page diff --git a/gnu/packages/perl-check.scm b/gnu/packages/perl-check.scm index 98b4e392c7..d0abb39254 100644 --- a/gnu/packages/perl-check.scm +++ b/gnu/packages/perl-check.scm @@ -82,7 +82,7 @@ lexically, just dynamically.") '(#:phases (modify-phases %standard-phases (add-after 'unpack 'set-env - (lambda _ (setenv "PERL_USE_UNSAFE_INC" "1")))))) + (lambda _ (setenv "PERL_USE_UNSAFE_INC" "1") #t))))) (propagated-inputs `(("perl-importer" ,perl-importer) ("perl-term-table" ,perl-term-table) diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index d6ea360b8e..8c854e88df 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -2877,7 +2877,8 @@ interface for the RFC 2104 HMAC mechanism.") (add-after 'build 'set-permissions (lambda _ ;; Make MD5.so read-write so it can be stripped. - (chmod "blib/arch/auto/Digest/MD5/MD5.so" #o755)))))) + (chmod "blib/arch/auto/Digest/MD5/MD5.so" #o755) + #t))))) (home-page "https://metacpan.org/release/Digest-MD5") (synopsis "Perl interface to the MD-5 algorithm") (description @@ -3003,7 +3004,7 @@ also known as JIS 2000.") '(#:phases (modify-phases %standard-phases (add-after 'unpack 'set-env - (lambda _ (setenv "PERL_USE_UNSAFE_INC" "1")))))) + (lambda _ (setenv "PERL_USE_UNSAFE_INC" "1") #t))))) (home-page "https://metacpan.org/release/Encode-HanExtra") (synopsis "Additional Chinese encodings") (description "This Perl module provides Chinese encodings that are not 
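Review bot: In the `perl-digest-md5` hunk the comment above the `chmod` says MD5.so is made "read-write", but `#o755` grants the owner read, write and execute and everyone else read and execute, so the comment understates what the mode does; reword it as `;; Make MD5.so writable by its owner so the 'strip' phase can modify it.`. The added `#t` is correct for the phase contract, but with `chmod` returning unspecified on success the explicit `#t` is the only thing keeping the phase from being reported as failed, which the comment could also mention. The enclosing `modify-phases` form begins outside the hunk.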
@@ -4278,7 +4279,8 @@ run interactively. It also has an option to capture output/error buffers.") (lambda _ ;; This test fails, and we're not really interested in ;; it, so disable it. - (delete-file "t/win32_compile.t")))))) + (delete-file "t/win32_compile.t") + #t))))) (home-page "https://metacpan.org/release/IPC-Run") (synopsis "Run system() and background procs w/ piping, redirs, ptys") (description "IPC::Run allows you run and interact with child processes @@ -6867,7 +6869,8 @@ directory specifications in a cross-platform manner.") (substitute* "Cwd.pm" (("'/bin/pwd'") (string-append "'" (assoc-ref inputs "coreutils") - "/bin/pwd'")))))))) + "/bin/pwd'"))) + #t))))) (inputs `(("coreutils" ,coreutils))) (home-page "https://metacpan.org/release/PathTools") diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index 1cd789b802..713342658b 100644 --- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -227,7 +227,8 @@ MTP, and much more.") (pm (find-files out "^ExifTool\\.pm$")) (lib (dirname (dirname (car pm))))) (wrap-program (string-append out "/bin/exiftool") - `("PERL5LIB" prefix (,lib))))))))) + `("PERL5LIB" prefix (,lib))) + #t)))))) (home-page "https://metacpan.org/release/Image-ExifTool") (synopsis "Program and Perl library to manipulate EXIF and other metadata") (description "This package provides the @code{exiftool} command and the -- cgit v1.2.3