diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-13 17:12:07 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-14 07:15:41 +0200 |
commit | 220836d06650076cbb4d879e5bb8efddd3ce1bcd (patch) | |
tree | b489455c5243599d749328a7b14179e7f2b78247 /pkgs/development/libraries/gd | |
parent | f8bdd7969d1af9b1f4ab5f968fae336190c1ae1c (diff) | |
download | nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.tar nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.tar.gz nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.tar.bz2 nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.tar.lz nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.tar.xz nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.tar.zst nixpkgs-220836d06650076cbb4d879e5bb8efddd3ce1bcd.zip |
gd: apply patch for CVE-2016-3074 from upstream
Source: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19.patch The original patch contains binary data, however, which is not supported by `patch`; we could use `git apply` here, of course, but it was simpler to just copy-paste only the fix into a separate file and include it in the repo.
Diffstat (limited to 'pkgs/development/libraries/gd')
-rw-r--r-- | pkgs/development/libraries/gd/CVE-2016-3074.patch | 13 | ||||
-rw-r--r-- | pkgs/development/libraries/gd/default.nix | 6 |
2 files changed, 18 insertions, 1 deletions
diff --git a/pkgs/development/libraries/gd/CVE-2016-3074.patch b/pkgs/development/libraries/gd/CVE-2016-3074.patch new file mode 100644 index 00000000000..76994697729 --- /dev/null +++ b/pkgs/development/libraries/gd/CVE-2016-3074.patch @@ -0,0 +1,13 @@ +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index 6f28461..a50b33d 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + if (gdGetInt (&cidx[i].size, in) != 1) { + goto fail2; + }; ++ if (cidx[i].offset < 0 || cidx[i].size < 0) ++ goto fail2; + }; + *chunkIdx = cidx; + }; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index c58bd11bc64..bf3b63db399 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,12 +12,16 @@ stdenv.mkDerivation rec { name = "gd-${version}"; version = "2.1.1"; - + src = fetchurl { url = "https://github.com/libgd/libgd/releases/download/${name}/libgd-${version}.tar.xz"; sha256 = "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls"; }; + patches = [ + ./CVE-2016-3074.patch + ]; + nativeBuildInputs = [ pkgconfig ]; buildInputs = [ zlib fontconfig freetype libjpeg libpng libtiff libXpm ]; |