giflib: 5.1.4 -> 5.2.1

5.1.5 says: Fix SF bug #113:
  Heap Buffer Overflow-2 in function DGifDecompressLine()
  in cgif.c.  This had been assigned CVE-2018-11490.
This *probably* also fixes a minor CVE-2019-15133 #68563 (DoS only).
(I couldn't find a good reference quickly.)

The changelogs are almost only bugfixes, and ABI tracker also looks OK:
https://abi-laboratory.pro/?view=timeline&l=giflib
so I gather this is suitable for direct push to nixpkgs staging-next.
I built several reverse dependencies locally.

1 files changed, 11 insertions, 5 deletions

diff --git a/pkgs/development/libraries/giflib/5.1.nix b/pkgs/development/libraries/giflib/5.1.nix
index fee760b3ea2..d97477e3f3a 100644
--- a/pkgs/development/libraries/giflib/5.1.nix
+++ b/pkgs/development/libraries/giflib/5.1.nix
@@ -1,18 +1,24 @@
 {stdenv, fetchurl, xmlto, docbook_xml_dtd_412, docbook_xsl, libxml2 }:
 
-stdenv.mkDerivation {
-  name = "giflib-5.1.4";
+stdenv.mkDerivation rec {
+  name = "giflib-5.2.1";
   src = fetchurl {
-    url = mirror://sourceforge/giflib/giflib-5.1.4.tar.bz2;
-    sha256 = "1md83dip8rf29y40cm5r7nn19705f54iraz6545zhwa6y8zyq9yz";
+    url = "mirror://sourceforge/giflib/${name}.tar.gz";
+    sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii";
   };
 
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace 'PREFIX = /usr/local' 'PREFIX = ${builtins.placeholder "out"}'
+  '';
+
   buildInputs = [ xmlto docbook_xml_dtd_412 docbook_xsl libxml2 ];
+
   meta = {
     description = "A library for reading and writing gif images";
     platforms = stdenv.lib.platforms.unix;
     license = stdenv.lib.licenses.mit;
     maintainers = with stdenv.lib.maintainers; [ fuuzetsu ];
-    branch = "5.1";
+    branch = "5.2";
   };
 }