gnu: graphicsmagick: Fix CVE-2016-5118.

* gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/imagemagick.scm (graphicsmagick): Use it.
2016-05-29 23:36:37 -04:00 · 2016-05-29 23:36:37 -04:00 · d8862778c1
parent b3d20b8280
commit d8862778c1
3 changed files with 21 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -518,6 +518,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
  %D%/packages/patches/gobject-introspection-cc.patch		\
  %D%/packages/patches/gobject-introspection-girepository.patch	\
+  %D%/packages/patches/graphicsmagick-CVE-2016-5118.patch	\
  %D%/packages/patches/grep-timing-sensitive-test.patch		\
  %D%/packages/patches/grub-CVE-2015-8370.patch			\
  %D%/packages/patches/grub-gets-undeclared.patch		\
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@ -160,6 +160,7 @@ script.")
             (uri (string-append "ftp://ftp.graphicsmagick.org/pub/"
                                 "GraphicsMagick/" (version-major+minor version)
                                 "/GraphicsMagick-" version ".tar.xz"))
+             (patches (search-patches "graphicsmagick-CVE-2016-5118.patch"))
             (sha256
              (base32
               "03g6l2h8cmf231y1vma0z7x85070jm1ysgs9ppqcd3jj56jka9gx"))))
--- a/gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch
+++ b/gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch
@ -0,0 +1,19 @@
+Fix CVE-2016-5118 (popen() shell vulnerability via filename).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118
+
+Upstream patch copied from the bug announcement:
+http://seclists.org/oss-sec/2016/q2/432
+https://marc.info/?l=oss-security&m=146455222600609&w=2
+
+diff -r 33200fc645f6 magick/blob.c
+--- a/magick/blob.c	Sat Nov 07 14:49:16 2015 -0600
+++ b/magick/blob.c	Sun May 29 14:12:57 2016 -0500
+@@ -68,6 +68,7 @@
+ */
+ #define DefaultBlobQuantum  65541
+ 
+#undef HAVE_POPEN
+ 
+ /*
+   Enum declarations.