From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56147)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ddOUL-0002yc-Qz
	for guix-patches@gnu.org; Thu, 03 Aug 2017 18:21:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ddOUI-0005lP-P2
	for guix-patches@gnu.org; Thu, 03 Aug 2017 18:21:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:37812)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1ddOUI-0005kp-Dj
	for guix-patches@gnu.org; Thu, 03 Aug 2017 18:21:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ddOUI-00031g-4Z
	for guix-patches@gnu.org; Thu, 03 Aug 2017 18:21:02 -0400
Subject: [bug#27937] Update php to 7.1.8
Resent-Message-ID: <handler.27937.B27937.150179881811575@debbugs.gnu.org>
Date: Thu, 3 Aug 2017 18:20:10 -0400
From: Leo Famulari <leo@famulari.name>
Message-ID: <20170803222010.GB2421@jasmine.lan>
References: <20170803202200.730c7f63@lepiller.eu>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="f2QGlHpHGjS2mn6Y"
Content-Disposition: inline
In-Reply-To: <20170803202200.730c7f63@lepiller.eu>
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Julien Lepiller <julien@lepiller.eu>
Cc: 27937@debbugs.gnu.org


--f2QGlHpHGjS2mn6Y
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote:
> Hi,
>=20
> a new version of php has been released. Here is a patch to update it.

> From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Thu, 3 Aug 2017 20:14:56 +0200
> Subject: [PATCH] gnu: php: Update to 7.1.8.
>=20
> * gnu/packages/patches/gd-CVE-2017-7890.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it
> * gnu/packages/php.scm (php): Update to 7.1.8.

Thanks! Overall LGTM.

Could this close <https://bugs.gnu.org/27808>?

> diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/p=
atches/gd-CVE-2017-7890.patch
> new file mode 100644
> index 000000000..743fc6d3d
> --- /dev/null
> +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch
> @@ -0,0 +1,30 @@
> +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
> +From: LEPILLER Julien <julien.lepiller@irisa.fr>
> +Date: Thu, 3 Aug 2017 17:04:17 +0200
> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
> +
> +The stack allocated color map buffers were not zeroed before usage, and
> +so undefined palette indexes could cause information leakage.
> +
> +This is CVE-2017-7890.

Would this patch be valuable for the "regular" gd package as well, or is
it specific to gd-for-php?

> +(define gd-for-php
> +  (package
> +    (inherit gd)
> +    (source (origin
> +             (inherit (package-source gd))
> +             (patches (search-patches "gd-fix-gd2-read-test.patch"
> +                                      "gd-fix-tests-on-i686.patch"
> +                                      "gd-freetype-test-failure.patch"
> +                                      "gd-php-73968-Fix-109-XBM-reading.=
patch"
> +				      "gd-CVE-2017-7890.patch"))))))
                                      ^ =20
                                      This indentation is too far to the le=
ft.

--f2QGlHpHGjS2mn6Y
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmDoZoACgkQJkb6MLrK
fwgDSxAAy1zModh3BcyyZtFw58VRe6rIjfR8NpEX1Pp66diQNaTl9GseVjDqH62T
bh7zY/L7wANIo/Gu4XMA2nnDCj2OfTTYXxnqb8W1dhCnP8cjv9l5ac/qd4U1vZ5G
ioRvZQB6h1FKd0KZxuX2VirhRLJvyN/wqZdOZ4Ww20Tc/esjNM5GabeGNCL/HRko
1lkJ7R1M/gsIRce6a4cnRbxgSPFToCyWrm4Ndpu5hG7L30N+h/U44gjfQl8ReC7s
v6P24lo8c97iniZSJHaykhqwfjCtO4dra4wSefSXGlGEWEnfMo590P/x5XlgZK7D
vkvamzOWezmyRouX5gEiBIYJHz2c+eMNBCvPpEOuLL8p0LAYPISpTZgSZeNKhYxt
Bl/Wixcba78ksz9lAQQaSIe+hmtgiJCA2VqhEV4LbgyfspIYabFfu6Jhe0/dLwB/
h8ksSxjA9gO4qmjSAukI+A1jzthiza/UbVrerYo/5nybsPxW1wY0ZWH0Zv2vQo0d
nXv65vxBHWpbEiueohG+qAUrvC9Q4wcZBl5Gor5E854jd1yQfwAbT5m900NxhvvU
/sfR7tKyNYZtC9PqNxfQJQ/A1OtoZ/9EGMZ1dqoCf8Nx8SrYHcV2dxjXF1bQ3SEJ
ZXuWBZa2o/rQ3i/GWIN4MUiSNprZpP36tyIQDedT6HwTl4zG5Ao=
=/Noq
-----END PGP SIGNATURE-----

--f2QGlHpHGjS2mn6Y--