From ad472397bc5472b463d322e0246d59c8754291c8 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Mon, 18 Sep 2017 22:22:27 +0200 Subject: [PATCH] gnu: gdk-pixbuf: Replace with 2.36.10. Fixes CVE-2017-2862, CVE-2017-2870 and CVE-2017-6311. * gnu/packages/gtk.scm (gdk-pixbuf, gdk-pixbuf+svg)[replacement]: New field. (gdk-pixbuf-2.36.10, gdk-pixbuf+svg-2.36.10): New variables. --- gnu/packages/gtk.scm | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 0d1e76373c..d7c18f90e1 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -427,6 +427,7 @@ highlighting and other features typical of a source code editor.") (define-public gdk-pixbuf (package (name "gdk-pixbuf") + (replacement gdk-pixbuf-2.36.10) (version "2.36.6") (source (origin (method url-fetch) @@ -483,6 +484,7 @@ in the GNOME project.") (define-public gdk-pixbuf+svg (package (inherit gdk-pixbuf) (name "gdk-pixbuf+svg") + (replacement gdk-pixbuf+svg-2.36.10) (inputs `(("librsvg" ,librsvg) ,@(package-inputs gdk-pixbuf))) @@ -506,6 +508,26 @@ in the GNOME project.") (synopsis "GNOME image loading and manipulation library, with SVG support"))) +;; Graft replacement packages to fix these vulnerabilities. +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2862 +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2870 +;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6311 +(define-public gdk-pixbuf-2.36.10 + (package (inherit gdk-pixbuf) + (version "2.36.A") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/gdk-pixbuf/2.36/" + "gdk-pixbuf-2.36.10.tar.xz")) + (sha256 + (base32 + "1klsjkdbashd8yb8xjsc9ff3bz32n2id5s79nrrmqiw9df4zmxpq")))))) + +(define-public gdk-pixbuf+svg-2.36.10 + (package (inherit gdk-pixbuf+svg) + (version "2.36.A") + (source (origin (inherit (package-source gdk-pixbuf-2.36.10)))))) + (define-public at-spi2-core (package (name "at-spi2-core")