gnu: lcms: Update to 2.9.

* gnu/packages/ghostscript.scm (lcms): Update to 2.9.
[source]: Remove patch.
* gnu/packages/patches/lcms-CVE-2016-10165.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
This commit is contained in:
Tobias Geerinckx-Rice 2018-02-19 19:26:44 +01:00
parent 09371ab4d0
commit c3800f0b6e
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79
3 changed files with 3 additions and 40 deletions

View File

@ -800,7 +800,6 @@ dist_patch_DATA = \
%D%/packages/patches/kobodeluxe-midicon-segmentation-fault.patch \ %D%/packages/patches/kobodeluxe-midicon-segmentation-fault.patch \
%D%/packages/patches/kobodeluxe-graphics-window-signed-char.patch \ %D%/packages/patches/kobodeluxe-graphics-window-signed-char.patch \
%D%/packages/patches/laby-make-install.patch \ %D%/packages/patches/laby-make-install.patch \
%D%/packages/patches/lcms-CVE-2016-10165.patch \
%D%/packages/patches/ldc-disable-tests.patch \ %D%/packages/patches/ldc-disable-tests.patch \
%D%/packages/patches/ldc-1.1.0-disable-dmd-tests.patch \ %D%/packages/patches/ldc-1.1.0-disable-dmd-tests.patch \
%D%/packages/patches/ldc-1.1.0-disable-phobos-tests.patch \ %D%/packages/patches/ldc-1.1.0-disable-phobos-tests.patch \

View File

@ -6,6 +6,7 @@
;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -43,14 +44,13 @@
(define-public lcms (define-public lcms
(package (package
(name "lcms") (name "lcms")
(version "2.8") (version "2.9")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append "mirror://sourceforge/lcms/lcms/" version (uri (string-append "mirror://sourceforge/lcms/lcms/" version
"/lcms2-" version ".tar.gz")) "/lcms2-" version ".tar.gz"))
(patches (search-patches "lcms-CVE-2016-10165.patch"))
(sha256 (base32 (sha256 (base32
"08pvl289g0mbznzx5l6ibhaldsgx41kwvdn2c974ga9fkli2pl36")))) "083xisy6z01zhm7p7rgk4bx9d6zlr8l20qkfv1g29ylnhgwzvij8"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(inputs `(("libjpeg-8" ,libjpeg-8) (inputs `(("libjpeg-8" ,libjpeg-8)
("libtiff" ,libtiff) ("libtiff" ,libtiff)

View File

@ -1,36 +0,0 @@
Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read():
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
http://seclists.org/oss-sec/2016/q3/288
https://bugzilla.redhat.com/show_bug.cgi?id=1367357
https://security-tracker.debian.org/tracker/CVE-2016-10165
Patch copied from upstream source repository:
https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2
From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
From: Marti <marti.maria@tktbrainpower.com>
Date: Mon, 15 Aug 2016 23:31:39 +0200
Subject: [PATCH] Added an extra check to MLU bounds
Thanks to Ibrahim el-sayed for spotting the bug
---
src/cmstypes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cmstypes.c b/src/cmstypes.c
index cb61860..c7328b9 100644
--- a/src/cmstypes.c
+++ b/src/cmstypes.c
@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
// Check for overflow
if (Offset < (SizeOfHeader + 8)) goto Error;
+ if ((Offset + Len) > SizeOfTag + 8) goto Error;
// True begin of the string
BeginOfThisString = Offset - SizeOfHeader - 8;
--
2.11.0