From 0296142087ce22a17ed1cad4ad28661ea02d08fa Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 16 Feb 2019 19:55:10 +0100
Subject: [PATCH] gnu: libjpeg-turbo: Replace with 2.0.2 [security fixes].

This fixes CVE-2018-20330 and CVE-2018-19664.

* gnu/packages/image.scm (libjpeg-turbo)[replacement]: New field.
(libjpeg-turbo-2.0.2): New public variable.
---
 gnu/packages/image.scm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index a4418d43b1..545fe334d5 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1299,6 +1299,7 @@ PNG, and performs PNG integrity checks and corrections.")
   (package
     (name "libjpeg-turbo")
     (version "2.0.1")
+    (replacement libjpeg-turbo-2.0.2)
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
@@ -1328,6 +1329,18 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
                    license:ijg          ;the libjpeg library and associated tools
                    license:zlib))))     ;the libjpeg-turbo SIMD extensions
 
+(define-public libjpeg-turbo-2.0.2
+  (package
+    (inherit libjpeg-turbo)
+    (version "2.0.2")
+    (source (origin
+              (inherit (package-source libjpeg-turbo))
+              (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
+                                  version "/libjpeg-turbo-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1v9gx1gdzgxf51nd55ncq7rghmj4x9x91rby50ag36irwngmkf5c"))))))
+
 (define-public niftilib
   (package
     (name "niftilib")