gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126].

Reported by Leo Famulari <leo@famulari.name>.

* gnu/packages/image.scm (libpng-urls): New procedure.
  (libpng)[source]: Use it.
  [replacement]: New field.
  (libpng-1.5.24): New variable.
This commit is contained in:
Ludovic Courtès 2015-11-16 09:50:33 +01:00
parent b6bbebbcab
commit 1b076e630f
1 changed files with 22 additions and 7 deletions

View File

@ -46,23 +46,28 @@
#:use-module (guix build-system cmake)
#:use-module (srfi srfi-1))
(define (libpng-urls version)
"Return a list of URLs for libpng VERSION."
;; Note: upstream removes older tarballs.
(list (string-append "mirror://sourceforge/libpng/libpng15/"
version "/libpng-" version ".tar.xz")
(string-append
"ftp://ftp.simplesystems.org/pub/libpng/png/src"
"/libpng15/libpng-" version ".tar.xz")))
(define-public libpng
(package
(name "libpng")
(version "1.5.21")
(source (origin
(method url-fetch)
;; Note: upstream removes older tarballs.
(uri (list (string-append "mirror://sourceforge/libpng/libpng15/"
version "/libpng-" version ".tar.xz")
(string-append
"ftp://ftp.simplesystems.org/pub/libpng/png/src"
"/libpng15/libpng-" version ".tar.xz")))
(uri (libpng-urls version))
(sha256
(base32 "19yvzw6sf9gf7v25ha9bla8bw1nijh82wj8ag6brjj3hpij1q5dm"))))
(build-system gnu-build-system)
(replacement libpng-1.5.24) ;CVE-2015-8126
;; libpng.la says "-lz", so propagate it.
(propagated-inputs `(("zlib" ,zlib)))
@ -73,6 +78,16 @@ library. It supports almost all PNG features and is extensible.")
(license license:zlib)
(home-page "http://www.libpng.org/pub/png/libpng.html")))
(define libpng-1.5.24
(package
(inherit libpng)
(source (origin
(method url-fetch)
(uri (libpng-urls "1.5.24"))
(sha256
(base32
"1qhvfk1ypsaf6q6xkspyqqzmghpbahhq54ms8fa5ssqkyds38bmr"))))))
(define-public libjpeg
(package
(name "libjpeg")