summary refs log tree commit diff
path: root/gnu/packages/image.scm
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2015-11-16 09:50:33 +0100
committerLudovic Courtès <ludo@gnu.org>2015-11-16 09:51:44 +0100
commit1b076e630f4a7245d14634b047e1d1a91ee2659e (patch)
tree04ae4cc4d5d2efb1628c69fa7426014aad91e031 /gnu/packages/image.scm
parentb6bbebbcab34267aaae7dba8170ae453e68c37db (diff)
downloadguix-1b076e630f4a7245d14634b047e1d1a91ee2659e.tar.gz
gnu: libpng: Use 1.5.24 as a replacement [fixes CVE-2015-8126].
Reported by Leo Famulari <leo@famulari.name>.

* gnu/packages/image.scm (libpng-urls): New procedure.
  (libpng)[source]: Use it.
  [replacement]: New field.
  (libpng-1.5.24): New variable.
Diffstat (limited to 'gnu/packages/image.scm')
-rw-r--r--gnu/packages/image.scm29
1 files changed, 22 insertions, 7 deletions
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index bde327cf91..b7b8eac24b 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -46,23 +46,28 @@
   #:use-module (guix build-system cmake)
   #:use-module (srfi srfi-1))
 
+(define (libpng-urls version)
+  "Return a list of URLs for libpng VERSION."
+  ;; Note: upstream removes older tarballs.
+  (list (string-append "mirror://sourceforge/libpng/libpng15/"
+                       version "/libpng-" version ".tar.xz")
+        (string-append
+         "ftp://ftp.simplesystems.org/pub/libpng/png/src"
+         "/libpng15/libpng-" version ".tar.xz")))
+
 (define-public libpng
   (package
    (name "libpng")
    (version "1.5.21")
    (source (origin
             (method url-fetch)
-
-            ;; Note: upstream removes older tarballs.
-            (uri (list (string-append "mirror://sourceforge/libpng/libpng15/"
-                                      version "/libpng-" version ".tar.xz")
-                       (string-append
-                        "ftp://ftp.simplesystems.org/pub/libpng/png/src"
-                        "/libpng15/libpng-" version ".tar.xz")))
+            (uri (libpng-urls version))
             (sha256
              (base32 "19yvzw6sf9gf7v25ha9bla8bw1nijh82wj8ag6brjj3hpij1q5dm"))))
    (build-system gnu-build-system)
 
+   (replacement libpng-1.5.24)                    ;CVE-2015-8126
+
    ;; libpng.la says "-lz", so propagate it.
    (propagated-inputs `(("zlib" ,zlib)))
 
@@ -73,6 +78,16 @@ library.  It supports almost all PNG features and is extensible.")
    (license license:zlib)
    (home-page "http://www.libpng.org/pub/png/libpng.html")))
 
+(define libpng-1.5.24
+  (package
+    (inherit libpng)
+    (source (origin
+              (method url-fetch)
+              (uri (libpng-urls "1.5.24"))
+              (sha256
+               (base32
+                "1qhvfk1ypsaf6q6xkspyqqzmghpbahhq54ms8fa5ssqkyds38bmr"))))))
+
 (define-public libjpeg
   (package
    (name "libjpeg")