author | Ludovic Courtès <ludo@gnu.org> | 2015-11-16 09:50:33 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2015-11-16 09:51:44 +0100 |
commit | 1b076e630f4a7245d14634b047e1d1a91ee2659e (patch) | |
tree | 04ae4cc4d5d2efb1628c69fa7426014aad91e031 | |
parent | b6bbebbcab34267aaae7dba8170ae453e68c37db (diff) | |
gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126].
Reported by Leo Famulari <leo@famulari.name>.
* gnu/packages/image.scm (libpng-urls): New procedure.
(libpng)[source]: Use it.
[replacement]: New field.
(libpng-1.5.24): New variable.
-rw-r--r-- | gnu/packages/image.scm | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index bde327cf91..b7b8eac24b 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -46,23 +46,28 @@ #:use-module (guix build-system cmake) #:use-module (srfi srfi-1)) +(define (libpng-urls version) + "Return a list of URLs for libpng VERSION." + ;; Note: upstream removes older tarballs. + (list (string-append "mirror://sourceforge/libpng/libpng15/" + version "/libpng-" version ".tar.xz") + (string-append + "ftp://ftp.simplesystems.org/pub/libpng/png/src" + "/libpng15/libpng-" version ".tar.xz"))) + (define-public libpng (package (name "libpng") (version "1.5.21") (source (origin (method url-fetch) - - ;; Note: upstream removes older tarballs. - (uri (list (string-append "mirror://sourceforge/libpng/libpng15/" - version "/libpng-" version ".tar.xz") - (string-append - "ftp://ftp.simplesystems.org/pub/libpng/png/src" - "/libpng15/libpng-" version ".tar.xz"))) + (uri (libpng-urls version)) (sha256 (base32 "19yvzw6sf9gf7v25ha9bla8bw1nijh82wj8ag6brjj3hpij1q5dm")))) (build-system gnu-build-system) + (replacement libpng-1.5.24) ;CVE-2015-8126 + ;; libpng.la says "-lz", so propagate it. (propagated-inputs `(("zlib" ,zlib))) @@ -73,6 +78,16 @@ library. It supports almost all PNG features and is extensible.") (license license:zlib) (home-page "http://www.libpng.org/pub/png/libpng.html"))) +(define libpng-1.5.24 + (package + (inherit libpng) + (source (origin + (method url-fetch) + (uri (libpng-urls "1.5.24")) + (sha256 + (base32 + "1qhvfk1ypsaf6q6xkspyqqzmghpbahhq54ms8fa5ssqkyds38bmr")))))) + (define-public libjpeg (package (name "libjpeg") |
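Review bot: The `(replacement libpng-1.5.24)` field in the first hunk fixes CVE-2015-8126 only through grafting, so `libpng` itself still builds 1.5.21, and a dependent that links it statically or copies it at build time would presumably keep the vulnerable code. A comment next to the field would make that limit visible, for example `;; Graft only: statically linked users of libpng still embed 1.5.21 until the package itself is updated.` Separately, `libpng-urls` hard-codes the `libpng15` directory in both URLs, so its docstring should say that VERSION must be a 1.5.x release. The `libpng` package form continues past the end of this hunk.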
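Review bot: `libpng-1.5.24` in the second hunk overrides only `source`, so it inherits `(version "1.5.21")` from `libpng`, and the fixed build would carry the vulnerable version number in its package metadata and, presumably, in its store name. An audit by version would then report the patched library as affected by CVE-2015-8126, or fail to show which systems actually carry the fix. Consider adding `(version "1.5.24")` and passing it on with `(uri (libpng-urls version))`. The two version strings have the same length, which should keep the graft's store-name rewriting valid, but that is worth confirming.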