From: Leo Famulari
Subject: [PATCH 2/2] gnu: libpng-1.2: Fix a null pointer dereference [fixes security issue].
Date: Thu, 29 Dec 2016 13:04:47 -0500
In-Reply-To: <1f9d01a3e412ef0677a4487d56eaa382ed86004c.1483034687.git.leo@famulari.name>
References: <1f9d01a3e412ef0677a4487d56eaa382ed86004c.1483034687.git.leo@famulari.name>
To: guix-devel@gnu.org

* gnu/packages/patches/libpng-1.2-fix-null-ptr-dereference.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libpng-1.2)[replacement]: New field.
(libpng-1.2/fixed): New variable.
--- gnu/local.mk | 1 + gnu/packages/image.scm | 9 ++++++ .../libpng-1.2-fix-null-ptr-dereference.patch | 36 ++++++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 gnu/packages/patches/libpng-1.2-fix-null-ptr-dereference.patch diff --git a/gnu/local.mk b/gnu/local.mk index 38c1b0b94..fee497b0e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -676,6 +676,7 @@ dist_patch_DATA = \ %D%/packages/patches/libmad-frame-length.patch \ %D%/packages/patches/libmad-mips-newgcc.patch \ %D%/packages/patches/libpng-fix-null-ptr-dereference.patch \ + %D%/packages/patches/libpng-1.2-fix-null-ptr-dereference.patch \ %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtheora-config-guess.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 69eeaed58..a576ae71a 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -100,6 +100,7 @@ library. It supports almost all PNG features and is extensible.") (define-public libpng-1.2 (package (inherit libpng) + (replacement libpng-1.2/fixed) (version "1.2.56") (source (origin @@ -113,6 +114,14 @@ library. It supports almost all PNG features and is extensible.") (sha256 (base32 "1ghd03p353x0vi4dk83n1nlldg11w7vqdk3f99rkgfb82ic59ki4")))))) +(define libpng-1.2/fixed + (package + (inherit libpng-1.2) + (source + (origin + (inherit (package-source libpng-1.2)) + (patches (search-patches "libpng-1.2-fix-null-ptr-dereference.patch")))))) + (define-public libjpeg (package (name "libjpeg") diff --git a/gnu/packages/patches/libpng-1.2-fix-null-ptr-dereference.patch b/gnu/packages/patches/libpng-1.2-fix-null-ptr-dereference.patch new file mode 100644 index 000000000..e6220eed8 --- /dev/null +++ b/gnu/packages/patches/libpng-1.2-fix-null-ptr-dereference.patch 
@@ -0,0 +1,36 @@ +Fix a null pointer dereference in png_set_text_2(): + +http://seclists.org/oss-sec/2016/q4/777 + +Patch adapted from upstream source repository: + +https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2/ + +From 794a15fad6add4d636369d0b46f603a02995b2e2 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Thu, 29 Dec 2016 07:34:51 -0600 +Subject: [PATCH] [libpng12] Fixed a potential null pointer dereference in + png_set_text_2() + +(bug report and patch by Patrick Keshishian). +--- + ANNOUNCE | 2 ++ + CHANGES | 4 +++- + png.c | 1 + + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/png.c b/png.c +index 08d7e86b7..a4934d1d5 100644 +--- a/png.c ++++ b/png.c +@@ -393,6 +393,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask, + png_free(png_ptr, info_ptr->text); + info_ptr->text = NULL; + info_ptr->num_text=0; ++ info_ptr->max_text=0; + } + } + #endif +-- +2.11.0 + -- 2.11.0
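Review bot: In the gnu/local.mk hunk, the new entry libpng-1.2-fix-null-ptr-dereference.patch is added after libpng-fix-null-ptr-dereference.patch, which breaks the alphabetical order the surrounding dist_patch_DATA entries follow (libmad-..., libpng-..., libssh-...). Moving it one line up, before libpng-fix-null-ptr-dereference.patch, keeps the list sorted.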
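Review bot: In gnu/packages/image.scm, libpng-1.2/fixed is introduced without a comment, so nothing at the definition says which issue the replacement addresses or that it is meant to be temporary. A short comment above "(define libpng-1.2/fixed" pointing at the oss-sec report cited in the patch header would help whoever later folds the patch into libpng-1.2 itself and drops the "(replacement libpng-1.2/fixed)" field.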
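Review bot: In the new libpng-1.2-fix-null-ptr-dereference.patch, the description names png_set_text_2() but the only hunk kept is the one-line change in png_free_data() in png.c, and the retained upstream diffstat still lists ANNOUNCE and CHANGES (3 files changed, 6 insertions, 1 deletion). Since the header already says "adapted", consider adding a sentence that the ANNOUNCE and CHANGES hunks were dropped and that the fix is resetting info_ptr->max_text together with info_ptr->num_text when info_ptr->text is freed, so a reader does not go looking for a change inside png_set_text_2().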