[bug#31322] GIMP 2.10.0 update

[bug#31322] GIMP 2.10.0 update

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 213 bytes --]

The following patch series updates GIMP to the new release, 2.10.0.

I tested on x86_64-linux (foreign distro) by doing some very basic
operations, like opening and editing some images, and exporting the
results.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#31322] [PATCH 1/6] gnu: Add libmypaint.

[Leo Famulari]

* gnu/packages/gimp.scm (libmypaint): New variable.
---
 gnu/packages/gimp.scm | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 2483885c9..ea2d3da7d 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -39,6 +39,7 @@
   #:use-module (gnu packages pdf)
   #:use-module (gnu packages photo)
   #:use-module (gnu packages python)
+  #:use-module (gnu packages web)
   #:use-module (gnu packages xorg))
 
 (define-public babl
@@ -243,3 +244,31 @@ an image, allowing you to work with the transformed image inside GIMP.  You
 can draw or apply filters in fourier space and get the modified image with an
 inverse fourier transform.")
     (license license:gpl3+)))
+
+(define-public libmypaint
+  (package
+    (name "libmypaint")
+    (version "1.3.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/mypaint/libmypaint/"
+                                  "releases/download/v" version "/libmypaint-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "0wd6jk69vmhsq1mdw96v0fh7b28n3glkr5ca466zcq7agzaxj1va"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("intltool" ,intltool)
+       ("pkg-config" ,pkg-config)))
+    ;; As needed by 'libmypaint.pc'.
+    (propagated-inputs
+     `(("json-c" ,json-c)
+       ("gobject-introspection" ,gobject-introspection)))
+    (inputs
+     `(("glib" ,glib)))
+    (synopsis "Artistic brushes library")
+    (description "Libmypaint, also called \"brushlib\", is a library for making
+brushstrokes which is used by MyPaint and other projects.")
+    (home-page "http://mypaint.org")
+    (license license:isc)))
-- 
2.17.0

[bug#31322] [PATCH 2/6] gnu: Add mypaint-brushes.

[Leo Famulari]

* gnu/packages/gimp.scm (mypaint-brushes): New variable.
---
 gnu/packages/gimp.scm | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index ea2d3da7d..9b63d56e0 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -28,6 +28,7 @@
   #:use-module (guix build-system glib-or-gtk)
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gtk)
@@ -272,3 +273,29 @@ inverse fourier transform.")
 brushstrokes which is used by MyPaint and other projects.")
     (home-page "http://mypaint.org")
     (license license:isc)))
+
+(define-public mypaint-brushes
+  (package
+    (name "mypaint-brushes")
+    (version "1.3.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/Jehan/mypaint-brushes/"
+                                  "archive/v" version ".tar.gz"))
+              (sha256
+               (base32
+                "055j2rgkav2024zl6y5hxb2ra0vbx58607d6sz7ml2351r1bcjvh"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'bootstrap
+           (lambda _ (invoke "sh" "./autogen.sh"))))))
+    (inputs
+     `(("autoconf" ,autoconf)
+       ("automake" ,automake)))
+    (synopsis "Default brushes for MyPaint")
+    (description "This package provides the default set of brushes for
+MyPaint.")
+    (home-page "https://github.com/Jehan/mypaint-brushes")
+    (license license:cc0)))
-- 
2.17.0

[bug#31322] [PATCH 3/6] gnu: Add poppler-data.

[Leo Famulari]

* gnu/packages/pdf.scm (poppler-data): New variable.
---
 gnu/packages/pdf.scm | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 7762b06ff..806ea72e0 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -10,7 +10,7 @@
 ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -124,6 +124,36 @@
    (license license:gpl2+)
    (home-page "https://poppler.freedesktop.org/")))
 
+(define-public poppler-data
+  (package
+    (name "poppler-data")
+    (version "0.4.9")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://poppler.freedesktop.org/poppler-data"
+                                  "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "04i0wgdkn5lhda8cyxd1ll4a2p41pwqrwd47n9mdpl7cx5ypx70z"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:tests? #f ; no test suite
+       #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")))
+       #:phases
+       (modify-phases %standard-phases
+         ;; The package only provides some data files, so there is nothing to
+         ;; build.
+         (delete 'configure)
+         (delete 'build))))
+    (synopsis "Poppler encoding files for rendering of CJK and Cyrillic text")
+    (description "This package provides optional encoding files for Poppler.
+When present, Poppler is able to correctly render CJK and Cyrillic text.")
+    (home-page "")
+    ;; See COPYING in the source distribution for more information about
+    ;; the licensing.
+    (license (list license:non-copyleft
+                   license:gpl2))))
+
 (define-public poppler-qt4
   (package (inherit poppler)
    (name "poppler-qt4")
-- 
2.17.0

[bug#31322] [PATCH 4/6] gnu: gegl: Update to 0.4.

[Leo Famulari]

* gnu/packages/gimp.scm (gegl): Update to 0.4.
[inputs]: Move babl and glib to propagated-inputs.
[propagated-inputs]: Add json-glib.
[arguments]: Re-enable the tests and remove the obsolete 'pre-build'
phase.
[source]: Use HTTPS URL.
* gnu/packages/patches/gegl-CVE-2012-4433.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                  |   1 -
 gnu/packages/gimp.scm                         |  36 ++----
 gnu/packages/patches/gegl-CVE-2012-4433.patch | 117 ------------------
 3 files changed, 9 insertions(+), 145 deletions(-)
 delete mode 100644 gnu/packages/patches/gegl-CVE-2012-4433.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ec11b2663..78358d983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -696,7 +696,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gd-CVE-2018-5711.patch			\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
   %D%/packages/patches/gd-freetype-test-failure.patch		\
-  %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/gemma-intel-compat.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 9b63d56e0..8bd7bd845 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -77,43 +77,25 @@ provided, as well as a framework to add new color models and data types.")
 (define-public gegl
   (package
     (name "gegl")
-    (version "0.2.0")
+    (version "0.4.0")
     (source (origin
               (method url-fetch)
-              (uri (list (string-append "http://download.gimp.org/pub/gegl/"
+              (uri (list (string-append "https://download.gimp.org/pub/gegl/"
                                         (string-take version 3)
                                         "/" name "-" version ".tar.bz2")))
               (sha256
                (base32
-                "09nlv06li9nrn74ifpm7223mxpg0s7cii702z72cpbwrjh6nlbnz"))
-              (patches (search-patches "gegl-CVE-2012-4433.patch"))))
+                "1ighk4z8nlqrzyj8w97s140hzj59564l3xv6fpzbr97m1zx2nkfh"))))
     (build-system gnu-build-system)
     (arguments
-     '(;; More than just the one test disabled below now fails; disable them
-       ;; all according to the rationale given below.
-       #:tests? #f
-       #:configure-flags '("LDFLAGS=-lm")
-       #:phases
-       (modify-phases %standard-phases
-         (add-before 'build 'pre-build
-           (lambda _
-             ;; This test program seems to crash on exit. Specifically, whilst
-             ;; g_object_unreffing bufferA and bufferB - This seems to be a bug
-             ;; in the destructor.  This is just a test program so will not have
-             ;; any wider effect, although might be hiding another problem.
-             ;; According to advice received on irc.gimp.org#gegl although 0.2.0
-             ;; is the latest released version, any bug reports against it will
-             ;; be ignored.  So we are on our own.
-             (substitute* "tools/img_cmp.c"
-               (("g_object_unref \\(buffer.\\);") ""))
-
-             (substitute* "tests/compositions/Makefile"
-               (("/bin/sh") (which "sh")))
-             #t)))))
-    (inputs
+     '(#:configure-flags '("LDFLAGS=-lm")))
+    ;; These are propagated to satisfy 'gegl-0.4.pc'.
+    (propagated-inputs
      `(("babl" ,babl)
        ("glib" ,glib)
-       ("cairo" ,cairo)
+       ("json-glib" ,json-glib)))
+    (inputs
+     `(("cairo" ,cairo)
        ("pango" ,pango)
        ("libpng" ,libpng)
        ("libjpeg" ,libjpeg-8)))
diff --git a/gnu/packages/patches/gegl-CVE-2012-4433.patch b/gnu/packages/patches/gegl-CVE-2012-4433.patch
deleted file mode 100644
index 7352b78db..000000000
--- a/gnu/packages/patches/gegl-CVE-2012-4433.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From: Michael Gilbert <mgilbert@debian.org>
-Date: Mon, 9 Sep 2013 17:34:32 +0200
-Subject: Fix_CVE-2012-4433
-
-Multiple buffer overflow issues.
-
-Closes: #692435
----
- operations/external/ppm-load.c | 62 ++++++++++++++++++++++++++++++++++++------
- 1 file changed, 53 insertions(+), 9 deletions(-)
-
-diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c
-index efe6d56..465096d 100644
---- a/operations/external/ppm-load.c
-+++ b/operations/external/ppm-load.c
-@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load."))
- #include "gegl-chant.h"
- #include <stdio.h>
- #include <stdlib.h>
-+#include <errno.h>
- 
- typedef enum {
-   PIXMAP_ASCII  = 51,
-@@ -44,8 +45,8 @@ typedef enum {
- 
- typedef struct {
- 	map_type   type;
--	gint       width;
--	gint       height;
-+	glong      width;
-+	glong      height;
-         gsize      numsamples; /* width * height * channels */
-         gsize      bpc;        /* bytes per channel */
- 	guchar    *data;
-@@ -82,12 +83,33 @@ ppm_load_read_header(FILE       *fp,
-       }
- 
-     /* Get Width and Height */
--    img->width  = strtol (header,&ptr,0);
--    img->height = atoi (ptr);
--    img->numsamples = img->width * img->height * CHANNEL_COUNT;
-+    errno = 0;
-+    img->width  = strtol (header,&ptr,10);
-+    if (errno)
-+      {
-+        g_warning ("Error reading width: %s", strerror(errno));
-+        return FALSE;
-+      }
-+    else if (img->width < 0)
-+      {
-+        g_warning ("Error: width is negative");
-+        return FALSE;
-+      }
-+
-+    img->height = strtol (ptr,&ptr,10);
-+    if (errno)
-+      {
-+        g_warning ("Error reading height: %s", strerror(errno));
-+        return FALSE;
-+      }
-+    else if (img->width < 0)
-+      {
-+        g_warning ("Error: height is negative");
-+        return FALSE;
-+      }
- 
-     fgets (header,MAX_CHARS_IN_ROW,fp);
--    maxval = strtol (header,&ptr,0);
-+    maxval = strtol (header,&ptr,10);
- 
-     if ((maxval != 255) && (maxval != 65535))
-       {
-@@ -109,6 +131,16 @@ ppm_load_read_header(FILE       *fp,
-       g_warning ("%s: Programmer stupidity error", G_STRLOC);
-     }
- 
-+    /* Later on, img->numsamples is multiplied with img->bpc to allocate
-+     * memory. Ensure it doesn't overflow. */
-+    if (!img->width || !img->height ||
-+        G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
-+      {
-+        g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
-+        return FALSE;
-+      }
-+    img->numsamples = img->width * img->height * CHANNEL_COUNT;
-+
-     return TRUE;
- }
- 
-@@ -229,12 +261,24 @@ process (GeglOperation       *operation,
-   if (!ppm_load_read_header (fp, &img))
-     goto out;
- 
--  rect.height = img.height;
--  rect.width = img.width;
--
-   /* Allocating Array Size */
-+
-+  /* Should use g_try_malloc(), but this causes crashes elsewhere because the
-+   * error signalled by returning FALSE isn't properly acted upon. Therefore
-+   * g_malloc() is used here which aborts if the requested memory size can't be
-+   * allocated causing a controlled crash. */
-   img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
- 
-+  /* No-op without g_try_malloc(), see above. */
-+  if (! img.data)
-+    {
-+      g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
-+      goto out;
-+    }
-+
-+  rect.height = img.height;
-+  rect.width = img.width;
-+
-   switch (img.bpc)
-     {
-     case 1:
-- 
2.17.0

[bug#31322] [PATCH 5/6] gnu: babl: Update to 0.1.46.

[Leo Famulari]

* gnu/packages/gimp.scm (babl): Update to 0.1.46.
---
 gnu/packages/gimp.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index 8bd7bd845..b9cf204a7 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -46,7 +46,7 @@
 (define-public babl
   (package
     (name "babl")
-    (version "0.1.40")
+    (version "0.1.46")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://download.gimp.org/pub/babl/"
@@ -60,7 +60,7 @@
                                         "/babl-" version ".tar.bz2")))
               (sha256
                (base32
-                "08cdl6rcfvkhqsnhb214xzr0wbrv0956xzlrzqxcb1k1madgjanh"))))
+                "0nwyhvfca6m35wjcccvwca7fcihzgdfyc012qi703y5d3cxl1hmv"))))
     (build-system gnu-build-system)
     (home-page "http://gegl.org/babl/")
     (synopsis "Image pixel format conversion library")
-- 
2.17.0

[bug#31322] [PATCH 6/6] gnu: gimp: Update to 2.10.0.

[Leo Famulari]

* gnu/packages/gimp.scm (gimp): Update to 2.10.0.
[inputs]: Add glib-networking, gexiv2, libmypaint, mypaint-brushes and
poppler-data.
[native-inputs]: Add glib:bin.
[source]: Remove obsolete patches and use HTTPS URL.
[home-page]: Use HTTPS URL.
* gnu/packages/patches/gimp-CVE-2017-17784.patch,
gnu/packages/patches/gimp-CVE-2017-17785.patch,
gnu/packages/patches/gimp-CVE-2017-17786.patch,
gnu/packages/patches/gimp-CVE-2017-17787.patch,
gnu/packages/patches/gimp-CVE-2017-17789.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                  |   5 -
 gnu/packages/gimp.scm                         |  24 +--
 .../patches/gimp-CVE-2017-17784.patch         |  41 -----
 .../patches/gimp-CVE-2017-17785.patch         | 171 ------------------
 .../patches/gimp-CVE-2017-17786.patch         |  94 ----------
 .../patches/gimp-CVE-2017-17787.patch         |  42 -----
 .../patches/gimp-CVE-2017-17789.patch         |  48 -----
 7 files changed, 13 insertions(+), 412 deletions(-)
 delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17784.patch
 delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17785.patch
 delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17786.patch
 delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17787.patch
 delete mode 100644 gnu/packages/patches/gimp-CVE-2017-17789.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 78358d983..4580cc559 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -705,11 +705,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/giflib-make-reallocarray-private.patch	\
-  %D%/packages/patches/gimp-CVE-2017-17784.patch		\
-  %D%/packages/patches/gimp-CVE-2017-17785.patch		\
-  %D%/packages/patches/gimp-CVE-2017-17786.patch		\
-  %D%/packages/patches/gimp-CVE-2017-17787.patch		\
-  %D%/packages/patches/gimp-CVE-2017-17789.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-respect-datadir.patch		\
   %D%/packages/patches/glib-tests-timer.patch			\
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index b9cf204a7..b8df074d1 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -115,23 +116,18 @@ buffers.")
 (define-public gimp
   (package
     (name "gimp")
-    (version "2.8.22")
+    (version "2.10.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://download.gimp.org/pub/gimp/v"
+              (uri (string-append "https://download.gimp.org/pub/gimp/v"
                                   (version-major+minor version)
                                   "/gimp-" version ".tar.bz2"))
-              (patches (search-patches "gimp-CVE-2017-17784.patch"
-                                       "gimp-CVE-2017-17785.patch"
-                                       "gimp-CVE-2017-17786.patch"
-                                       "gimp-CVE-2017-17787.patch"
-                                       "gimp-CVE-2017-17789.patch"))
               (sha256
                (base32
-                "12k3lp938qdc9cqj29scg55f3bb8iav2fysd29w0s49bqmfa71wi"))))
+                "1qkxaigbfkx26xym5nzrgfrmn97cbnhn63v1saaha2nbi3xrdk3z"))))
     (build-system gnu-build-system)
     (outputs '("out"
-               "doc"))                            ;5 MiB of gtk-doc HTML
+               "doc"))                            ;9 MiB of gtk-doc HTML
     (arguments
      '(#:configure-flags (list (string-append "--with-html-dir="
                                               (assoc-ref %outputs "doc")
@@ -155,21 +151,27 @@ buffers.")
     (inputs
      `(("babl" ,babl)
        ("glib" ,glib)
+       ("glib-networking" ,glib-networking)
        ("libtiff" ,libtiff)
        ("libjpeg" ,libjpeg-8)
        ("atk" ,atk)
+       ("gexiv2" ,gexiv2)
        ("gtk+" ,gtk+-2)
+       ("libmypaint" ,libmypaint)
+       ("mypaint-brushes" ,mypaint-brushes)
        ("exif" ,libexif)                ; optional, EXIF + XMP support
        ("lcms" ,lcms)                   ; optional, color management
        ("librsvg" ,librsvg)             ; optional, SVG support
        ("poppler" ,poppler)             ; optional, PDF support
+       ("poppler-data" ,poppler-data)
        ("python" ,python-2)             ; optional, Python support
        ("python2-pygtk" ,python2-pygtk) ; optional, Python support
        ("gegl" ,gegl)))
     (native-inputs
-     `(("pkg-config" ,pkg-config)
+     `(("glib:bin" ,glib "bin") ; for glib-compile-resources and gdbus-codegen
+       ("pkg-config" ,pkg-config)
        ("intltool" ,intltool)))
-    (home-page "http://gimp.org")
+    (home-page "https://gimp.org")
     (synopsis "GNU Image Manipulation Program")
     (description
      "GIMP is an application for image manipulation tasks such as photo
diff --git a/gnu/packages/patches/gimp-CVE-2017-17784.patch b/gnu/packages/patches/gimp-CVE-2017-17784.patch
deleted file mode 100644
index c791772fb..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17784.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2017-17784:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
-https://bugzilla.gnome.org/show_bug.cgi?id=790784
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
-
-From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Thu, 21 Dec 2017 12:25:32 +0100
-Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
- load_image.
-
-We were assuming the input name was well formed, hence was
-nul-terminated. As any data coming from external input, this has to be
-thorougly checked.
-Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
-to older gimp-2-8 code.
----
- plug-ins/common/file-gbr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
-index b028100bef..d3f01d9c56 100644
---- a/plug-ins/common/file-gbr.c
-+++ b/plug-ins/common/file-gbr.c
-@@ -443,7 +443,8 @@ load_image (const gchar  *filename,
-     {
-       gchar *temp = g_new (gchar, bn_size);
- 
--      if ((read (fd, temp, bn_size)) < bn_size)
-+      if ((read (fd, temp, bn_size)) < bn_size ||
-+          temp[bn_size - 1] != '\0')
-         {
-           g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
-                        _("Error in GIMP brush file '%s'"),
--- 
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17785.patch b/gnu/packages/patches/gimp-CVE-2017-17785.patch
deleted file mode 100644
index 939b01f21..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17785.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-Fix CVE-2017-17785:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
-https://bugzilla.gnome.org/show_bug.cgi?id=739133
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
-
-From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 29 Oct 2017 15:19:41 +0100
-Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI
- files.
-
-It is possible to trigger a heap overflow while parsing FLI files. The
-RLE decoder is vulnerable to out of boundary writes due to lack of
-boundary checks.
-
-The variable "framebuf" points to a memory area which was allocated
-with fli_header->width * fli_header->height bytes. The RLE decoder
-therefore must never write beyond that limit.
-
-If an illegal frame is detected, the parser won't stop, which means
-that the next valid sequence is properly parsed again. This should
-allow GIMP to parse FLI files as good as possible even if they are
-broken by an attacker or by accident.
-
-While at it, I changed the variable xc to be of type size_t, because
-the multiplication of width and height could overflow a 16 bit type.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
----
- plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
- 1 file changed, 35 insertions(+), 15 deletions(-)
-
-diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
-index 313efeb977..ffb651e2af 100644
---- a/plug-ins/file-fli/fli.c
-+++ b/plug-ins/file-fli/fli.c
-@@ -25,6 +25,8 @@
- 
- #include "config.h"
- 
-+#include <glib/gstdio.h>
-+
- #include <string.h>
- #include <stdio.h>
- 
-@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
- 	unsigned short yc;
- 	unsigned char *pos;
- 	for (yc=0; yc < fli_header->height; yc++) {
--		unsigned short xc, pc, pcnt;
-+		unsigned short pc, pcnt;
-+		size_t n, xc;
- 		pc=fli_read_char(f);
- 		xc=0;
- 		pos=framebuf+(fli_header->width * yc);
-+		n=(size_t)fli_header->width * (fli_header->height-yc);
- 		for (pcnt=pc; pcnt>0; pcnt--) {
- 			unsigned short ps;
- 			ps=fli_read_char(f);
- 			if (ps & 0x80) {
- 				unsigned short len;
--				for (len=-(signed char)ps; len>0; len--) {
-+				for (len=-(signed char)ps; len>0 && xc<n; len--) {
- 					pos[xc++]=fli_read_char(f);
- 				}
- 			} else {
- 				unsigned char val;
-+				size_t len;
-+				len=MIN(n-xc,ps);
- 				val=fli_read_char(f);
--				memset(&(pos[xc]), val, ps);
--				xc+=ps;
-+				memset(&(pos[xc]), val, len);
-+				xc+=len;
- 			}
- 		}
- 	}
-@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
- 	memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
- 	firstline = fli_read_short(f);
- 	numline = fli_read_short(f);
-+	if (numline > fli_header->height || fli_header->height-numline < firstline)
-+		return;
-+
- 	for (yc=0; yc < numline; yc++) {
--		unsigned short xc, pc, pcnt;
-+		unsigned short pc, pcnt;
-+		size_t n, xc;
- 		pc=fli_read_char(f);
- 		xc=0;
- 		pos=framebuf+(fli_header->width * (firstline+yc));
-+		n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
- 		for (pcnt=pc; pcnt>0; pcnt--) {
- 			unsigned short ps,skip;
- 			skip=fli_read_char(f);
- 			ps=fli_read_char(f);
--			xc+=skip;
-+			xc+=MIN(n-xc,skip);
- 			if (ps & 0x80) {
- 				unsigned char val;
-+				size_t len;
- 				ps=-(signed char)ps;
- 				val=fli_read_char(f);
--				memset(&(pos[xc]), val, ps);
--				xc+=ps;
-+				len=MIN(n-xc,ps);
-+				memset(&(pos[xc]), val, len);
-+				xc+=len;
- 			} else {
--				fread(&(pos[xc]), ps, 1, f);
--				xc+=ps;
-+				size_t len;
-+				len=MIN(n-xc,ps);
-+				fread(&(pos[xc]), len, 1, f);
-+				xc+=len;
- 			}
- 		}
- 	}
-@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
- 	yc=0;
- 	numline = fli_read_short(f);
- 	for (lc=0; lc < numline; lc++) {
--		unsigned short xc, pc, pcnt, lpf, lpn;
-+		unsigned short pc, pcnt, lpf, lpn;
-+		size_t n, xc;
- 		pc=fli_read_short(f);
- 		lpf=0; lpn=0;
- 		while (pc & 0x8000) {
-@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
- 			}
- 			pc=fli_read_short(f);
- 		}
-+		yc=MIN(yc, fli_header->height);
- 		xc=0;
- 		pos=framebuf+(fli_header->width * yc);
-+		n=(size_t)fli_header->width * (fli_header->height-yc);
- 		for (pcnt=pc; pcnt>0; pcnt--) {
- 			unsigned short ps,skip;
- 			skip=fli_read_char(f);
- 			ps=fli_read_char(f);
--			xc+=skip;
-+			xc+=MIN(n-xc,skip);
- 			if (ps & 0x80) {
- 				unsigned char v1,v2;
- 				ps=-(signed char)ps;
- 				v1=fli_read_char(f);
- 				v2=fli_read_char(f);
--				while (ps>0) {
-+				while (ps>0 && xc+1<n) {
- 					pos[xc++]=v1;
- 					pos[xc++]=v2;
- 					ps--;
- 				}
- 			} else {
--				fread(&(pos[xc]), ps, 2, f);
--				xc+=ps << 1;
-+				size_t len;
-+				len=MIN((n-xc)/2,ps);
-+				fread(&(pos[xc]), len, 2, f);
-+				xc+=len << 1;
- 			}
- 		}
- 		if (lpf) pos[xc]=lpn;
--- 
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17786.patch b/gnu/packages/patches/gimp-CVE-2017-17786.patch
deleted file mode 100644
index 851227ac1..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17786.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-Fix CVE-2017-17786:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
-https://bugzilla.gnome.org/show_bug.cgi?id=739134
-
-Both patches copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
-https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
-
-From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Wed, 20 Dec 2017 13:02:38 +0100
-Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap
- overflow in...
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-... TGA importer.
-
-Be more thorough on valid TGA RGB and RGBA images.
-In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
-channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
-RGB as 15 and 24 bits.
-Maybe there exist more variants, but if they do exist, we simply don't
-support them yet.
-
-Thanks to Hanno Böck for the report and a first patch attempt.
-
-(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
----
- plug-ins/common/file-tga.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
-index aef98702d4..426acc2925 100644
---- a/plug-ins/common/file-tga.c
-+++ b/plug-ins/common/file-tga.c
-@@ -564,12 +564,16 @@ load_image (const gchar  *filename,
-           }
-         break;
-       case TGA_TYPE_COLOR:
--        if (info.bpp != 15 && info.bpp != 16 &&
--            info.bpp != 24 && info.bpp != 32)
-+        if ((info.bpp != 15 && info.bpp != 16 &&
-+             info.bpp != 24 && info.bpp != 32)      ||
-+            ((info.bpp == 15 || info.bpp == 24) &&
-+             info.alphaBits != 0)                   ||
-+            (info.bpp == 16 && info.alphaBits != 1) ||
-+            (info.bpp == 32 && info.alphaBits != 8))
-           {
--            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
-+            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
-                        gimp_filename_to_utf8 (filename),
--                       info.imageType, info.bpp);
-+                       info.imageType, info.bpp, info.alphaBits);
-             return -1;
-           }
-         break;
--- 
-2.15.1
-
-From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Wed, 20 Dec 2017 13:26:26 +0100
-Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
-
-According to some spec on the web, 16-bit RGB is also valid. In this
-case, the last bit is simply ignored (at least that's how it is
-implemented right now).
-
-(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
----
- plug-ins/common/file-tga.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
-index 426acc2925..eb14a1dadc 100644
---- a/plug-ins/common/file-tga.c
-+++ b/plug-ins/common/file-tga.c
-@@ -568,7 +568,8 @@ load_image (const gchar  *filename,
-              info.bpp != 24 && info.bpp != 32)      ||
-             ((info.bpp == 15 || info.bpp == 24) &&
-              info.alphaBits != 0)                   ||
--            (info.bpp == 16 && info.alphaBits != 1) ||
-+            (info.bpp == 16 && info.alphaBits != 1 &&
-+             info.alphaBits != 0)                   ||
-             (info.bpp == 32 && info.alphaBits != 8))
-           {
-             g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
--- 
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17787.patch b/gnu/packages/patches/gimp-CVE-2017-17787.patch
deleted file mode 100644
index b5310d33d..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17787.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix CVE-2017-17787:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787
-https://bugzilla.gnome.org/show_bug.cgi?id=790853
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
-
-From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Thu, 21 Dec 2017 12:49:41 +0100
-Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
-
-As any external data, we have to check that strings being read at fixed
-length are properly nul-terminated.
-
-(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
----
- plug-ins/common/file-psp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
-index 4cbafe37b1..e350e4d88d 100644
---- a/plug-ins/common/file-psp.c
-+++ b/plug-ins/common/file-psp.c
-@@ -890,6 +890,12 @@ read_creator_block (FILE     *f,
-               g_free (string);
-               return -1;
-             }
-+          if (string[length - 1] != '\0')
-+            {
-+              g_message ("Creator keyword data not nul-terminated");
-+              g_free (string);
-+              return -1;
-+            }
-           switch (keyword)
-             {
-             case PSP_CRTR_FLD_TITLE:
--- 
-2.15.1
-
diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch
deleted file mode 100644
index 6dfa435fd..000000000
--- a/gnu/packages/patches/gimp-CVE-2017-17789.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Fix CVE-2017-17789:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
-https://bugzilla.gnome.org/show_bug.cgi?id=790849
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
-
-From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
-From: Jehan <jehan@girinstud.io>
-Date: Wed, 20 Dec 2017 16:44:20 +0100
-Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
- overflow...
-
-... in PSP importer.
-Check if declared block length is valid (i.e. within the actual file)
-before going further.
-Consider the file as broken otherwise and fail loading it.
-
-(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
----
- plug-ins/common/file-psp.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
-index ac0fff78f0..4cbafe37b1 100644
---- a/plug-ins/common/file-psp.c
-+++ b/plug-ins/common/file-psp.c
-@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
-     {
-       block_start = ftell (f);
- 
-+      if (block_start + block_total_len > st.st_size)
-+        {
-+          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
-+                       _("Could not open '%s' for reading: %s"),
-+                       gimp_filename_to_utf8 (filename),
-+                       _("invalid block size"));
-+          goto error;
-+        }
-+
-       if (id == PSP_IMAGE_BLOCK)
-         {
-           if (block_number != 0)
--- 
-2.15.1
-
-- 
2.17.0

[bug#31322] GIMP 2.10.0 update

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 415 bytes --]

On Mon, Apr 30, 2018 at 04:37:37PM -0400, Leo Famulari wrote:
> The following patch series updates GIMP to the new release, 2.10.0.
> 
> I tested on x86_64-linux (foreign distro) by doing some very basic
> operations, like opening and editing some images, and exporting the
> results.

By the way, I found some minor issues in these patches with `guix lint`.
All these issues will be fixed before pushing.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#31322] [PATCH 1/6] gnu: Add libmypaint.

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 323 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/gimp.scm (libmypaint): New variable.

[...]

> +    (description "Libmypaint, also called \"brushlib\", is a library for making
> +brushstrokes which is used by MyPaint and other projects.")

Maybe also advertise GIMP since we don't appear to have MyPaint yet :-)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

[bug#31322] [PATCH 2/6] gnu: Add mypaint-brushes.

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 208 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/gimp.scm (mypaint-brushes): New variable.

[...]

> +    (inputs
> +     `(("autoconf" ,autoconf)
> +       ("automake" ,automake)))

native-inputs?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

[bug#31322] [PATCH 3/6] gnu: Add poppler-data.

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1016 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/pdf.scm (poppler-data): New variable.

[...]

> +    (home-page "")

(package-home-page poppler)

> +    ;; See COPYING in the source distribution for more information about
> +    ;; the licensing.
> +    (license (list license:non-copyleft
> +                   license:gpl2))))

Note: non-copyleft is a procedure that takes a URI and a comment.

Maybe something along these lines?

(license:non-copyleft "file://COPYING.adobe" "cMap data files are under
a three-clause BSD-like license.")

Or maybe just BSD-3, it only differs from the template in this text:

...IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE...

instead of the template (from Wikipedia):

...IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE...

I don't know how widespread this difference is, or if the added wording
has any consequences (sounds like it might).  Could we go with BSD-3?

Also, since it is never specified that it's GPL2 only, maybe we should
use GPL2+?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

[bug#31322] GIMP 2.10.0 update

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 337 bytes --]

Leo Famulari <leo@famulari.name> writes:

> The following patch series updates GIMP to the new release, 2.10.0.
>
> I tested on x86_64-linux (foreign distro) by doing some very basic
> operations, like opening and editing some images, and exporting the
> results.

Excellent.  The patches LGTM apart from minor nitpicks sent separately.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

[bug#31322] [PATCH 3/6] gnu: Add poppler-data.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1150 bytes --]

On Tue, May 01, 2018 at 12:40:24AM +0200, Marius Bakke wrote:
> (package-home-page poppler)

Thanks

> Or maybe just BSD-3, it only differs from the template in this text

Yeah, the linter got me to look again and I changed it to bsd-3.

> Also, since it is never specified that it's GPL2 only, maybe we should
> use GPL2+?

COPYING says this:

"The cidToUnicode, nameToUnicode and unicodeMap data files
installed by the poppler-data package are Copyright Glyph & Cog, LLC
and are under the COPYING.gpl2 license"

And from COPYING.gpl2:

"If the Program specifies a version number of this License which applies to it
and "any later version", you have the option of following the terms and
conditions either of that version or of any later version published by the Free
Software Foundation.  If the Program does not specify a version number of this
License, you may choose any version ever published by the Free Software
Foundation."

I interpret the reference to COPYING.gpl2 in the COPYING file to specify
version 2, although it's likely they didn't give much thought to this
issue, since the files in question are not software, but just some data.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31322: GIMP 2.10.0 update

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 489 bytes --]

On Tue, May 01, 2018 at 12:44:15AM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > The following patch series updates GIMP to the new release, 2.10.0.
> >
> > I tested on x86_64-linux (foreign distro) by doing some very basic
> > operations, like opening and editing some images, and exporting the
> > results.
> 
> Excellent.  The patches LGTM apart from minor nitpicks sent separately.

Thanks, pushed as 9eecf9bc13bd3746ce5a073c59920110c6cf3dd7

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]