From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33706) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ddW8Y-00028f-EK for guix-patches@gnu.org; Fri, 04 Aug 2017 02:31:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ddW8U-00087M-O2 for guix-patches@gnu.org; Fri, 04 Aug 2017 02:31:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:38045) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ddW8U-00086s-Ht for guix-patches@gnu.org; Fri, 04 Aug 2017 02:31:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ddW8U-0005tz-6p for guix-patches@gnu.org; Fri, 04 Aug 2017 02:31:02 -0400 Subject: [bug#27937] Update php to 7.1.8 Resent-Message-ID: Date: Fri, 04 Aug 2017 08:30:08 +0200 In-Reply-To: <20170803222010.GB2421@jasmine.lan> References: <20170803202200.730c7f63@lepiller.eu> <20170803222010.GB2421@jasmine.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Julien Lepiller Message-ID: <1C708BD2-82DE-4838-8FDD-DE1B3AA71E36@lepiller.eu> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" Cc: 27937@debbugs.gnu.org Le 4 ao=C3=BBt 2017 00:20:10 GMT+02:00, Leo Famulari = a =C3=A9crit : >On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote: >> Hi, >>=20 >> a new version of php has been released=2E Here is a patch to update it= =2E > >> From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00 >2001 >> From: Julien Lepiller >> Date: Thu, 3 Aug 2017 20:14:56 +0200 >> Subject: [PATCH] gnu: php: Update to 7=2E1=2E8=2E >>=20 >> * gnu/packages/patches/gd-CVE-2017-7890=2Epatch: New file=2E >> * gnu/local=2Emk (dist_patch_DATA): Add it >> * gnu/packages/php=2Escm (php): Update to 7=2E1=2E8=2E > >Thanks! Overall LGTM=2E > >Could this close ? > I think it does >> diff --git a/gnu/packages/patches/gd-CVE-2017-7890=2Epatch >b/gnu/packages/patches/gd-CVE-2017-7890=2Epatch >> new file mode 100644 >> index 000000000=2E=2E743fc6d3d >> --- /dev/null >> +++ b/gnu/packages/patches/gd-CVE-2017-7890=2Epatch >> @@ -0,0 +1,30 @@ >> +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 >2001 >> +From: LEPILLER Julien >> +Date: Thu, 3 Aug 2017 17:04:17 +0200 >> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized >memory=2E >> + >> +The stack allocated color map buffers were not zeroed before usage, >and >> +so undefined palette indexes could cause information leakage=2E >> + >> +This is CVE-2017-7890=2E > >Would this patch be valuable for the "regular" gd package as well, or >is >it specific to gd-for-php? It could be used for gd, but I think it would trigger a lot of rebuilds=2E= I'm not confident with how the graft mechanism works, so I would need some= help=2E > >> +(define gd-for-php >> + (package >> + (inherit gd) >> + (source (origin >> + (inherit (package-source gd)) >> + (patches (search-patches "gd-fix-gd2-read-test=2Epatch" >> + "gd-fix-tests-on-i686=2Epatch" >> + =20 >"gd-freetype-test-failure=2Epatch" >> + =20 >"gd-php-73968-Fix-109-XBM-reading=2Epatch" >> + "gd-CVE-2017-7890=2Epatch")))))) > ^ =20 > This indentation is too far to the left=2E Arg=2E=2E=2E those are tabs I guess=2E Thanks for the review! I will push = it this evening if everything is ok=2E