diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 0d1e76373c..d7c18f90e1 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -427,6 +427,7 @@ highlighting and other features typical of a source code editor.") (define-public gdk-pixbuf (package (name "gdk-pixbuf") + (replacement gdk-pixbuf-2.36.10) (version "2.36.6") (source (origin (method url-fetch) @@ -483,6 +484,7 @@ in the GNOME project.") (define-public gdk-pixbuf+svg (package (inherit gdk-pixbuf) (name "gdk-pixbuf+svg") + (replacement gdk-pixbuf+svg-2.36.10) (inputs `(("librsvg" ,librsvg) ,@(package-inputs gdk-pixbuf))) @@ -506,6 +508,26 @@ in the GNOME project.") (synopsis "GNOME image loading and manipulation library, with SVG support"))) +;; Graft replacement packages to fix these vulnerabilities. +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2862 +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2870 +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6311 +(define-public gdk-pixbuf-2.36.10 + (package (inherit gdk-pixbuf) + (version "2.36.A") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/gdk-pixbuf/2.36/" + "gdk-pixbuf-2.36.10.tar.xz")) + (sha256 + (base32 + "1klsjkdbashd8yb8xjsc9ff3bz32n2id5s79nrrmqiw9df4zmxpq")))))) + +(define-public gdk-pixbuf+svg-2.36.10 + (package (inherit gdk-pixbuf+svg) + (version "2.36.A") + (source (origin (inherit (package-source gdk-pixbuf-2.36.10)))))) + (define-public at-spi2-core (package (name "at-spi2-core")