diff options
author | Thomas Gerbet <thomas@gerbet.me> | 2024-03-01 22:04:28 +0100 |
---|---|---|
committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2024-03-10 13:30:38 +0000 |
commit | 3e6d8c9f59c276f6e1fa7b3c5f46263e74ac42ac (patch) | |
tree | 2b7879309f8868ba9f18682cea53eb33a53da51a /pkgs/development/libraries | |
parent | 66e026777a1c92d0d197657d10312846276f48a8 (diff) |
giflib: 5.2.1 -> 5.2.2, apply patch for CVE-2021-40633
Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633. Changes: https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS (cherry picked from commit ce852b43b0611897874a689cd0d534b7a6bf5594)
Diffstat (limited to 'pkgs/development/libraries')
-rw-r--r-- | pkgs/development/libraries/giflib/CVE-2021-40633.patch | 26 | ||||
-rw-r--r-- | pkgs/development/libraries/giflib/default.nix | 32 |
2 files changed, 38 insertions, 20 deletions
diff --git a/pkgs/development/libraries/giflib/CVE-2021-40633.patch b/pkgs/development/libraries/giflib/CVE-2021-40633.patch new file mode 100644 index 0000000000000..8a665bb1638bc --- /dev/null +++ b/pkgs/development/libraries/giflib/CVE-2021-40633.patch @@ -0,0 +1,26 @@ +From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001 +From: "Eric S. Raymond" <esr@thyrsus.com> +Date: Wed, 21 Feb 2024 18:55:00 -0500 +Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633) + +--- + gif2rgb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/gif2rgb.c b/gif2rgb.c +index d51226d..fc2e683 100644 +--- a/gif2rgb.c ++++ b/gif2rgb.c +@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag, + DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer, + GifFile->SWidth, GifFile->SHeight); + ++ for (i = 0; i < GifFile->SHeight; i++) { ++ (void)free(ScreenBuffer[i]); ++ } + (void)free(ScreenBuffer); + + { +-- +2.44.0 + diff --git a/pkgs/development/libraries/giflib/default.nix b/pkgs/development/libraries/giflib/default.nix index 8c8a587ed5480..486aebf6703a5 100644 --- a/pkgs/development/libraries/giflib/default.nix +++ b/pkgs/development/libraries/giflib/default.nix @@ -4,31 +4,20 @@ , fetchpatch , fixDarwinDylibNames , pkgsStatic +, imagemagick_light }: stdenv.mkDerivation rec { pname = "giflib"; - version = "5.2.1"; + version = "5.2.2"; src = fetchurl { url = "mirror://sourceforge/giflib/giflib-${version}.tar.gz"; - sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii"; + hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs="; }; patches = [ - (fetchpatch { - name = "CVE-2022-28506.patch"; - url = "https://src.fedoraproject.org/rpms/giflib/raw/2e9917bf13df114354163f0c0211eccc00943596/f/CVE-2022-28506.patch"; - sha256 = "sha256-TBemEXkuox8FdS9RvjnWcTWPaHRo4crcwSR9czrUwBY="; - }) - ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ - # https://sourceforge.net/p/giflib/bugs/133/ - (fetchpatch { - name = "darwin-soname.patch"; - url = "https://sourceforge.net/p/giflib/bugs/_discuss/thread/4e811ad29b/c323/attachment/Makefile.patch"; - sha256 = "12afkqnlkl3n1hywwgx8sqnhp3bz0c5qrwcv8j9hifw1lmfhv67r"; - extraPrefix = "./"; - }) + ./CVE-2021-40633.patch ] ++ lib.optionals stdenv.hostPlatform.isMinGW [ # Build dll libraries. (fetchurl { @@ -40,7 +29,9 @@ stdenv.mkDerivation rec { ./mingw-install-exes.patch ]; - nativeBuildInputs = lib.optionals stdenv.isDarwin [ + nativeBuildInputs = [ + imagemagick_light + ] ++ lib.optionals stdenv.isDarwin [ fixDarwinDylibNames ]; @@ -50,10 +41,11 @@ stdenv.mkDerivation rec { postPatch = lib.optionalString stdenv.hostPlatform.isStatic '' # Upstream build system does not support NOT building shared libraries. - sed -i '/all:/ s/libgif.so//' Makefile - sed -i '/all:/ s/libutil.so//' Makefile - sed -i '/-m 755 libgif.so/ d' Makefile - sed -i '/ln -sf libgif.so/ d' Makefile + sed -i '/all:/ s/$(LIBGIFSO)//' Makefile + sed -i '/all:/ s/$(LIBUTILSO)//' Makefile + sed -i '/-m 755 $(LIBGIFSO)/ d' Makefile + sed -i '/ln -sf $(LIBGIFSOVER)/ d' Makefile + sed -i '/ln -sf $(LIBGIFSOMAJOR)/ d' Makefile ''; passthru.tests = { |