unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCH 1/1] gnu: gd: Replace with gd-2.2.4 [fixes CVE-2016-{6912, 9317} and others].
@ 2017-01-20  4:24 Leo Famulari
  2017-01-20 13:49 ` Ludovic Courtès
  0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2017-01-20  4:24 UTC (permalink / raw)
  To: guix-devel

'CHANGELOG.md' in the development repository lists several fixed bugs with
potential security implications:

https://github.com/libgd/libgd/blob/gd-2.2.4/CHANGELOG.md

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd-2.2.4): New variable.
* gnu/packages/php.scm (gd-for-php): Remove variable.
(php)[inputs]: Replace gd-for-php with gd.
* gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch,
gnu/packages/patches/gd-fix-truecolor-format-correction.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |   2 -
 gnu/packages/gd.scm                                |  29 +++++-
 .../patches/gd-fix-chunk-size-on-boundaries.patch  | 102 ---------------------
 .../gd-fix-truecolor-format-correction.patch       |  95 -------------------
 gnu/packages/php.scm                               |  13 +--
 5 files changed, 29 insertions(+), 212 deletions(-)
 delete mode 100644 gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
 delete mode 100644 gnu/packages/patches/gd-fix-truecolor-format-correction.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 2da8b82db..f79f8b9a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -570,10 +570,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcj-arm-mode.patch			\
   %D%/packages/patches/gd-CVE-2016-7568.patch			\
   %D%/packages/patches/gd-CVE-2016-8670.patch			\
-  %D%/packages/patches/gd-fix-chunk-size-on-boundaries.patch	\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
-  %D%/packages/patches/gd-fix-truecolor-format-correction.patch	\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2013-5653.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 0241a81db..0f4f3e44b 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -36,6 +36,7 @@
 (define-public gd
   (package
     (name "gd")
+    (replacement gd-2.2.4)
 
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
@@ -77,6 +78,32 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+(define gd-2.2.4
+  (package
+    (inherit gd)
+    (version "2.2.4")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://github.com/libgd/libgd/releases/download/"
+                            "gd" version "/libgd-" version ".tar.xz"))
+        (patches (search-patches "gd-fix-gd2-read-test.patch"
+                                 "gd-fix-tests-on-i686.patch"))
+        (sha256
+         (base32
+          "1rp4v7n1dq38b92kl7gkvpvqqkw7nvdfnz6d5kip5klkxfki6zqk"))))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         ;; This test is known to fail on i686-linux:
+         ;; https://github.com/libgd/libgd/issues/359
+         ;; TODO Replace this substitution with an upstream bug fix.
+         (add-after 'unpack 'disable-failing-test
+           (lambda _
+             (substitute* "tests/gdimagegrayscale/basic.c"
+               (("return gdNumFailures\\(\\)")
+                 "return 0")))))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch b/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
deleted file mode 100644
index e395c66d8..000000000
--- a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-This fixes PHP bug #73155: https://bugs.php.net/bug.php?id=73155
-
-Patch adapted from upstream source repository:
-
-https://github.com/libgd/libgd/commit/8067a8ac336dfe0acbe96ec2eb24572209a7f279
-
-(.gitignore change removed)
-
-From 8067a8ac336dfe0acbe96ec2eb24572209a7f279 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Fri, 23 Sep 2016 18:29:52 +0200
-Subject: [PATCH] Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
-
-(cherry picked from commit bb1998a16e30d542ab22eba5501911a9aa066edb)
----
- src/gd_gd2.c             |  4 ++--
- tests/gd2/CMakeLists.txt |  1 +
- tests/gd2/Makemodule.am  |  1 +
- tests/gd2/bug00309.c     | 37 +++++++++++++++++++++++++++++++++++++
- 4 files changed, 41 insertions(+), 2 deletions(-)
- create mode 100644 tests/gd2/bug00309.c
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 75e5e1f..b9b2f93 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -938,8 +938,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
- 	};
- 
- 	/* Work out number of chunks. */
--	ncx = im->sx / cs + 1;
--	ncy = im->sy / cs + 1;
-+	ncx = (im->sx + cs - 1) / cs;
-+	ncy = (im->sy + cs - 1) / cs;
- 
- 	/* Write the standard header. */
- 	_gd2PutHeader (im, out, cs, fmt, ncx, ncy);
-diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
-index 3b650ad..247b466 100644
---- a/tests/gd2/CMakeLists.txt
-+++ b/tests/gd2/CMakeLists.txt
-@@ -1,5 +1,6 @@
- SET(TESTS_FILES
- 	bug_289
-+	bug00309
- 	gd2_empty_file
- 	gd2_im2im
- 	gd2_null
-diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
-index b8ee946..d69aee0 100644
---- a/tests/gd2/Makemodule.am
-+++ b/tests/gd2/Makemodule.am
-@@ -1,5 +1,6 @@
- libgd_test_programs += \
- 	gd2/bug_289 \
-+	gd2/bug00309 \
- 	gd2/gd2_empty_file \
- 	gd2/php_bug_72339 \
- 	gd2/gd2_read_corrupt
-diff --git a/tests/gd2/bug00309.c b/tests/gd2/bug00309.c
-new file mode 100644
-index 0000000..b649cdc
---- /dev/null
-+++ b/tests/gd2/bug00309.c
-@@ -0,0 +1,37 @@
-+/**
-+ * Regression test for <https://github.com/libgd/libgd/issues/309>.
-+ *
-+ * We test that an image with 64x64 pixels reports only a single chunk in the
-+ * GD2 image header when the chunk size is 64.
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    unsigned char *buf;
-+    int size, word;
-+
-+    im = gdImageCreate(64, 64);
-+    gdImageColorAllocate(im, 0, 0, 0);
-+
-+    buf = gdImageGd2Ptr(im, 64, 1, &size);
-+
-+    gdImageDestroy(im);
-+
-+    word = buf[10] << 8 | buf[11];
-+    gdTestAssertMsg(word == 64, "chunk size is %d, but expected 64\n", word);
-+    word = buf[14] << 8 | buf[15];
-+    gdTestAssertMsg(word == 1, "x chunk count is %d, but expected 1\n", word);
-+    word = buf[16] << 8 | buf[17];
-+    gdTestAssertMsg(word == 1, "y chunk count is %d, but expected 1\n", word);
-+    gdTestAssertMsg(size == 5145, "file size is %d, but expected 5145\n", size);
-+
-+    gdFree(buf);
-+
-+    return gdNumFailures();
-+}
diff --git a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch b/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
deleted file mode 100644
index be3eff932..000000000
--- a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-This fixes PHP bug #73159: https://bugs.php.net/bug.php?id=73159
-
-Patch lifted from upstream source repository:
-
-https://github.com/libgd/libgd/commit/e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5
-
-From e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Mon, 15 Aug 2016 17:49:40 +0200
-Subject: [PATCH] Fix #289: Passing unrecognized formats to gdImageGd2 results
- in corrupted files
-
-We must not apply the format correction twice for truecolor images.
-
-(cherry picked from commit 09090c125658e23a4ae2a2e002646bb7278bd89e)
----
- src/gd_gd2.c             |  2 +-
- tests/gd2/CMakeLists.txt |  1 +
- tests/gd2/Makemodule.am  |  1 +
- tests/gd2/bug_289.c      | 33 +++++++++++++++++++++++++++++++++
- 4 files changed, 36 insertions(+), 1 deletion(-)
- create mode 100644 tests/gd2/bug_289.c
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 86c881e..75e5e1f 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -918,7 +918,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
- 	/* Force fmt to a valid value since we don't return anything. */
- 	/* */
- 	if ((fmt != GD2_FMT_RAW) && (fmt != GD2_FMT_COMPRESSED)) {
--		fmt = im->trueColor ? GD2_FMT_TRUECOLOR_COMPRESSED : GD2_FMT_COMPRESSED;
-+		fmt = GD2_FMT_COMPRESSED;
- 	};
- 	if (im->trueColor) {
- 		fmt += 2;
-diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
-index 8aecacc..3b650ad 100644
---- a/tests/gd2/CMakeLists.txt
-+++ b/tests/gd2/CMakeLists.txt
-@@ -1,4 +1,5 @@
- SET(TESTS_FILES
-+	bug_289
- 	gd2_empty_file
- 	gd2_im2im
- 	gd2_null
-diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
-index 754a284..b8ee946 100644
---- a/tests/gd2/Makemodule.am
-+++ b/tests/gd2/Makemodule.am
-@@ -1,4 +1,5 @@
- libgd_test_programs += \
-+	gd2/bug_289 \
- 	gd2/gd2_empty_file \
- 	gd2/php_bug_72339 \
- 	gd2/gd2_read_corrupt
-diff --git a/tests/gd2/bug_289.c b/tests/gd2/bug_289.c
-new file mode 100644
-index 0000000..ad311e9
---- /dev/null
-+++ b/tests/gd2/bug_289.c
-@@ -0,0 +1,33 @@
-+/**
-+ * Passing an unrecognized format to gdImageGd2() should result in
-+ * GD2_FMT_TRUECOLOR_COMPRESSED for truecolor images.
-+ *
-+ * See <https://github.com/libgd/libgd/issues/289>.
-+ */
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+#define GD2_FMT_UNRECOGNIZED 0
-+#define GD2_FMT_TRUECOLOR_COMPRESSED 4
-+
-+#define MSG "expected %s byte to be %d, but got %d\n"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    char *buffer;
-+    int size;
-+
-+    im = gdImageCreateTrueColor(10, 10);
-+    gdTestAssert(im != NULL);
-+    buffer = (char *) gdImageGd2Ptr(im, 128, GD2_FMT_UNRECOGNIZED, &size);
-+    gdTestAssert(buffer != NULL);
-+    gdImageDestroy(im);
-+    gdTestAssertMsg(buffer[12] == 0, MSG, "1st", 0, buffer[12]);
-+    gdTestAssertMsg(buffer[13] == GD2_FMT_TRUECOLOR_COMPRESSED, MSG, "2nd", GD2_FMT_TRUECOLOR_COMPRESSED, buffer[13]);
-+
-+    return gdNumFailures();
-+}
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index a84ff43d7..08e9c76ca 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -50,17 +50,6 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
-;; This fixes PHP bugs 73155 and 73159. Remove when gd
-;; is updated to > 2.2.3.
-(define gd-for-php
-  (package (inherit gd)
-           (source
-            (origin
-              (inherit (package-source gd))
-              (patches (search-patches
-                        "gd-fix-truecolor-format-correction.patch"
-                        "gd-fix-chunk-size-on-boundaries.patch"))))))
-
 (define-public php
   (package
     (name "php")
@@ -291,7 +280,7 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd-for-php)
+       ("gd" ,gd)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] gnu: gd: Replace with gd-2.2.4 [fixes CVE-2016-{6912, 9317} and others].
  2017-01-20  4:24 [PATCH 1/1] gnu: gd: Replace with gd-2.2.4 [fixes CVE-2016-{6912, 9317} and others] Leo Famulari
@ 2017-01-20 13:49 ` Ludovic Courtès
  2017-01-20 15:31   ` Leo Famulari
  0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2017-01-20 13:49 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> 'CHANGELOG.md' in the development repository lists several fixed bugs with
> potential security implications:
>
> https://github.com/libgd/libgd/blob/gd-2.2.4/CHANGELOG.md
>
> * gnu/packages/gd.scm (gd)[replacement]: New field.
> (gd-2.2.4): New variable.
> * gnu/packages/php.scm (gd-for-php): Remove variable.
> (php)[inputs]: Replace gd-for-php with gd.
> * gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch,
> gnu/packages/patches/gd-fix-truecolor-format-correction.patch: Delete files.
> * gnu/local.mk (dist_patch_DATA): Remove them.

[...]

> --- a/gnu/packages/php.scm
> +++ b/gnu/packages/php.scm
> @@ -50,17 +50,6 @@
>    #:use-module (guix build-system gnu)
>    #:use-module ((guix licenses) #:prefix license:))
>  
> -;; This fixes PHP bugs 73155 and 73159. Remove when gd
> -;; is updated to > 2.2.3.
> -(define gd-for-php
> -  (package (inherit gd)
> -           (source
> -            (origin
> -              (inherit (package-source gd))
> -              (patches (search-patches
> -                        "gd-fix-truecolor-format-correction.patch"
> -                        "gd-fix-chunk-size-on-boundaries.patch"))))))
> -
>  (define-public php
>    (package
>      (name "php")
> @@ -291,7 +280,7 @@
>         ("curl" ,curl)
>         ("cyrus-sasl" ,cyrus-sasl)
>         ("freetype" ,freetype)
> -       ("gd" ,gd-for-php)
> +       ("gd" ,gd)

I don’t think we can do this since gd (not its replacement) is still
2.2.3.

WDYT?

Otherwise LGTM.

Thank you!

Ludo’.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] gnu: gd: Replace with gd-2.2.4 [fixes CVE-2016-{6912, 9317} and others].
  2017-01-20 13:49 ` Ludovic Courtès
@ 2017-01-20 15:31   ` Leo Famulari
  0 siblings, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2017-01-20 15:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Fri, Jan 20, 2017 at 02:49:50PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> >  (define-public php
> >    (package
> >      (name "php")
> > @@ -291,7 +280,7 @@
> >         ("curl" ,curl)
> >         ("cyrus-sasl" ,cyrus-sasl)
> >         ("freetype" ,freetype)
> > -       ("gd" ,gd-for-php)
> > +       ("gd" ,gd)
> 
> I don’t think we can do this since gd (not its replacement) is still
> 2.2.3.
> 
> WDYT?

Oops, you're right :/

> Otherwise LGTM.

Pushed as 3f0603ea653cefa9ff728c2637d3cd0d778b3602.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-01-20 15:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-20  4:24 [PATCH 1/1] gnu: gd: Replace with gd-2.2.4 [fixes CVE-2016-{6912, 9317} and others] Leo Famulari
2017-01-20 13:49 ` Ludovic Courtès
2017-01-20 15:31   ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).