On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote: > Hi, > > a new version of php has been released. Here is a patch to update it. > From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00 2001 > From: Julien Lepiller > Date: Thu, 3 Aug 2017 20:14:56 +0200 > Subject: [PATCH] gnu: php: Update to 7.1.8. > > * gnu/packages/patches/gd-CVE-2017-7890.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it > * gnu/packages/php.scm (php): Update to 7.1.8. Thanks! Overall LGTM. Could this close ? > diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch > new file mode 100644 > index 000000000..743fc6d3d > --- /dev/null > +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch > @@ -0,0 +1,30 @@ > +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001 > +From: LEPILLER Julien > +Date: Thu, 3 Aug 2017 17:04:17 +0200 > +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory. > + > +The stack allocated color map buffers were not zeroed before usage, and > +so undefined palette indexes could cause information leakage. > + > +This is CVE-2017-7890. Would this patch be valuable for the "regular" gd package as well, or is it specific to gd-for-php? > +(define gd-for-php > + (package > + (inherit gd) > + (source (origin > + (inherit (package-source gd)) > + (patches (search-patches "gd-fix-gd2-read-test.patch" > + "gd-fix-tests-on-i686.patch" > + "gd-freetype-test-failure.patch" > + "gd-php-73968-Fix-109-XBM-reading.patch" > + "gd-CVE-2017-7890.patch")))))) ^ This indentation is too far to the left.
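Review bot: The new file gnu/packages/patches/gd-CVE-2017-7890.patch does not say where the fix comes from: its header carries the submitter's own From: and Date: lines (Thu, 3 Aug 2017), and the only pointer to upstream is "Fix #399" in the subject. Please add a short comment at the top of the patch file naming the upstream gd commit or issue it was taken from, and state whether it was adapted. That lets the CVE-2017-7890 fix be compared against upstream, and makes it clear when the patch can be dropped after a gd update.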
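Review bot: In the gnu/packages/php.scm hunk, gd-for-php spells out all five patches in its own (patches (search-patches ...)) field, which replaces the list inherited through (inherit (package-source gd)) instead of extending it. A patch later added to gd's origin would then not reach this variant unless someone remembers to copy it over. Consider building the list from (origin-patches (package-source gd)) and appending only the patches this variant adds. Also, the commit log entry for this file names only (php), although the hunk introduces gd-for-php; the new variable should be listed there too.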