gnu: optipng: Update to 0.7.7 [security fixes].

This release claims to fix 2 vulnerabilities:
- ‘an integer overflow vulnerability in the TIFF decoder’
  (CVE-2017-1000229, previously patched in Guix), and
- ‘a buffer overflow vulnerability in the GIF decoder’.

* gnu/packages/image.scm (optipng): Update to 0.7.7.
[source]: Remove patch.
[arguments]: Substitute INVOKE for SYSTEM* and end phase with #t.
* gnu/packages/patches/optipng-CVE-2017-1000229.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
This commit is contained in:
Tobias Geerinckx-Rice 2018-02-23 14:24:42 +01:00
parent 5a82c90400
commit bbf8832f16
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79
3 changed files with 8 additions and 32 deletions

View File

@ -950,7 +950,6 @@ dist_patch_DATA = \
%D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-runpath.patch \
%D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \
%D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \
%D%/packages/patches/optipng-CVE-2017-1000229.patch \
%D%/packages/patches/orpheus-cast-errors-and-includes.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \
%D%/packages/patches/osip-CVE-2017-7853.patch \ %D%/packages/patches/osip-CVE-2017-7853.patch \
%D%/packages/patches/ots-no-include-missing-file.patch \ %D%/packages/patches/ots-no-include-missing-file.patch \

View File

@ -10,7 +10,7 @@
;;; Copyright © 2016 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2016, 2017 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2016, 2017 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net> ;;; Copyright © 2016, 2017 Kei Kebreau <kkebreau@posteo.net>
@ -1091,29 +1091,28 @@ installed as @code{stb_image}.")
(define-public optipng (define-public optipng
(package (package
(name "optipng") (name "optipng")
(version "0.7.6") (version "0.7.7")
(source (source
(origin (origin
(method url-fetch) (method url-fetch)
(uri (string-append "http://prdownloads.sourceforge.net/optipng/optipng-" (uri (string-append "http://prdownloads.sourceforge.net/optipng/optipng-"
version ".tar.gz")) version ".tar.gz"))
(patches (search-patches "optipng-CVE-2017-1000229.patch"))
(sha256 (sha256
(base32 (base32
"105yk5qykvhiahzag67gm36s2kplxf6qn5hay02md0nkrcgn6w28")))) "0lj4clb851fzpaq446wgj0sfy922zs5l5misbpwv6w7qrqrz4cjg"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(inputs (inputs
`(("zlib" ,zlib))) `(("zlib" ,zlib)))
(arguments (arguments
'(#:phases '(#:phases
(modify-phases %standard-phases (modify-phases %standard-phases
;; configure script does not accept arguments CONFIG_SHELL and SHELL
(replace 'configure (replace 'configure
(lambda* (#:key outputs #:allow-other-keys) (lambda* (#:key outputs #:allow-other-keys)
(zero? (system* "sh" "configure" ;; configure script doesn't accept arguments CONFIG_SHELL and SHELL
(string-append "--prefix=" (assoc-ref outputs "out"))))))))) (invoke "sh" "configure"
(synopsis "Optimizer that recompresses PNG image files to a (string-append "--prefix=" (assoc-ref outputs "out")))
smaller size") #t)))))
(synopsis "Optimizer that recompresses PNG image files to a smaller size")
(description "OptiPNG is a PNG optimizer that recompresses image (description "OptiPNG is a PNG optimizer that recompresses image
files to a smaller size, without losing any information. This program files to a smaller size, without losing any information. This program
also converts external formats (BMP, GIF, PNM and TIFF) to optimized also converts external formats (BMP, GIF, PNM and TIFF) to optimized

View File

@ -1,22 +0,0 @@
Fix CVE-2017-1000229:
https://security-tracker.debian.org/tracker/CVE-2017-1000229
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html
https://nvd.nist.gov/vuln/detail/CVE-2017-1000229
Patch copied from upstream bug tracker:
https://sourceforge.net/p/optipng/bugs/65/
diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
index b4910ec..5f9b376 100644
--- a/src/minitiff/tiffread.c
+++ b/src/minitiff/tiffread.c
@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
count = tiff_ptr->strip_offsets_count;
if (count == 0 || count > tiff_ptr->height)
goto err_invalid;
+ if (count > (size_t)-1 / sizeof(long))
+ goto err_memory;
tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
if (tiff_ptr->strip_offsets == NULL)
goto err_memory;