From: Mark H Weaver
To: guix-devel@gnu.org
Subject: [PATCHES] ImageMagick security updates without grafting
Date: Sat, 27 Mar 2021 09:09:27 -0400
Message-ID: <878s68zqsd.fsf@netris.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
List-Id: "Development of GNU Guix and the GNU System distribution."
--=-=-=
Content-Type: text/plain

Hello Guix,

Here's a proposed patch set that will henceforth enable us to freely update ImageMagick (and dblatex, and gtk-doc) on our 'master' branch without grafts.

This is done by adding variables 'imagemagick/stable', 'dblatex/stable', and 'gtk-doc/stable', which are then used as 'native-inputs' in selected packages.

The idea here is that the overwhelming majority of dependencies on 'imagemagick' are via references to 'gtk-doc' in the 'native-inputs' of GNOME libraries. The risk of running buggy imagemagick code within Guix build containers is presumably quite limited, and in any case, grafting is no better in this regard.

The last 3 commits of this series apply more bug fixes beyond what we currently have in 'master', including for CVE-2020-27829, as well as a few other recent upstream commits that look to me potentially security relevant.

Are there any comments or objections to this approach?

Mark

Note: I haven't yet fully tested these commits.

--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline; filename=0001-gnu-imagemagick-Remove-graft.patch
Content-Transfer-Encoding: quoted-printable
Content-Description: [PATCH 1/8] gnu: imagemagick: Remove graft

>From eaecf83224fdae115a533d03b6fe949794835d43 Mon Sep 17 00:00:00 2001
From: Mark H Weaver Date: Sat, 27 Mar 2021 07:07:32 -0400 Subject: [PATCH 1/8] gnu: imagemagick: Remove graft. Note that this commit does *not* integrate the fixes that were previously applied via the graft. This commit simply discards those fixes. We will address those security flaws, without grafting, in subsequent commits. * gnu/packages/imagemagick.scm (imagemagick)[replacement]: Remove field. (imagemagick/fixed): Remove variable. --- gnu/packages/imagemagick.scm | 40 ------------------------------------ 1 file changed, 40 deletions(-) diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index a3562f2e13..cc5f1de4bf 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -51,7 +51,6 @@ ;; maintained. Don't update to 7 until we've made sure that the ImageM= agick ;; users are ready for the 7-series API. (version "6.9.11-48") - (replacement imagemagick/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://imagemagick/ImageMagick-" 
@@ -128,45 +127,6 @@ transform images, adjust image colors, apply various s= pecial effects, or draw text, lines, polygons, ellipses and B=C3=A9zier curves.") (license (license:fsf-free "http://www.imagemagick.org/script/license.= php")))) =20 -(define-public imagemagick/fixed - (package - (inherit imagemagick) - (name "imagemagick") - ;; 'g' for 'guix', appended character to retain version length so graf= ting - ;; works properly. - (version "6.9.12-2g") - (source (origin - (method url-fetch) - (uri (string-append "mirror://imagemagick/ImageMagick-" - ;; Hardcode the version here since we ha= d to - ;; change it above. - "6.9.12-2.tar.xz")) - (sha256 - (base32 - "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa")))) - (arguments - (substitute-keyword-arguments (package-arguments imagemagick) - ((#:phases phases) - `(modify-phases ,phases - (add-after 'install 'fix-compat-cheat-rename-so - (lambda* (#:key outputs #:allow-other-keys) - (with-directory-excursion - (string-append (assoc-ref outputs "out") - "/lib") - (symlink "libMagick++-6.Q16.so.9.0.0" - "libMagick++-6.Q16.so.8.0.0") - (symlink "libMagick++-6.Q16.so.9" - "libMagick++-6.Q16.so.8") - (symlink "libMagickCore-6.Q16.so.7.0.0" - "libMagickCore-6.Q16.so.6.0.0") - (symlink "libMagickCore-6.Q16.so.7" - "libMagickCore-6.Q16.so.6") - (symlink "libMagickWand-6.Q16.so.7.0.0" - "libMagickWand-6.Q16.so.6.0.0") - (symlink "libMagickWand-6.Q16.so.7" - "libMagickWand-6.Q16.so.6")) - #t)))))))) - (define-public perl-image-magick (package (name "perl-image-magick") --=20 2.31.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0002-gnu-imagemagick-Add-imagemagick-stable-variant.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 2/8] gnu: imagemagick: Add 'imagemagick/stable' variant >From 370089473506c800cf3480f67a00860400fbed18 Mon Sep 17 00:00:00 2001 
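Review bot: in the first hunk of gnu/packages/imagemagick.scm (patch 1/8), dropping `(replacement imagemagick/fixed)` as a standalone commit leaves 'imagemagick' at 6.9.11-48 with neither the graft nor a newer release for every checkout between this commit and the later update, as the commit message itself says ("This commit simply discards those fixes"). Consider squashing the removal into the commit that updates 'imagemagick', or stating in the log that the series must be pushed as one unit, so that no commit on 'master' and no `git bisect` step builds the unfixed version. The second hunk also deletes the 'fix-compat-cheat-rename-so' symlinks for the older .so names; the commit message could say whether anything still depends on those names once dependents are rebuilt rather than grafted.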
From: Mark H Weaver Date: Sat, 27 Mar 2021 07:16:23 -0400 Subject: [PATCH 2/8] gnu: imagemagick: Add 'imagemagick/stable' variant. * gnu/packages/imagemagick.scm (imagemagick/stable): New variable. (imagemagick): This is now an alias to 'imagemagick/stable'. --- gnu/packages/imagemagick.scm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index cc5f1de4bf..6d4649fbac 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -44,7 +44,7 @@ #:use-module (gnu packages xml) #:use-module (gnu packages xorg)) =20 -(define-public imagemagick +(define-public imagemagick/stable (package (name "imagemagick") ;; The 7 release series has an incompatible API, while the 6 series is= still @@ -127,6 +127,9 @@ transform images, adjust image colors, apply various sp= ecial effects, or draw text, lines, polygons, ellipses and B=C3=A9zier curves.") (license (license:fsf-free "http://www.imagemagick.org/script/license.= php")))) =20 +(define-public imagemagick + imagemagick/stable) + (define-public perl-image-magick (package (name "perl-image-magick") --=20 2.31.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0003-gnu-dblatex-Add-dblatex-stable-variant.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 3/8] gnu: dblatex: Add 'dblatex/stable' variant >From 8a251cdb8e730c364d79fc6f2fba21bafc82302a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 27 Mar 2021 07:27:25 -0400 Subject: [PATCH 3/8] gnu: dblatex: Add 'dblatex/stable' variant. * gnu/packages/docbook.scm (dblatex/stable): New variable. --- gnu/packages/docbook.scm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm index 012e86f6a5..9b2c70014d 100644 --- a/gnu/packages/docbook.scm +++ b/gnu/packages/docbook.scm 
@@ -5,6 +5,7 @@ ;;; Copyright =C2=A9 2018 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2020 Marius Bakke ;;; Copyright =C2=A9 2021 Maxim Cournoyer +;;; Copyright =C2=A9 2021 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; @@ -33,6 +34,7 @@ #:use-module (guix licenses) #:use-module (guix packages) #:use-module (guix download) + #:use-module ((guix build utils) #:select (alist-replace)) #:use-module (guix build-system trivial) #:use-module (guix build-system python)) =20 @@ -460,3 +462,8 @@ process. MathML 2.0 markups are supported too. It sta= rted as a clone of DB2LaTeX.") ;; lib/contrib/which is under an X11 license (license gpl2+))) + +(define-public dblatex/stable + (package/inherit dblatex + (inputs (alist-replace "imagemagick" `(,imagemagick/stable) + (package-inputs dblatex))))) --=20 2.31.0 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0004-gnu-gtk-doc-Add-gtk-doc-stable-variant.patch Content-Description: [PATCH 4/8] gnu: gtk-doc: Add 'gtk-doc/stable' variant >From 9de91519a64c3a2fadd8a9730d6fb032d764885b Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 27 Mar 2021 07:28:58 -0400 Subject: [PATCH 4/8] gnu: gtk-doc: Add 'gtk-doc/stable' variant. * gnu/packages/gtk.scm (gtk-doc/stable): New variable. --- gnu/packages/gtk.scm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index cf9116214c..0cd1391fa2 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -48,6 +48,7 @@ #:use-module (guix packages) #:use-module (guix download) #:use-module (guix git-download) + #:use-module ((guix build utils) #:select (alist-replace)) #:use-module (guix build-system glib-or-gtk) #:use-module (guix build-system gnu) #:use-module (guix build-system meson) 
@@ -1829,6 +1830,11 @@ typically used to document the public API of GTK+ and GNOME libraries, but it can also be used to document application code.") (license license:gpl2+))) +(define-public gtk-doc/stable + (package/inherit gtk-doc + (inputs (alist-replace "dblatex" `(,dblatex/stable) + (package-inputs gtk-doc))))) + (define-public gtk-engines (package (name "gtk-engines") -- 2.31.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0005-gnu-Use-gtk-doc-stable-in-native-inputs-of-selected-.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 5/8] gnu: Use 'gtk-doc/stable' in native-inputs of selected packages >From 941bcda1cb65d89974ebc775666a6bd432964a78 Mon Sep 17 00:00:00 2001 
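Review bot: `gtk-doc/stable` in the gnu/packages/gtk.scm hunk (patch 4/8), and likewise `dblatex/stable` in patch 3/8, is built with `package/inherit` and overrides only `inputs`, so it is exported with the same name and version as the package it inherits from. Two public packages with identical name and version make a command-line spec such as "gtk-doc" ambiguous. Consider wrapping both variants in `hidden-package`, and add a comment above each definition saying that it exists only for use in 'native-inputs', so that ImageMagick updates do not force rebuilds of the dependents.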
From: Mark H Weaver Date: Sat, 27 Mar 2021 07:34:35 -0400 Subject: [PATCH 5/8] gnu: Use 'gtk-doc/stable' in native-inputs of selected packages. * gnu/packages/calendar.scm (libical), gnu/packages/check.scm (umockdev), gnu/packages/fontutils.scm (libraqm), gnu/packages/freedesktop.scm (appstream, farstream, libglib-testing) (udisks, libfprint, libportal), gnu/packages/geo.scm (memphis, osm-gps-map), gnu/packages/glib.scm (template-glib), gnu/packages/gnome.scm (gupnp-igd, libcloudproviders, libgrss, seed) (gtx, dee, zeitgeist, phodav, gssdp, gupnp, gupnp-dlna, gupnp-av, rygel) (libnma, gdl, libnotify, vte-ng, dconf, libxklavier, libsoup, colord) (geoclue, geocode-glib, amtk, grilo, gvfs, gusb, network-manager) (network-manager-applet, gfbgraph, libunique, cheese, libhandy) (gnome-latex, libgda), gnu/packages/gstreamer.scm (orc), gnu/packages/gtk.scm (at-spi2-core, goocanvas), gnu/packages/language.scm (nimf), gnu/packages/networking.scm (libnice), gnu/packages/video.scm (schroedinger), gnu/packages/virtualization.scm (libosinfo), gnu/packages/webkit.scm (wpewebkit, webkitgtk), gnu/packages/xml.scm (libxmlb)[native-inputs]: Replace 'gtk-doc' with 'gtk-doc/stable'. --- gnu/packages/calendar.scm | 2 +- gnu/packages/check.scm | 2 +- gnu/packages/fontutils.scm | 2 +- gnu/packages/freedesktop.scm | 12 +++--- gnu/packages/geo.scm | 4 +- gnu/packages/glib.scm | 2 +- gnu/packages/gnome.scm | 70 ++++++++++++++++----------------- gnu/packages/gstreamer.scm | 2 +- gnu/packages/gtk.scm | 4 +- gnu/packages/language.scm | 2 +- gnu/packages/networking.scm | 2 +- gnu/packages/video.scm | 2 +- gnu/packages/virtualization.scm | 2 +- gnu/packages/webkit.scm | 4 +- gnu/packages/xml.scm | 2 +- 15 files changed, 57 insertions(+), 57 deletions(-) diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm index 4e1e4f05b6..d473900ac5 100644 --- a/gnu/packages/calendar.scm +++ b/gnu/packages/calendar.scm 
@@ -156,7 +156,7 @@ the library for handling time zones and leap sec= onds.") (native-inputs `(("docbook-xml" ,docbook-xml-4.3) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("perl" ,perl) ("pkg-config" ,pkg-config) ("vala" ,vala))) diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm index 21514d1bc4..a1e44ad81f 100644 --- a/gnu/packages/check.scm +++ b/gnu/packages/check.scm @@ -2732,7 +2732,7 @@ provides a simple way to achieve this.") (native-inputs `(("vala" ,vala) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) =20 ;; For tests. diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index a4c92f5bea..1d9c81b8a6 100644 --- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm @@ -965,7 +965,7 @@ Unicode Charts. It was developed for use with DejaVu F= onts project.") (arguments `(#:configure-flags (list "--disable-static"))) (native-inputs - `(("gtk-doc" ,gtk-doc) + `(("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("python" ,python-wrapper))) (inputs diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm index 4105dd7ca0..a9e96c9928 100644 --- a/gnu/packages/freedesktop.scm +++ b/gnu/packages/freedesktop.scm @@ -173,7 +173,7 @@ ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) ("gperf" ,gperf) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) ("xsltproc" ,libxslt))) @@ -261,7 +261,7 @@ application-centers for distributions.") ("docbook-xml" ,docbook-xml-4.1.2) ("docbook-xsl" ,docbook-xsl) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("libtool" ,libtool) ("perl" ,perl) ("pkg-config" ,pkg-config) 
@@ -313,7 +313,7 @@ for videoconferencing.") `(("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) ("pkg-config" ,pkg-config) - ("gtk-doc" ,gtk-doc))) + ("gtk-doc" ,gtk-doc/stable))) (inputs `(("dbus" ,dbus) ("glib" ,glib))) @@ -1202,7 +1202,7 @@ Analysis and Reporting Technology) functionality.") ("glib:bin" ,glib "bin") ; for glib-mkenums ("gnome-common" ,gnome-common) ; TODO: Why is this needed? ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("pkg-config" ,pkg-config) ("xsltproc" ,libxslt))) @@ -1598,7 +1598,7 @@ wish to perform colour calibration.") `(("eudev" ,eudev) ("glib:bin" ,glib "bin") ; for {glib-,}mkenums ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) ; for 88 KiB of API documentation + ("gtk-doc" ,gtk-doc/stable) ; for 88 KiB of API documen= tation ("pkg-config" ,pkg-config))) (inputs `(("glib" ,glib) @@ -2197,7 +2197,7 @@ fallback to generic Systray support if none of those = are available.") #t)))))) (native-inputs `(("pkg-config" ,pkg-config) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("docbook-xsl" ,docbook-xsl) ("docbook-xml" ,docbook-xml) ("libxml2" ,libxml2) diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm index c988d6b114..97fa83b86b 100644 --- a/gnu/packages/geo.scm +++ b/gnu/packages/geo.scm @@ -151,7 +151,7 @@ ("automake" ,automake) ("docbook-xml" ,docbook-xml-4.3) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("libtool" ,libtool) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) @@ -1138,7 +1138,7 @@ OpenStreetMap data files.") (build-system gnu-build-system) (native-inputs `(("gnome-common" ,gnome-common) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (inputs `(("cairo" ,cairo) diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 9c3cd75624..c04bd334e9 100644 --- a/gnu/packages/glib.scm 
+++ b/gnu/packages/glib.scm @@ -1165,7 +1165,7 @@ other API remains the same.") `(("bison" ,bison) ("flex" ,flex) ("glib:bin" ,glib "bin") ;; For glib-mkenums - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (home-page "https://gitlab.gnome.org/GNOME/template-glib") diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 7607db27f1..ce8a5e8f02 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -263,7 +263,7 @@ ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) ("gsettings-desktop-schemas" ,gsettings-desktop-schemas) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (propagated-inputs `(("glib" ,glib) @@ -366,7 +366,7 @@ features to enable users to create their discs easily a= nd quickly.") (native-inputs `(("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (inputs @@ -415,7 +415,7 @@ services.") (native-inputs `(("docbook-xml" ,docbook-xml-4.1.2) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (propagated-inputs `(("glib" ,glib) @@ -512,7 +512,7 @@ bindings.") ("docbook-xml" ,docbook-xml-4.1.2) ("gettext" ,gettext-minimal) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("libtool" ,libtool) ("pkg-config" ,pkg-config))) @@ -622,7 +622,7 @@ It is written in C using GObject and libsoup.") "/share/gtk-doc/html")))) (native-inputs `(("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (propagated-inputs `(("glib" ,glib))) 
@@ -692,7 +692,7 @@ of writing test cases for asynchronous interactions.") ("dbus-test-runner" ,dbus-test-runner) ("docbook-xml" ,docbook-xml-4.3) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ;; Would only be required by configure flag "--enable-extended-test= s". ;("gtx" ,gtx) ("pkg-config" ,pkg-config) @@ -768,7 +768,7 @@ of known objects without needing a central registrar.") ("docbook-xml" ,docbook-xml-4.3) ("gettext" ,gettext-minimal) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("libtool" ,libtool) ("pkg-config" ,pkg-config) ("vala" ,vala) @@ -1177,7 +1177,7 @@ Library reference documentation.") `(("docbook-xml" ,docbook-xml-4.3) ("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (inputs `(("avahi" ,avahi) @@ -1295,7 +1295,7 @@ It has miners for Facebook, Flickr, Google, ownCloud = and SkyDrive.") `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (inputs @@ -1326,7 +1326,7 @@ a debugging tool, @command{gssdp-device-sniffer}.") `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (inputs @@ -1357,7 +1357,7 @@ for creating UPnP devices and control points, written= in C using `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("libxml" ,libxml2) ("pkg-config" ,pkg-config) ("vala" ,vala))) 
@@ -1391,7 +1391,7 @@ given profile, etc. DLNA is a subset of UPnP A/V.") `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("libxml" ,libxml2) ("pkg-config" ,pkg-config))) (inputs @@ -1607,7 +1607,7 @@ preview files on the GNOME desktop.") (native-inputs `(("gettext" ,gettext-minimal) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (inputs @@ -1669,7 +1669,7 @@ client devices can handle.") `(("docbook-xml" ,docbook-xml-4.3) ("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("gobject-introspection" ,gobject-introspection) ("pkg-config" ,pkg-config) ("vala" ,vala))) @@ -2417,7 +2417,7 @@ GNOME Desktop.") ("automake" ,automake) ("glib" ,glib "bin") ; for glib-genmarshal, etc. ("gnome-common" ,gnome-common) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("pkg-config" ,pkg-config) ("libtool" ,libtool) @@ -3057,7 +3057,7 @@ configuring CUPS.") ("gobject-introspection" ,gobject-introspection) =20 ;; For the documentation. - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("xsltproc" ,libxslt) ("docbook-xsl" ,docbook-xsl))) (home-page "https://developer-next.gnome.org/libnotify/") @@ -4503,7 +4503,7 @@ editors, IDEs, etc.") "0rnm5c6m3abbm81jsfdas0y80z299ny54gr4syn4bfrms3s4g19l")))) (build-system meson-build-system) (native-inputs - `(("gtk-doc" ,gtk-doc) + `(("gtk-doc" ,gtk-doc/stable) ,@(package-native-inputs vte))) (arguments `(#:configure-flags '("-Ddocs=3Dtrue"))) @@ -4621,7 +4621,7 @@ and RDP protocols.") ("docbook-xml" ,docbook-xml-4.2) ("docbook-xsl" ,docbook-xsl) ("glib:bin" ,glib "bin") - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (arguments 
@@ -4689,7 +4689,7 @@ and objects.") `(("glib:bin" ,glib "bin") ; for glib-mkenums, etc. ("gobject-introspection" ,gobject-introspection) ("pkg-config" ,pkg-config) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("which" ,which) ("autoconf" ,autoconf) @@ -4912,7 +4912,7 @@ libxml to ease remote use of the RESTful API.") `(("docbook-xml" ,docbook-xml-4.1.2) ("glib:bin" ,glib "bin") ; for glib-mkenums ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) @@ -5279,7 +5279,7 @@ keyboard shortcuts.") `(("glib:bin" ,glib "bin") ; for glib-compile-resources, etc. ("gettext" ,gettext-minimal) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("vala" ,vala))) (propagated-inputs @@ -5324,7 +5324,7 @@ output devices.") ("gobject-introspection" ,gobject-introspection) ("modem-manager" ,modem-manager) ("libnotify" ,libnotify) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool))) (inputs `(("avahi" ,avahi) @@ -5369,7 +5369,7 @@ permission from user.") ("glibc-locales" ,glibc-locales) ; for tests ("gettext" ,gettext-minimal) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("json-glib" ,json-glib))) (propagated-inputs @@ -5675,7 +5675,7 @@ which are easy to play with the aid of a mouse.") (native-inputs `(("gobject-introspection" ,gobject-introspection) ("glib:bin" ,glib "bin") ; for glib-mkenums - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (inputs `(("glib" ,glib) @@ -6092,7 +6092,7 @@ as possible!") ("intltool" ,intltool) ("pkg-config" ,pkg-config) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("vala" ,vala))) (inputs `(("cyrus-sasl" ,cyrus-sasl) 
@@ -6526,7 +6526,7 @@ part of udev-extras, then udev, then systemd. It's n= ow a project on its own.") (native-inputs `(("glib:bin" ,glib "bin") ; for glib-genmarshal, etc. ("gettext" ,gettext-minimal) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("xsltproc" ,libxslt))) (inputs @@ -6591,7 +6591,7 @@ DAV, and others.") `(("gobject-introspection" ,gobject-introspection) ("pkg-config" ,pkg-config) ("vala" ,vala) - ("gtk-doc" ,gtk-doc))) + ("gtk-doc" ,gtk-doc/stable))) (propagated-inputs ;; Both of these are required by gusb.pc. `(("glib" ,glib) @@ -7795,7 +7795,7 @@ users.") `(("glib" ,glib))) (native-inputs `(("glib:bin" ,glib "bin") ; for gdbus-codegen - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("gobject-introspection" ,gobject-introspection) ("docbook-xml" ,docbook-xml) ("docbook-xsl" ,docbook-xsl) @@ -8052,7 +8052,7 @@ Cisco's AnyConnect SSL VPN.") `(("intltool" ,intltool) ("glib:bin" ,glib "bin") ; for glib-compile-resources, etc. ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (propagated-inputs ;; libnm-gtk.pc refers to all these. @@ -9800,7 +9800,7 @@ compiled.") "--enable-introspection"))) (native-inputs `(("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) =20 ;; The 0.2.4 =E2=80=98release=E2=80=99 tarball isn't bootstrapped. @@ -9872,7 +9872,7 @@ environment, which can notably display keyboard layou= ts.") `(("pkg-config" ,pkg-config) ("gobject-introspection" ,gobject-introspection) ("glib:bin" ,glib "bin") - ("gtk-doc" ,gtk-doc))) + ("gtk-doc" ,gtk-doc/stable))) (propagated-inputs ;; Referred to in .h files and .pc. `(("gtk+" ,gtk+))) 
@@ -10457,7 +10457,7 @@ photo-booth-like software, such as Cheese.") ("docbook-xml" ,docbook-xml-4.3) ("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("itstool" ,itstool) ("libxml2" ,libxml2) ("libxslt" ,libxslt) @@ -10996,7 +10996,7 @@ tabs, and it supports drag and drop re-ordering of = terminals.") `(("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) ; for g-ir-scanner ("vala" ,vala) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("gettext" ,gettext-minimal) =20 @@ -11531,7 +11531,7 @@ card sheets that you=E2=80=99ll find at most office= supply stores.") `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("itstool" ,itstool) ("pkg-config" ,pkg-config) @@ -12123,7 +12123,7 @@ developed with the aim of being used with the Libre= m 5 phone.") ("glib:bin" ,glib "bin") ("gnome-common" ,gnome-common) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("libtool" ,libtool) ("pkg-config" ,pkg-config) diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index 1c7ba98a86..6a4e14167d 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -384,7 +384,7 @@ http://www.tux.org/~ricdude/overview.html") "if (error) return 77;")) #t))))) (native-inputs - `(("gtk-doc" ,gtk-doc))) + `(("gtk-doc" ,gtk-doc/stable))) (home-page "https://gstreamer.freedesktop.org/modules/orc.html") (synopsis "Oil runtime compiler") (description diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 0cd1391fa2..fdc946ca20 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm 
@@ -723,7 +723,7 @@ in the GNOME project.") (native-inputs `(("gettext" ,gettext-minimal) ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("glib" ,glib "bin") ("pkg-config" ,pkg-config))) (synopsis "Assistive Technology Service Provider Interface, core compon= ents") @@ -2241,7 +2241,7 @@ popovers.") `(("gettext" ,gettext-minimal) ("glib-bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config) ("python" ,python))) (inputs diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm index d4b9b8d4cb..5325445a24 100644 --- a/gnu/packages/language.scm +++ b/gnu/packages/language.scm @@ -170,7 +170,7 @@ ("gobject-introspection" ,gobject-introspection) ("gtk+-2:bin" ,gtk+-2 "bin") ("gtk+:bin" ,gtk+ "bin") - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("intltool" ,intltool) ("libtool" ,libtool) ("perl" ,perl) diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index ea3e3f67e7..ecc6f57f4e 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -302,7 +302,7 @@ Android, and ChromeOS.") (native-inputs `(("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (inputs `(("gstreamer" ,gstreamer) diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index a17708c7dd..4853884d05 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -381,7 +381,7 @@ video decode, encode and filtering on Intel's Gen graph= ics hardware platforms.") #t)))))) (native-inputs `(("dash" ,dash) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (inputs `(("glew" ,glew) diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.= scm index fabac5b984..96347adf7c 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm 
@@ -984,7 +984,7 @@ Debian or a derivative using @command{debootstrap}.") (native-inputs `(("glib" ,glib "bin") ; glib-mkenums, etc. ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("vala" ,vala) ("intltool" ,intltool) ("pkg-config" ,pkg-config) diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index 89eee74def..d8378354bd 100644 --- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm @@ -174,7 +174,7 @@ engine that uses Wayland for graphics output.") ("docbook-xsl" ,docbook-xsl) ("glib:bin" ,glib "bin") ("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("perl" ,perl) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) @@ -301,7 +301,7 @@ acceleration in mind, leveraging common 3D graphics API= s for best performance.") ("perl" ,perl) ("pkg-config" ,pkg-config) ("python" ,python-wrapper) - ("gtk-doc" ,gtk-doc) ; For documentation generation + ("gtk-doc" ,gtk-doc/stable) ; For documentation generation ("docbook-xml" ,docbook-xml) ; For documentation generation ("ruby" ,ruby))) (propagated-inputs diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index d05d326f5b..defc0323e6 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -99,7 +99,7 @@ `(#:glib-or-gtk? #t)) (native-inputs `(("gobject-introspection" ,gobject-introspection) - ("gtk-doc" ,gtk-doc) + ("gtk-doc" ,gtk-doc/stable) ("pkg-config" ,pkg-config))) (inputs `(("appstream-glib" ,appstream-glib) --=20 2.31.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0006-gnu-imagemagick-Update-to-6.9.12-4.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 6/8] gnu: imagemagick: Update to 6.9.12-4 >From 5f144be02171e93613184793e254a25c674e232e Mon Sep 17 00:00:00 2001 
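Review bot: every hunk in patch 5/8 only swaps `,gtk-doc` for `,gtk-doc/stable` inside a 'native-inputs' list, and nothing in the patch checks that the built outputs keep no store reference to 'gtk-doc/stable' or, through it, to the frozen 'imagemagick/stable'. Listing an input under 'native-inputs' does not by itself prevent a retained reference, and a retained reference would put the un-updated ImageMagick into users' closures, a case the cover letter's build-container argument does not cover. Please confirm with `guix gc --references` or `guix size` on a sample of the touched packages, and consider `#:disallowed-references` for the widely used ones (webkitgtk, libsoup, network-manager) where the build system supports it. In the vte-ng hunk the new entry is followed by `,@(package-native-inputs vte)`; if vte's own native inputs carry a "gtk-doc" entry, the two would point at different packages, so vte may need the same change.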
From: Mark H Weaver Date: Sat, 27 Mar 2021 07:48:37 -0400 Subject: [PATCH 6/8] gnu: imagemagick: Update to 6.9.12-4. * gnu/packages/imagemagick.scm (imagemagick): Update to 6.9.12-4. --- gnu/packages/imagemagick.scm | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 6d4649fbac..4200ed1daf 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -3,7 +3,7 @@ ;;; Copyright =C2=A9 2015 Eric Bavier ;;; Copyright =C2=A9 2015 Ricardo Wurmus ;;; Copyright =C2=A9 2016 Leo Famulari -;;; Copyright =C2=A9 2016 Mark H Weaver +;;; Copyright =C2=A9 2016, 2021 Mark H Weaver ;;; Copyright =C2=A9 2017 Efraim Flashner ;;; Copyright =C2=A9 2018, 2019 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2018 Alex Vong @@ -128,7 +128,19 @@ text, lines, polygons, ellipses and B=C3=A9zier curves= .") (license (license:fsf-free "http://www.imagemagick.org/script/license.= php")))) =20 (define-public imagemagick - imagemagick/stable) + (package + (inherit imagemagick/stable) + ;; The 7 release series has an incompatible API, while the 6 series is= still + ;; maintained. Don't update to 7 until we've made sure that the ImageM= agick + ;; users are ready for the 7-series API. + (version "6.9.12-4") + (source (origin + (method url-fetch) + (uri (string-append "mirror://imagemagick/ImageMagick-" + version ".tar.xz")) + (sha256 + (base32 + "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))= )) =20 (define-public perl-image-magick (package --=20 2.31.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0007-gnu-imagemagick-Fix-CVE-2020-27829.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 7/8] gnu: imagemagick: Fix CVE-2020-27829 >From 986fa9c54db10e597f3b7d5db859e28b1c0f9317 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Sat, 27 Mar 2021 08:08:10 -0400 Subject: [PATCH 7/8] gnu: imagemagick: Fix CVE-2020-27829. * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/imagemagick.scm (source): Add patch. --- gnu/local.mk | 1 + gnu/packages/imagemagick.scm | 4 ++- .../patches/imagemagick-CVE-2020-27829.patch | 27 +++++++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0aec66414e..18799bac7f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1221,6 +1221,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ + %D%/packages/patches/imagemagick-CVE-2020-27829.patch \ %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 4200ed1daf..44598fbb73 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -140,7 +140,9 @@ text, lines, polygons, ellipses and B=C3=A9zier curves.= ") version ".tar.xz")) (sha256 (base32 - "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))= )) + "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b")) + (patches + (search-patches "imagemagick-CVE-2020-27829.patch")))))) =20 (define-public perl-image-magick (package diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/pa= ckages/patches/imagemagick-CVE-2020-27829.patch new file mode 100644 index 0000000000..b15c1d0879 --- /dev/null +++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch 
@@ -0,0 +1,27 @@ +We omit the ChangeLog changes below, since they do not apply cleanly. + + +From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 30 Nov 2020 16:26:59 +0000 +Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by + Hardik Shah) + +--- + ChangeLog | 6 ++++++ + coders/tiff.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index e98f927ab..1eecf17ae 100644 +--- a/coders/tiff.c ++++ b/coders/tiff.c +@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_i= nfo, + extent+=3Dimage->columns*sizeof(uint32); + #endif + strip_pixels=3D(unsigned char *) AcquireQuantumMemory(extent, +- sizeof(*strip_pixels)); ++ 2*sizeof(*strip_pixels)); + if (strip_pixels =3D=3D (unsigned char *) NULL) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); + (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels)); --=20 2.31.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0008-gnu-imagemagick-Add-more-upstream-fixes.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 8/8] gnu: imagemagick: Add more upstream fixes >From 66713ce145d4594f317d05ab1c89fcb051e9eb72 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Sat, 27 Mar 2021 07:01:10 -0400 Subject: [PATCH 8/8] gnu: imagemagick: Add more upstream fixes. * gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch, gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch, gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/imagemagick.scm (source): Add patches. --- gnu/local.mk | 3 ++ gnu/packages/imagemagick.scm | 5 ++- .../imagemagick-ReadDCMImage-fix.patch | 26 ++++++++++++++ .../imagemagick-ReadDCMPixels-fix.patch | 35 +++++++++++++++++++ .../imagemagick-WriteTHUMBNAILImage-fix.patch | 25 +++++++++++++ 5 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch create mode 100644 gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch create mode 100644 gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fi= x.patch diff --git a/gnu/local.mk b/gnu/local.mk index 18799bac7f..bea6b8a569 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1222,6 +1222,9 @@ dist_patch_DATA =3D \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ %D%/packages/patches/imagemagick-CVE-2020-27829.patch \ + %D%/packages/patches/imagemagick-ReadDCMImage-fix.patch \ + %D%/packages/patches/imagemagick-ReadDCMPixels-fix.patch \ + %D%/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch \ %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index 44598fbb73..f4cc488c43 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm 
@@ -142,7 +142,10 @@ text, lines, polygons, ellipses and B=C3=A9zier curves= .") (base32 "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b")) (patches - (search-patches "imagemagick-CVE-2020-27829.patch")))))) + (search-patches "imagemagick-ReadDCMImage-fix.patch" + "imagemagick-ReadDCMPixels-fix.patch" + "imagemagick-WriteTHUMBNAILImage-fix.patch" + "imagemagick-CVE-2020-27829.patch")))))) =20 (define-public perl-image-magick (package diff --git a/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch b/gnu/= packages/patches/imagemagick-ReadDCMImage-fix.patch new file mode 100644 index 0000000000..42ece43682 --- /dev/null +++ b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch @@ -0,0 +1,26 @@ +From 512668dfd92b20d0d08b91d62b422d8262573281 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Wed, 24 Mar 2021 20:37:15 +0100 +Subject: [PATCH] Throw exception when no exception was raised but status w= as + false (#3432). + +--- + coders/dcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/dcm.c b/coders/dcm.c +index 7a68ed6e8..ed17c9567 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -3989,6 +3989,8 @@ static Image *ReadDCMImage(const ImageInfo *image_in= fo,ExceptionInfo *exception) + if (redmap !=3D (int *) NULL) + redmap=3D(int *) RelinquishMagickMemory(redmap); + image=3DDestroyImageList(image); ++ if ((status =3D=3D MagickFalse) && (exception->severity < ErrorEx= ception)) ++ ThrowReaderException(CorruptImageError,"CorruptImage"); + return(GetFirstImageInList(images)); + } + if (info.depth !=3D (1UL*MAGICKCORE_QUANTUM_DEPTH)) +--=20 +2.31.0 + diff --git a/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch b/gnu= /packages/patches/imagemagick-ReadDCMPixels-fix.patch new file mode 100644 index 0000000000..a91999186b --- /dev/null +++ b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch 
@@ -0,0 +1,35 @@ +From c8f25953ad1dd38a8b2d92738f0f742ad7e0bce7 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 21 Mar 2021 21:21:15 -0400 +Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3D3= 2322 + +--- + coders/dcm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/coders/dcm.c b/coders/dcm.c +index 29eed9618..7a68ed6e8 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -2984,12 +2984,12 @@ static MagickBooleanType ReadDCMPixels(Image *imag= e,DCMInfo *info, + } + else + { +- SetPixelRed(q,(Quantum) (((ssize_t) pixel.red) | +- (((ssize_t) GetPixelRed(q)) << 8))); +- SetPixelGreen(q,(Quantum) (((ssize_t) pixel.green) | +- (((ssize_t) GetPixelGreen(q)) << 8))); +- SetPixelBlue(q,(Quantum) (((ssize_t) pixel.blue) | +- (((ssize_t) GetPixelBlue(q)) << 8))); ++ SetPixelRed(q,(Quantum) (((size_t) pixel.red) | ++ (((size_t) GetPixelRed(q)) << 8))); ++ SetPixelGreen(q,(Quantum) (((size_t) pixel.green) | ++ (((size_t) GetPixelGreen(q)) << 8))); ++ SetPixelBlue(q,(Quantum) (((size_t) pixel.blue) | ++ (((size_t) GetPixelBlue(q)) << 8))); + } + q++; + } +--=20 +2.31.0 + diff --git a/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch= b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch new file mode 100644 index 0000000000..f38a45b800 --- /dev/null +++ b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch 
@@ -0,0 +1,25 @@ +From 6a5d3575487487f2703383338bd17c8c25068f19 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 25 Mar 2021 08:58:18 -0400 +Subject: [PATCH] eliminate compiler warning + +--- + coders/thumbnail.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/thumbnail.c b/coders/thumbnail.c +index 3833341b0..1e2bfe8c2 100644 +--- a/coders/thumbnail.c ++++ b/coders/thumbnail.c +@@ -199,7 +199,7 @@ static MagickBooleanType WriteTHUMBNAILImage(const Ima= geInfo *image_info, + q++; + } + if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) || +- (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)= -q))) ++ ((ssize_t) length > (GetStringInfoDatum(profile)+GetStringInfoLengt= h(profile)-q))) + ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail"); + thumbnail_image=3DBlobToImage(image_info,q,length,&image->exception); + if (thumbnail_image =3D=3D (Image *) NULL) +--=20 +2.31.0 + --=20 2.31.0 --=-=-=--
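Review bot: In [PATCH 6/8], the gnu/packages/imagemagick.scm hunk at -128,7 stops `imagemagick` from being an alias of `imagemagick/stable` and makes it a separate package that inherits from it, but neither the added comment nor the commit log ("Update to 6.9.12-4") says so. The comment only covers the 6-series versus 7-series choice. Please add a sentence to the comment, and a line to the log, stating why the two definitions now differ and which one dependents are expected to reference, so that a later update does not quietly fold them back together.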
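Review bot: In [PATCH 7/8], the coders/tiff.c hunk carried in imagemagick-CVE-2020-27829.patch doubles the allocation to `2*sizeof(*strip_pixels)`, while the unchanged context line `(void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));` still clears only the first `extent` bytes, so the added half of the buffer starts out uninitialised. This is how upstream commit 6ee5059cd3ac ships the fix, so no local change to the C code is suggested, but the note at the top of the patch file should say that the hunk is taken unmodified from that commit. The same note says the ChangeLog changes are omitted, yet the diffstat kept below it still lists `ChangeLog | 6 ++++++` and "2 files changed"; drop the stale diffstat or mark it as upstream's original.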
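Review bot: In [PATCH 8/8], the gnu/packages/imagemagick.scm hunk at -142,7 lists "imagemagick-ReadDCMImage-fix.patch" before "imagemagick-ReadDCMPixels-fix.patch", which is the reverse of upstream order. The index lines show it: the ReadDCMPixels patch produces coders/dcm.c blob 7a68ed6e8 (`index 29eed9618..7a68ed6e8`), and that blob is the pre-image of the ReadDCMImage patch (`index 7a68ed6e8..ed17c9567`). The two hunks touch different regions of the file (around lines 2984 and 3989), so they should still apply, but listing them in upstream order in `search-patches` avoids depending on offset matching and makes a later rebase easier to follow.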
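Review bot: In [PATCH 8/8], the coders/dcm.c hunk at -2984,12 in imagemagick-ReadDCMPixels-fix.patch has no description of the defect: the subject is only an oss-fuzz URL, and the Guix patch file adds no header of its own. From the hunk, the change replaces `(ssize_t)` with `(size_t)` on the operands of `<< 8`, and left-shifting a negative signed value is undefined behaviour in C. Please add a short note at the top of the patch file naming the function (ReadDCMPixels) and the problem being fixed, so the reason for carrying it is clear without following the link.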
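Review bot: In [PATCH 8/8], the coders/thumbnail.c hunk at -199,7 casts `length` to `ssize_t` inside the bounds check, which can weaken that check if `length` is an unsigned type, as the signed/unsigned comparison warning being silenced suggests. A value above the `ssize_t` maximum becomes negative after the cast, so `(ssize_t) length > (...-q)` is false, no exception is thrown, and the unchanged context line `BlobToImage(image_info,q,length,&image->exception)` then receives the original oversized `length`. The first half of the condition already rejects `q` past the end of the profile, so the pointer difference is non-negative by the time the second half is evaluated and the unsigned comparison was safe. Since upstream describes this commit only as "eliminate compiler warning", consider leaving it out of this series, or check with upstream whether casting the right-hand side to `size_t` was what was meant.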