unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCHES] ImageMagick security updates without grafting
@ 2021-03-27 13:09 Mark H Weaver
  2021-03-27 14:36 ` Maxime Devos
  0 siblings, 1 reply; 15+ messages in thread
From: Mark H Weaver @ 2021-03-27 13:09 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 980 bytes --]

Hello Guix,

Here's a proposed patch set that will henceforth enable us to freely
update ImageMagick (and dblatex, and gtk-doc) on our 'master' branch
without grafts.  This is done by adding variables 'imagemagick/stable',
'dblatex/stable', and 'gtk-doc/stable', which are then used as
'native-inputs' in selected packages.

The idea here is that the overwhelming majority of dependencies on
'imagemagick' are via references to 'gtk-doc' in the 'native-inputs' of
GNOME libraries.  The risk of running buggy imagemagick code within Guix
build containers is presumably quite limited, and in any case, grafting
is no better in this regard.

The last 3 commits of this series apply more bug fixes beyond what we
currently have in 'master', including for CVE-2020-27829, as well as a
few other recent upstream commits that look to me potentially security
relevant.

Are there any comments or objections to this approach?

      Mark

Note: I haven't yet fully tested these commits.



[-- Attachment #2: [PATCH 1/8] gnu: imagemagick: Remove graft --]
[-- Type: text/x-patch, Size: 3336 bytes --]

From eaecf83224fdae115a533d03b6fe949794835d43 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:07:32 -0400
Subject: [PATCH 1/8] gnu: imagemagick: Remove graft.

Note that this commit does *not* integrate the fixes that were previously
applied via the graft.  This commit simply discards those fixes.  We will
address those security flaws, without grafting, in subsequent commits.

* gnu/packages/imagemagick.scm (imagemagick)[replacement]: Remove field.
(imagemagick/fixed): Remove variable.
---
 gnu/packages/imagemagick.scm | 40 ------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a3562f2e13..cc5f1de4bf 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -51,7 +51,6 @@
     ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
     ;; users are ready for the 7-series API.
     (version "6.9.11-48")
-    (replacement imagemagick/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
@@ -128,45 +127,6 @@ transform images, adjust image colors, apply various special effects, or draw
 text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
-(define-public imagemagick/fixed
-  (package
-    (inherit imagemagick)
-    (name "imagemagick")
-    ;; 'g' for 'guix', appended character to retain version length so grafting
-    ;; works properly.
-    (version "6.9.12-2g")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://imagemagick/ImageMagick-"
-                                  ;; Hardcode the version here since we had to
-                                  ;; change it above.
-                                  "6.9.12-2.tar.xz"))
-              (sha256
-               (base32
-                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments imagemagick)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'install 'fix-compat-cheat-rename-so
-             (lambda* (#:key outputs #:allow-other-keys)
-               (with-directory-excursion
-                   (string-append (assoc-ref outputs "out")
-                                  "/lib")
-                 (symlink "libMagick++-6.Q16.so.9.0.0"
-                          "libMagick++-6.Q16.so.8.0.0")
-                 (symlink "libMagick++-6.Q16.so.9"
-                          "libMagick++-6.Q16.so.8")
-                 (symlink "libMagickCore-6.Q16.so.7.0.0"
-                          "libMagickCore-6.Q16.so.6.0.0")
-                 (symlink "libMagickCore-6.Q16.so.7"
-                          "libMagickCore-6.Q16.so.6")
-                 (symlink "libMagickWand-6.Q16.so.7.0.0"
-                          "libMagickWand-6.Q16.so.6.0.0")
-                 (symlink "libMagickWand-6.Q16.so.7"
-                          "libMagickWand-6.Q16.so.6"))
-               #t))))))))
-
 (define-public perl-image-magick
   (package
     (name "perl-image-magick")
-- 
2.31.0


[-- Attachment #3: [PATCH 2/8] gnu: imagemagick: Add 'imagemagick/stable' variant --]
[-- Type: text/x-patch, Size: 1314 bytes --]

From 370089473506c800cf3480f67a00860400fbed18 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:16:23 -0400
Subject: [PATCH 2/8] gnu: imagemagick: Add 'imagemagick/stable' variant.

* gnu/packages/imagemagick.scm (imagemagick/stable): New variable.
(imagemagick): This is now an alias to 'imagemagick/stable'.
---
 gnu/packages/imagemagick.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index cc5f1de4bf..6d4649fbac 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -44,7 +44,7 @@
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xorg))
 
-(define-public imagemagick
+(define-public imagemagick/stable
   (package
     (name "imagemagick")
     ;; The 7 release series has an incompatible API, while the 6 series is still
@@ -127,6 +127,9 @@ transform images, adjust image colors, apply various special effects, or draw
 text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
+(define-public imagemagick
+  imagemagick/stable)
+
 (define-public perl-image-magick
   (package
     (name "perl-image-magick")
-- 
2.31.0


[-- Attachment #4: [PATCH 3/8] gnu: dblatex: Add 'dblatex/stable' variant --]
[-- Type: text/x-patch, Size: 1489 bytes --]

From 8a251cdb8e730c364d79fc6f2fba21bafc82302a Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:27:25 -0400
Subject: [PATCH 3/8] gnu: dblatex: Add 'dblatex/stable' variant.

* gnu/packages/docbook.scm (dblatex/stable): New variable.
---
 gnu/packages/docbook.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm
index 012e86f6a5..9b2c70014d 100644
--- a/gnu/packages/docbook.scm
+++ b/gnu/packages/docbook.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -33,6 +34,7 @@
   #:use-module (guix licenses)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module ((guix build utils) #:select (alist-replace))
   #:use-module (guix build-system trivial)
   #:use-module (guix build-system python))
 
@@ -460,3 +462,8 @@ process.  MathML 2.0 markups are supported too.  It started as a clone of
 DB2LaTeX.")
     ;; lib/contrib/which is under an X11 license
     (license gpl2+)))
+
+(define-public dblatex/stable
+  (package/inherit dblatex
+    (inputs (alist-replace "imagemagick" `(,imagemagick/stable)
+                           (package-inputs dblatex)))))
-- 
2.31.0


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #5: [PATCH 4/8] gnu: gtk-doc: Add 'gtk-doc/stable' variant --]
[-- Type: text/x-patch, Size: 1232 bytes --]

From 9de91519a64c3a2fadd8a9730d6fb032d764885b Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:28:58 -0400
Subject: [PATCH 4/8] gnu: gtk-doc: Add 'gtk-doc/stable' variant.

* gnu/packages/gtk.scm (gtk-doc/stable): New variable.
---
 gnu/packages/gtk.scm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index cf9116214c..0cd1391fa2 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -48,6 +48,7 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix git-download)
+  #:use-module ((guix build utils) #:select (alist-replace))
   #:use-module (guix build-system glib-or-gtk)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
@@ -1829,6 +1830,11 @@ typically used to document the public API of GTK+ and GNOME libraries, but it
 can also be used to document application code.")
     (license license:gpl2+)))
 
+(define-public gtk-doc/stable
+  (package/inherit gtk-doc
+    (inputs (alist-replace "dblatex" `(,dblatex/stable)
+                           (package-inputs gtk-doc)))))
+
 (define-public gtk-engines
   (package
     (name "gtk-engines")
-- 
2.31.0


[-- Attachment #6: [PATCH 5/8] gnu: Use 'gtk-doc/stable' in native-inputs of selected packages --]
[-- Type: text/x-patch, Size: 24504 bytes --]

From 941bcda1cb65d89974ebc775666a6bd432964a78 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:34:35 -0400
Subject: [PATCH 5/8] gnu: Use 'gtk-doc/stable' in native-inputs of selected
 packages.

* gnu/packages/calendar.scm (libical),
gnu/packages/check.scm (umockdev),
gnu/packages/fontutils.scm (libraqm),
gnu/packages/freedesktop.scm (appstream, farstream, libglib-testing)
(udisks, libfprint, libportal),
gnu/packages/geo.scm (memphis, osm-gps-map),
gnu/packages/glib.scm (template-glib),
gnu/packages/gnome.scm (gupnp-igd, libcloudproviders, libgrss, seed)
(gtx, dee, zeitgeist, phodav, gssdp, gupnp, gupnp-dlna, gupnp-av, rygel)
(libnma, gdl, libnotify, vte-ng, dconf, libxklavier, libsoup, colord)
(geoclue, geocode-glib, amtk, grilo, gvfs, gusb, network-manager)
(network-manager-applet, gfbgraph, libunique, cheese, libhandy)
(gnome-latex, libgda),
gnu/packages/gstreamer.scm (orc),
gnu/packages/gtk.scm (at-spi2-core, goocanvas),
gnu/packages/language.scm (nimf),
gnu/packages/networking.scm (libnice),
gnu/packages/video.scm (schroedinger),
gnu/packages/virtualization.scm (libosinfo),
gnu/packages/webkit.scm (wpewebkit, webkitgtk),
gnu/packages/xml.scm (libxmlb)[native-inputs]: Replace 'gtk-doc' with
'gtk-doc/stable'.
---
 gnu/packages/calendar.scm       |  2 +-
 gnu/packages/check.scm          |  2 +-
 gnu/packages/fontutils.scm      |  2 +-
 gnu/packages/freedesktop.scm    | 12 +++---
 gnu/packages/geo.scm            |  4 +-
 gnu/packages/glib.scm           |  2 +-
 gnu/packages/gnome.scm          | 70 ++++++++++++++++-----------------
 gnu/packages/gstreamer.scm      |  2 +-
 gnu/packages/gtk.scm            |  4 +-
 gnu/packages/language.scm       |  2 +-
 gnu/packages/networking.scm     |  2 +-
 gnu/packages/video.scm          |  2 +-
 gnu/packages/virtualization.scm |  2 +-
 gnu/packages/webkit.scm         |  4 +-
 gnu/packages/xml.scm            |  2 +-
 15 files changed, 57 insertions(+), 57 deletions(-)

diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index 4e1e4f05b6..d473900ac5 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -156,7 +156,7 @@ the <tz.h> library for handling time zones and leap seconds.")
     (native-inputs
      `(("docbook-xml" ,docbook-xml-4.3)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 21514d1bc4..a1e44ad81f 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -2732,7 +2732,7 @@ provides a simple way to achieve this.")
     (native-inputs
      `(("vala" ,vala)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
 
        ;; For tests.
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index a4c92f5bea..1d9c81b8a6 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -965,7 +965,7 @@ Unicode Charts.  It was developed for use with DejaVu Fonts project.")
     (arguments
      `(#:configure-flags (list "--disable-static")))
     (native-inputs
-     `(("gtk-doc" ,gtk-doc)
+     `(("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)))
     (inputs
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 4105dd7ca0..a9e96c9928 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -173,7 +173,7 @@
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
        ("gperf" ,gperf)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
        ("xsltproc" ,libxslt)))
@@ -261,7 +261,7 @@ application-centers for distributions.")
        ("docbook-xml" ,docbook-xml-4.1.2)
        ("docbook-xsl" ,docbook-xsl)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("libtool" ,libtool)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
@@ -313,7 +313,7 @@ for videoconferencing.")
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
        ("pkg-config" ,pkg-config)
-       ("gtk-doc" ,gtk-doc)))
+       ("gtk-doc" ,gtk-doc/stable)))
     (inputs
      `(("dbus" ,dbus)
        ("glib" ,glib)))
@@ -1202,7 +1202,7 @@ Analysis and Reporting Technology) functionality.")
        ("glib:bin" ,glib "bin")         ; for glib-mkenums
        ("gnome-common" ,gnome-common)   ; TODO: Why is this needed?
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("xsltproc" ,libxslt)))
@@ -1598,7 +1598,7 @@ wish to perform colour calibration.")
      `(("eudev" ,eudev)
        ("glib:bin" ,glib "bin")         ; for {glib-,}mkenums
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)             ; for 88 KiB of API documentation
+       ("gtk-doc" ,gtk-doc/stable)             ; for 88 KiB of API documentation
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glib" ,glib)
@@ -2197,7 +2197,7 @@ fallback to generic Systray support if none of those are available.")
                  #t))))))
       (native-inputs
        `(("pkg-config" ,pkg-config)
-         ("gtk-doc" ,gtk-doc)
+         ("gtk-doc" ,gtk-doc/stable)
          ("docbook-xsl" ,docbook-xsl)
          ("docbook-xml" ,docbook-xml)
          ("libxml2" ,libxml2)
diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm
index c988d6b114..97fa83b86b 100644
--- a/gnu/packages/geo.scm
+++ b/gnu/packages/geo.scm
@@ -151,7 +151,7 @@
        ("automake" ,automake)
        ("docbook-xml" ,docbook-xml-4.3)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -1138,7 +1138,7 @@ OpenStreetMap data files.")
     (build-system gnu-build-system)
     (native-inputs
      `(("gnome-common" ,gnome-common)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("cairo" ,cairo)
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 9c3cd75624..c04bd334e9 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -1165,7 +1165,7 @@ other API remains the same.")
      `(("bison" ,bison)
        ("flex" ,flex)
        ("glib:bin" ,glib "bin") ;; For glib-mkenums
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (home-page "https://gitlab.gnome.org/GNOME/template-glib")
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 7607db27f1..ce8a5e8f02 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -263,7 +263,7 @@
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
        ("gsettings-desktop-schemas" ,gsettings-desktop-schemas)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("glib" ,glib)
@@ -366,7 +366,7 @@ features to enable users to create their discs easily and quickly.")
     (native-inputs
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (inputs
@@ -415,7 +415,7 @@ services.")
     (native-inputs
      `(("docbook-xml" ,docbook-xml-4.1.2)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("glib" ,glib)
@@ -512,7 +512,7 @@ bindings.")
        ("docbook-xml" ,docbook-xml-4.1.2)
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)))
@@ -622,7 +622,7 @@ It is written in C using GObject and libsoup.")
                        "/share/gtk-doc/html"))))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("glib" ,glib)))
@@ -692,7 +692,7 @@ of writing test cases for asynchronous interactions.")
        ("dbus-test-runner" ,dbus-test-runner)
        ("docbook-xml" ,docbook-xml-4.3)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ;; Would only be required by configure flag "--enable-extended-tests".
        ;("gtx" ,gtx)
        ("pkg-config" ,pkg-config)
@@ -768,7 +768,7 @@ of known objects without needing a central registrar.")
        ("docbook-xml" ,docbook-xml-4.3)
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)
@@ -1177,7 +1177,7 @@ Library reference documentation.")
     `(("docbook-xml" ,docbook-xml-4.3)
       ("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("pkg-config" ,pkg-config)))
    (inputs
     `(("avahi" ,avahi)
@@ -1295,7 +1295,7 @@ It has miners for Facebook, Flickr, Google, ownCloud and SkyDrive.")
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("pkg-config" ,pkg-config)
       ("vala" ,vala)))
    (inputs
@@ -1326,7 +1326,7 @@ a debugging tool, @command{gssdp-device-sniffer}.")
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("pkg-config" ,pkg-config)
       ("vala" ,vala)))
    (inputs
@@ -1357,7 +1357,7 @@ for creating UPnP devices and control points, written in C using
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("libxml" ,libxml2)
       ("pkg-config" ,pkg-config)
       ("vala" ,vala)))
@@ -1391,7 +1391,7 @@ given profile, etc.  DLNA is a subset of UPnP A/V.")
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("libxml" ,libxml2)
       ("pkg-config" ,pkg-config)))
    (inputs
@@ -1607,7 +1607,7 @@ preview files on the GNOME desktop.")
     (native-inputs
      `(("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (inputs
@@ -1669,7 +1669,7 @@ client devices can handle.")
      `(("docbook-xml" ,docbook-xml-4.3)
        ("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("gobject-introspection" ,gobject-introspection)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
@@ -2417,7 +2417,7 @@ GNOME Desktop.")
        ("automake" ,automake)
        ("glib" ,glib "bin")             ; for glib-genmarshal, etc.
        ("gnome-common" ,gnome-common)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("libtool" ,libtool)
@@ -3057,7 +3057,7 @@ configuring CUPS.")
        ("gobject-introspection" ,gobject-introspection)
 
        ;; For the documentation.
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("xsltproc" ,libxslt)
        ("docbook-xsl" ,docbook-xsl)))
     (home-page "https://developer-next.gnome.org/libnotify/")
@@ -4503,7 +4503,7 @@ editors, IDEs, etc.")
                 "0rnm5c6m3abbm81jsfdas0y80z299ny54gr4syn4bfrms3s4g19l"))))
     (build-system meson-build-system)
     (native-inputs
-     `(("gtk-doc" ,gtk-doc)
+     `(("gtk-doc" ,gtk-doc/stable)
        ,@(package-native-inputs vte)))
     (arguments
      `(#:configure-flags '("-Ddocs=true")))
@@ -4621,7 +4621,7 @@ and RDP protocols.")
        ("docbook-xml" ,docbook-xml-4.2)
        ("docbook-xsl" ,docbook-xsl)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (arguments
@@ -4689,7 +4689,7 @@ and objects.")
      `(("glib:bin"              ,glib "bin") ; for glib-mkenums, etc.
        ("gobject-introspection" ,gobject-introspection)
        ("pkg-config"            ,pkg-config)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("which" ,which)
        ("autoconf" ,autoconf)
@@ -4912,7 +4912,7 @@ libxml to ease remote use of the RESTful API.")
      `(("docbook-xml" ,docbook-xml-4.1.2)
        ("glib:bin" ,glib "bin")                   ; for glib-mkenums
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -5279,7 +5279,7 @@ keyboard shortcuts.")
      `(("glib:bin" ,glib "bin")         ; for glib-compile-resources, etc.
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (propagated-inputs
@@ -5324,7 +5324,7 @@ output devices.")
        ("gobject-introspection" ,gobject-introspection)
        ("modem-manager" ,modem-manager)
        ("libnotify" ,libnotify)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)))
     (inputs
      `(("avahi" ,avahi)
@@ -5369,7 +5369,7 @@ permission from user.")
        ("glibc-locales" ,glibc-locales) ; for tests
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("json-glib" ,json-glib)))
     (propagated-inputs
@@ -5675,7 +5675,7 @@ which are easy to play with the aid of a mouse.")
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
        ("glib:bin" ,glib "bin")         ; for glib-mkenums
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glib" ,glib)
@@ -6092,7 +6092,7 @@ as possible!")
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("vala" ,vala)))
     (inputs
      `(("cyrus-sasl" ,cyrus-sasl)
@@ -6526,7 +6526,7 @@ part of udev-extras, then udev, then systemd.  It's now a project on its own.")
     (native-inputs
      `(("glib:bin" ,glib "bin") ; for glib-genmarshal, etc.
        ("gettext" ,gettext-minimal)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("xsltproc" ,libxslt)))
     (inputs
@@ -6591,7 +6591,7 @@ DAV, and others.")
      `(("gobject-introspection" ,gobject-introspection)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)
-       ("gtk-doc" ,gtk-doc)))
+       ("gtk-doc" ,gtk-doc/stable)))
     (propagated-inputs
      ;; Both of these are required by gusb.pc.
      `(("glib" ,glib)
@@ -7795,7 +7795,7 @@ users.")
      `(("glib" ,glib)))
     (native-inputs
      `(("glib:bin" ,glib "bin")         ; for gdbus-codegen
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("gobject-introspection" ,gobject-introspection)
        ("docbook-xml" ,docbook-xml)
        ("docbook-xsl" ,docbook-xsl)
@@ -8052,7 +8052,7 @@ Cisco's AnyConnect SSL VPN.")
      `(("intltool" ,intltool)
        ("glib:bin" ,glib "bin") ; for glib-compile-resources, etc.
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      ;; libnm-gtk.pc refers to all these.
@@ -9800,7 +9800,7 @@ compiled.")
                            "--enable-introspection")))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
 
        ;; The 0.2.4 ‘release’ tarball isn't bootstrapped.
@@ -9872,7 +9872,7 @@ environment, which can notably display keyboard layouts.")
      `(("pkg-config" ,pkg-config)
        ("gobject-introspection" ,gobject-introspection)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)))
+       ("gtk-doc" ,gtk-doc/stable)))
     (propagated-inputs
      ;; Referred to in .h files and .pc.
      `(("gtk+" ,gtk+)))
@@ -10457,7 +10457,7 @@ photo-booth-like software, such as Cheese.")
        ("docbook-xml" ,docbook-xml-4.3)
        ("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("itstool" ,itstool)
        ("libxml2" ,libxml2)
        ("libxslt" ,libxslt)
@@ -10996,7 +10996,7 @@ tabs, and it supports drag and drop re-ordering of terminals.")
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection) ; for g-ir-scanner
        ("vala" ,vala)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("gettext" ,gettext-minimal)
 
@@ -11531,7 +11531,7 @@ card sheets that you’ll find at most office supply stores.")
      `(("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("itstool" ,itstool)
        ("pkg-config" ,pkg-config)
@@ -12123,7 +12123,7 @@ developed with the aim of being used with the Librem 5 phone.")
        ("glib:bin" ,glib "bin")
        ("gnome-common" ,gnome-common)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 1c7ba98a86..6a4e14167d 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -384,7 +384,7 @@ http://www.tux.org/~ricdude/overview.html")
                 "if (error) return 77;"))
              #t)))))
     (native-inputs
-     `(("gtk-doc" ,gtk-doc)))
+     `(("gtk-doc" ,gtk-doc/stable)))
     (home-page "https://gstreamer.freedesktop.org/modules/orc.html")
     (synopsis "Oil runtime compiler")
     (description
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 0cd1391fa2..fdc946ca20 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -723,7 +723,7 @@ in the GNOME project.")
    (native-inputs
     `(("gettext" ,gettext-minimal)
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("glib" ,glib "bin")
       ("pkg-config" ,pkg-config)))
    (synopsis "Assistive Technology Service Provider Interface, core components")
@@ -2241,7 +2241,7 @@ popovers.")
      `(("gettext" ,gettext-minimal)
        ("glib-bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("python" ,python)))
     (inputs
diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
index d4b9b8d4cb..5325445a24 100644
--- a/gnu/packages/language.scm
+++ b/gnu/packages/language.scm
@@ -170,7 +170,7 @@
        ("gobject-introspection" ,gobject-introspection)
        ("gtk+-2:bin" ,gtk+-2 "bin")
        ("gtk+:bin" ,gtk+ "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("libtool" ,libtool)
        ("perl" ,perl)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index ea3e3f67e7..ecc6f57f4e 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -302,7 +302,7 @@ Android, and ChromeOS.")
     (native-inputs
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("gstreamer" ,gstreamer)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index a17708c7dd..4853884d05 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -381,7 +381,7 @@ video decode, encode and filtering on Intel's Gen graphics hardware platforms.")
                #t))))))
     (native-inputs
      `(("dash" ,dash)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glew" ,glew)
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index fabac5b984..96347adf7c 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -984,7 +984,7 @@ Debian or a derivative using @command{debootstrap}.")
     (native-inputs
      `(("glib" ,glib "bin")  ; glib-mkenums, etc.
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("vala" ,vala)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 89eee74def..d8378354bd 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -174,7 +174,7 @@ engine that uses Wayland for graphics output.")
        ("docbook-xsl" ,docbook-xsl)
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -301,7 +301,7 @@ acceleration in mind, leveraging common 3D graphics APIs for best performance.")
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
-       ("gtk-doc" ,gtk-doc) ; For documentation generation
+       ("gtk-doc" ,gtk-doc/stable) ; For documentation generation
        ("docbook-xml" ,docbook-xml) ; For documentation generation
        ("ruby" ,ruby)))
     (propagated-inputs
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index d05d326f5b..defc0323e6 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -99,7 +99,7 @@
      `(#:glib-or-gtk? #t))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("appstream-glib" ,appstream-glib)
-- 
2.31.0


[-- Attachment #7: [PATCH 6/8] gnu: imagemagick: Update to 6.9.12-4 --]
[-- Type: text/x-patch, Size: 1955 bytes --]

From 5f144be02171e93613184793e254a25c674e232e Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:48:37 -0400
Subject: [PATCH 6/8] gnu: imagemagick: Update to 6.9.12-4.

* gnu/packages/imagemagick.scm (imagemagick): Update to 6.9.12-4.
---
 gnu/packages/imagemagick.scm | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 6d4649fbac..4200ed1daf 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016, 2021 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
@@ -128,7 +128,19 @@ text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
 (define-public imagemagick
-  imagemagick/stable)
+  (package
+    (inherit imagemagick/stable)
+    ;; The 7 release series has an incompatible API, while the 6 series is still
+    ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
+    ;; users are ready for the 7-series API.
+    (version "6.9.12-4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://imagemagick/ImageMagick-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))))
 
 (define-public perl-image-magick
   (package
-- 
2.31.0


[-- Attachment #8: [PATCH 7/8] gnu: imagemagick: Fix CVE-2020-27829 --]
[-- Type: text/x-patch, Size: 3272 bytes --]

From 986fa9c54db10e597f3b7d5db859e28b1c0f9317 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 08:08:10 -0400
Subject: [PATCH 7/8] gnu: imagemagick: Fix CVE-2020-27829.

* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/imagemagick.scm (source): Add patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/imagemagick.scm                  |  4 ++-
 .../patches/imagemagick-CVE-2020-27829.patch  | 27 +++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0aec66414e..18799bac7f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1221,6 +1221,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/id3lib-UTF16-writing-bug.patch			\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/imagemagick-CVE-2020-27829.patch		\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 4200ed1daf..44598fbb73 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -140,7 +140,9 @@ text, lines, polygons, ellipses and Bézier curves.")
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))))
+                "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))
+              (patches
+               (search-patches "imagemagick-CVE-2020-27829.patch"))))))
 
 (define-public perl-image-magick
   (package
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..b15c1d0879
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,27 @@
+We omit the ChangeLog changes below, since they do not apply cleanly.
+
+
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:26:59 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ ChangeLog     | 6 ++++++
+ coders/tiff.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927ab..1eecf17ae 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         extent+=image->columns*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+-          sizeof(*strip_pixels));
++          2*sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
-- 
2.31.0


[-- Attachment #9: [PATCH 8/8] gnu: imagemagick: Add more upstream fixes --]
[-- Type: text/x-patch, Size: 6822 bytes --]

From 66713ce145d4594f317d05ab1c89fcb051e9eb72 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:01:10 -0400
Subject: [PATCH 8/8] gnu: imagemagick: Add more upstream fixes.

* gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch,
gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch,
gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/imagemagick.scm (source): Add patches.
---
 gnu/local.mk                                  |  3 ++
 gnu/packages/imagemagick.scm                  |  5 ++-
 .../imagemagick-ReadDCMImage-fix.patch        | 26 ++++++++++++++
 .../imagemagick-ReadDCMPixels-fix.patch       | 35 +++++++++++++++++++
 .../imagemagick-WriteTHUMBNAILImage-fix.patch | 25 +++++++++++++
 5 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
 create mode 100644 gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
 create mode 100644 gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 18799bac7f..bea6b8a569 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1222,6 +1222,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
   %D%/packages/patches/imagemagick-CVE-2020-27829.patch		\
+  %D%/packages/patches/imagemagick-ReadDCMImage-fix.patch	\
+  %D%/packages/patches/imagemagick-ReadDCMPixels-fix.patch	\
+  %D%/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch	\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 44598fbb73..f4cc488c43 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -142,7 +142,10 @@ text, lines, polygons, ellipses and Bézier curves.")
                (base32
                 "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))
               (patches
-               (search-patches "imagemagick-CVE-2020-27829.patch"))))))
+               (search-patches "imagemagick-ReadDCMImage-fix.patch"
+                               "imagemagick-ReadDCMPixels-fix.patch"
+                               "imagemagick-WriteTHUMBNAILImage-fix.patch"
+                               "imagemagick-CVE-2020-27829.patch"))))))
 
 (define-public perl-image-magick
   (package
diff --git a/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
new file mode 100644
index 0000000000..42ece43682
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
@@ -0,0 +1,26 @@
+From 512668dfd92b20d0d08b91d62b422d8262573281 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Wed, 24 Mar 2021 20:37:15 +0100
+Subject: [PATCH] Throw exception when no exception was raised but status was
+ false (#3432).
+
+---
+ coders/dcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 7a68ed6e8..ed17c9567 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3989,6 +3989,8 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         if (redmap != (int *) NULL)
+           redmap=(int *) RelinquishMagickMemory(redmap);
+         image=DestroyImageList(image);
++        if ((status == MagickFalse) && (exception->severity < ErrorException))
++          ThrowReaderException(CorruptImageError,"CorruptImage");
+         return(GetFirstImageInList(images));
+       }
+     if (info.depth != (1UL*MAGICKCORE_QUANTUM_DEPTH))
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
new file mode 100644
index 0000000000..a91999186b
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
@@ -0,0 +1,35 @@
+From c8f25953ad1dd38a8b2d92738f0f742ad7e0bce7 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sun, 21 Mar 2021 21:21:15 -0400
+Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32322
+
+---
+ coders/dcm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 29eed9618..7a68ed6e8 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -2984,12 +2984,12 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info,
+         }
+       else
+         {
+-          SetPixelRed(q,(Quantum) (((ssize_t) pixel.red) |
+-            (((ssize_t) GetPixelRed(q)) << 8)));
+-          SetPixelGreen(q,(Quantum) (((ssize_t) pixel.green) |
+-            (((ssize_t) GetPixelGreen(q)) << 8)));
+-          SetPixelBlue(q,(Quantum) (((ssize_t) pixel.blue) |
+-            (((ssize_t) GetPixelBlue(q)) << 8)));
++          SetPixelRed(q,(Quantum) (((size_t) pixel.red) |
++            (((size_t) GetPixelRed(q)) << 8)));
++          SetPixelGreen(q,(Quantum) (((size_t) pixel.green) |
++            (((size_t) GetPixelGreen(q)) << 8)));
++          SetPixelBlue(q,(Quantum) (((size_t) pixel.blue) |
++            (((size_t) GetPixelBlue(q)) << 8)));
+         }
+       q++;
+     }
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch
new file mode 100644
index 0000000000..f38a45b800
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch
@@ -0,0 +1,25 @@
+From 6a5d3575487487f2703383338bd17c8c25068f19 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Mar 2021 08:58:18 -0400
+Subject: [PATCH] eliminate compiler warning
+
+---
+ coders/thumbnail.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index 3833341b0..1e2bfe8c2 100644
+--- a/coders/thumbnail.c
++++ b/coders/thumbnail.c
+@@ -199,7 +199,7 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+     q++;
+   }
+   if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
+-      (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
++      ((ssize_t) length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+   if (thumbnail_image == (Image *) NULL)
+-- 
+2.31.0
+
-- 
2.31.0


^ permalink raw reply related	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2021-04-05  9:55 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-27 13:09 [PATCHES] ImageMagick security updates without grafting Mark H Weaver
2021-03-27 14:36 ` Maxime Devos
2021-03-28  0:01   ` Mark H Weaver
2021-03-28  9:59     ` Maxime Devos
2021-03-28 21:37       ` Mark H Weaver
2021-03-28 22:05         ` Maxime Devos
2021-03-29 21:28           ` Mark H Weaver
2021-03-30 22:23             ` Mark H Weaver
2021-03-28 22:33         ` Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) Mark H Weaver
2021-03-29  6:54           ` Maxime Devos
2021-04-04 20:14             ` Mark H Weaver
2021-04-05  9:53               ` Maxime Devos
2021-03-29 12:43           ` Ricardo Wurmus
2021-03-30 10:39           ` Needed: tooling to detect references to buggy */stable packages Ludovic Courtès
2021-04-04 19:54             ` Mark H Weaver

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).