Subject: [bug#27937] Update php to 7.1.8
Date: Sat, 5 Aug 2017 10:02:13 +0200
From: Julien Lepiller
Message-ID: <20170805100209.49f88f07@lepiller.eu>
In-Reply-To: <20170804150138.GC14950@jasmine.lan>
References: <20170803202200.730c7f63@lepiller.eu> <20170803222010.GB2421@jasmine.lan> <1C708BD2-82DE-4838-8FDD-DE1B3AA71E36@lepiller.eu> <20170804150138.GC14950@jasmine.lan>
To: 27937@debbugs.gnu.org

On Fri, 4 Aug 2017 11:01:38 -0400, Leo Famulari wrote:

> Okay, I'll look into it this weekend, unless somebody beats me to it.
>
> Next time there are lots of Guix people gathered together, I want to
> hold some kind of "security updates workshop", with the goal of
> helping more people feel comfortable working in this area.
>
> For gd in particular, if you have some specific questions, I can
> answer them over email. Surely more people have questions, too. The
> discussion could result in improvements to the manual's section on
> this topic.

Hi,

I think this patch fixes gd correctly. I think I'm supposed to also make
a patch for core-updates with the new gd for rebuilds to occur in that
branch, right? How do I proceed?

Attachment: 0001-gnu-gd-Fix-CVE-2017-7890.patch

From 828b7458582cd6fae0e7dd2375315b6b52149554 Mon Sep 17 00:00:00 2001
From: Julien Lepiller
Date: Sat, 5 Aug 2017 09:46:13 +0200
Subject: [PATCH] gnu: gd: Fix CVE-2017-7890.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd/fixed): New variable.
---
 gnu/packages/gd.scm | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index aac0f9664..48db1b247 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -37,6 +37,7 @@ (define-public gd (package (name "gd") + (replacement gd/fixed) =20 ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are @@ -93,6 +94,16 @@ most common applications of GD involve website developme= nt.") "See COPYING file in the distribution.")) (properties '((cpe-name . "libgd"))))) =20 +(define-public gd/fixed + (package + (inherit gd) + (source (origin + (inherit (package-source gd)) + (patches=20 + (append + (origin-patches (package-source gd)) + (search-patches "gd-CVE-2017-7890.patch"))))))) + (define-public perl-gd (package (name "perl-gd") --=20 2.13.4 --MP_/cezam+G4.GX3+PE+YZWSMN7--
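Review bot: the (replacement gd/fixed) hunk relies on a patch file that this commit does not ship; the ChangeLog entry names only gnu/packages/gd.scm and the diffstat (1 file changed, 11 insertions(+)) confirms nothing else is included, so a checkout with this commit applied will fail at search-patches time because gd-CVE-2017-7890.patch is not in the tree. Add the file under gnu/packages/patches/ and register it in the dist_patch_DATA list of gnu/local.mk in the same commit, and extend the ChangeLog entry with "* gnu/packages/patches/gd-CVE-2017-7890.patch: New file." and "* gnu/local.mk (dist_patch_DATA): Add it." so the commit is self-contained. The graft itself is sound: a replacement must keep the same version and remain ABI-compatible with the package it replaces, and gd/fixed inherits everything from gd and only adds a patch, so that constraint holds.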
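Review bot: in the gd/fixed hunk the new patch is appended after (origin-patches (package-source gd)), which is the right order for a fix layered on top of gd's existing patches, but the patch body is not visible in this diff, so a reviewer cannot check that it is the upstream fix for CVE-2017-7890 or that it still applies cleanly after the earlier patches. Put a short header at the top of gd-CVE-2017-7890.patch naming the upstream commit or advisory it was taken from, and confirm before pushing that both guix build -e '(@ (gnu packages gd) gd/fixed)' and a plain guix build gd (which exercises the graft) succeed.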