* [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes CVE-2016-{8677, 8862}].
@ 2016-10-25 20:12 Kei Kebreau
2016-10-26 1:42 ` Leo Famulari
0 siblings, 1 reply; 3+ messages in thread
From: Kei Kebreau @ 2016-10-25 20:12 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 231 bytes --]
See:
https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c
and
https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/.
[-- Attachment #1.2: 0001-gnu-imagemagick-Update-to-7.0.3-4-Fixes-CVE-2016-867.patch --]
[-- Type: text/plain, Size: 1245 bytes --]
From 82f792a33f55e6514d3d4f8285e9be3b8c6e161a Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Tue, 25 Oct 2016 16:03:26 -0400
Subject: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes
CVE-2016-{8677,8862}].
* gnu/packages/imagemagick.scm (imagemagick): Update to 7.0.3-4.
---
gnu/packages/imagemagick.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 4c3c636..0a95920 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -43,14 +43,14 @@
(define-public imagemagick
(package
(name "imagemagick")
- (version "6.9.6-2")
+ (version "7.0.3-4")
(source (origin
(method url-fetch)
(uri (string-append "mirror://imagemagick/ImageMagick-"
version ".tar.xz"))
(sha256
(base32
- "139h9lycxw3lszn052m34xm0rqyanin4nb529vxjcrkkzqilh91r"))))
+ "1jj7w9cg9qim0ib880mb4mxhd007045h721hm6318ayyfx0g18c6"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
--
2.10.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes CVE-2016-{8677, 8862}].
2016-10-25 20:12 [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes CVE-2016-{8677, 8862}] Kei Kebreau
@ 2016-10-26 1:42 ` Leo Famulari
2016-10-26 3:13 ` Kei Kebreau
0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2016-10-26 1:42 UTC (permalink / raw)
To: Kei Kebreau; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1152 bytes --]
On Tue, Oct 25, 2016 at 04:12:50PM -0400, Kei Kebreau wrote:
> From 82f792a33f55e6514d3d4f8285e9be3b8c6e161a Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Tue, 25 Oct 2016 16:03:26 -0400
> Subject: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes
> CVE-2016-{8677,8862}].
>
> * gnu/packages/imagemagick.scm (imagemagick): Update to 7.0.3-4.
So far, we've packaged ImageMagick 6, which is still maintained.
Apparently the API changed in 7. I don't know the status of adoption of
the new version.
> See:
> https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c
On the ImageMagick-6 branch, this was fixed in
524349d2b3fed7fa0e53de2c908458474eb24418 and released as 6.9.5-10.
http://git.imagemagick.org/repos/ImageMagick/commit/524349d2b3fed7fa0e53de2c908458474eb24418
> and
> https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/.
I don't see this fix on the 6 branch, but a similar change was made
earlier in 3c9533980a9476caa649de3b248dfefd3f182866 and released in
6.9.4-0.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes CVE-2016-{8677, 8862}].
2016-10-26 1:42 ` Leo Famulari
@ 2016-10-26 3:13 ` Kei Kebreau
0 siblings, 0 replies; 3+ messages in thread
From: Kei Kebreau @ 2016-10-26 3:13 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1278 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Tue, Oct 25, 2016 at 04:12:50PM -0400, Kei Kebreau wrote:
>> From 82f792a33f55e6514d3d4f8285e9be3b8c6e161a Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Tue, 25 Oct 2016 16:03:26 -0400
>> Subject: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes
>> CVE-2016-{8677,8862}].
>>
>> * gnu/packages/imagemagick.scm (imagemagick): Update to 7.0.3-4.
>
> So far, we've packaged ImageMagick 6, which is still maintained.
> Apparently the API changed in 7. I don't know the status of adoption of
> the new version.
>
>> See:
>> https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c
>
> On the ImageMagick-6 branch, this was fixed in
> 524349d2b3fed7fa0e53de2c908458474eb24418 and released as 6.9.5-10.
>
> http://git.imagemagick.org/repos/ImageMagick/commit/524349d2b3fed7fa0e53de2c908458474eb24418
>
>> and
>> https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/.
>
> I don't see this fix on the 6 branch, but a similar change was made
> earlier in 3c9533980a9476caa649de3b248dfefd3f182866 and released in
> 6.9.4-0.
Well, I guess we were fine to begin with!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-10-26 3:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-25 20:12 [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes CVE-2016-{8677, 8862}] Kei Kebreau
2016-10-26 1:42 ` Leo Famulari
2016-10-26 3:13 ` Kei Kebreau
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).