From 1b076e630f4a7245d14634b047e1d1a91ee2659e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 16 Nov 2015 09:50:33 +0100 Subject: gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126]. Reported by Leo Famulari . * gnu/packages/image.scm (libpng-urls): New procedure. (libpng)[source]: Use it. [replacement]: New field. (libpng-1.5.24): New variable. --- gnu/packages/image.scm | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index bde327cf91..b7b8eac24b 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -46,23 +46,28 @@ #:use-module (guix build-system cmake) #:use-module (srfi srfi-1)) +(define (libpng-urls version) + "Return a list of URLs for libpng VERSION." + ;; Note: upstream removes older tarballs. + (list (string-append "mirror://sourceforge/libpng/libpng15/" + version "/libpng-" version ".tar.xz") + (string-append + "ftp://ftp.simplesystems.org/pub/libpng/png/src" + "/libpng15/libpng-" version ".tar.xz"))) + (define-public libpng (package (name "libpng") (version "1.5.21") (source (origin (method url-fetch) - - ;; Note: upstream removes older tarballs. - (uri (list (string-append "mirror://sourceforge/libpng/libpng15/" - version "/libpng-" version ".tar.xz") - (string-append - "ftp://ftp.simplesystems.org/pub/libpng/png/src" - "/libpng15/libpng-" version ".tar.xz"))) + (uri (libpng-urls version)) (sha256 (base32 "19yvzw6sf9gf7v25ha9bla8bw1nijh82wj8ag6brjj3hpij1q5dm")))) (build-system gnu-build-system) + (replacement libpng-1.5.24) ;CVE-2015-8126 + ;; libpng.la says "-lz", so propagate it. (propagated-inputs `(("zlib" ,zlib))) @@ -73,6 +78,16 @@ library. It supports almost all PNG features and is extensible.") (license license:zlib) (home-page "http://www.libpng.org/pub/png/libpng.html"))) +(define libpng-1.5.24 + (package + (inherit libpng) + (source (origin + (method url-fetch) + (uri (libpng-urls "1.5.24")) + (sha256 + (base32 + "1qhvfk1ypsaf6q6xkspyqqzmghpbahhq54ms8fa5ssqkyds38bmr")))))) + (define-public libjpeg (package (name "libjpeg") -- cgit v1.2.3