From 0bd1097c50950d47954b4dc136654dfbde45d5b1 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 23 Nov 2016 00:14:29 -0500 Subject: gnu: libtiff: Update to 4.0.7. * gnu/packages/image.scm (libtiff): Update to 4.0.7. [source]: Update URL and remove obsolete patches. [home-page]: Update URL. [native-inputs]: Add gcc-5. (libtiff-4.0.7): Delete variable. * gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch, gnu/packages/patches/libtiff-CVE-2016-3623.patch, gnu/packages/patches/libtiff-CVE-2016-3945.patch, gnu/packages/patches/libtiff-CVE-2016-3990.patch, gnu/packages/patches/libtiff-CVE-2016-3991.patch, gnu/packages/patches/libtiff-CVE-2016-5314.patch, gnu/packages/patches/libtiff-CVE-2016-5321.patch, gnu/packages/patches/libtiff-CVE-2016-5323.patch, gnu/packages/patches/libtiff-oob-accesses-in-decode.patch, gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/packages/image.scm | 43 ++++++++++++------------------------------- 1 file changed, 12 insertions(+), 31 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 526c87cf86..611ac71572 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -36,6 +36,8 @@ #:use-module (gnu packages compression) #:use-module (gnu packages documentation) #:use-module (gnu packages fontutils) + ;; To provide gcc@5 and gcc@6, to work around . + #:use-module (gnu packages gcc) #:use-module (gnu packages gettext) #:use-module (gnu packages ghostscript) #:use-module (gnu packages gl) 
@@ -243,25 +245,14 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") - (replacement libtiff-4.0.7) - (version "4.0.6") + (version "4.0.7") (source (origin (method url-fetch) - (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-" - version ".tar.gz")) - (sha256 (base32 - "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd")) - (patches (search-patches - "libtiff-oob-accesses-in-decode.patch" - "libtiff-oob-write-in-nextdecode.patch" - "libtiff-CVE-2015-8665+CVE-2015-8683.patch" - "libtiff-CVE-2016-3623.patch" - "libtiff-CVE-2016-3945.patch" - "libtiff-CVE-2016-3990.patch" - "libtiff-CVE-2016-3991.patch" - "libtiff-CVE-2016-5314.patch" - "libtiff-CVE-2016-5321.patch" - "libtiff-CVE-2016-5323.patch")))) + (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" + version ".tar.gz")) + (sha256 + (base32 + "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.3 MiB of HTML documentation @@ -271,6 +262,9 @@ extracting icontainer icon files.") (assoc-ref %outputs "doc") "/share/doc/" ,name "-" ,version)))) + ;; Build with a patched GCC to work around . + (native-inputs + `(("gcc@5" ,gcc-5))) (inputs `(("zlib" ,zlib) ("libjpeg" ,libjpeg))) (synopsis "Library for handling TIFF files") 
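Review bot: The ten entries removed from `(patches (search-patches ...))` are dropped with nothing in the hunk recording that 4.0.7 carries each fix. Check every removed name (the eight libtiff-CVE-* files and the two libtiff-oob-* files) against the 4.0.7 changelog before relying on the bump. A one-line comment above the origin, such as `;; 4.0.7 includes the fixes formerly carried as libtiff-CVE-*.patch and libtiff-oob-*.patch.`, would keep that traceable. The tarball is fetched over plain `ftp://`, so the `sha256` is the only integrity check. It should be computed from a copy verified independently of that download, not from the same FTP fetch.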
@@ -281,20 +275,7 @@ Included are a library, libtiff, for reading and writing TIFF and a small collection of tools for doing simple manipulations of TIFF images.") (license (license:non-copyleft "file://COPYRIGHT" "See COPYRIGHT in the distribution.")) - (home-page "http://www.remotesensing.org/libtiff/"))) - -(define libtiff-4.0.7 - (package - (inherit libtiff) - (version "4.0.7") - (source (origin - (method url-fetch) - (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" - version ".tar.gz")) - (sha256 - (base32 - "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz")))) - (home-page "http://www.simplesystems.org/libtiff/"))) + (home-page "http://www.simplesystems.org/libtiff/"))) (define-public libwmf (package -- cgit 1.4.1 From c7a70c336f11f5db2636a15372fa85a8b426fd3b Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 27 Nov 2016 20:23:20 +0200 Subject: gnu: jasper: Update to 2.0.0 [fixes security issues]. * gnu/packages/image.scm (jasper): Update to 2.0.0. [build-system]: Switch to cmake-build-system. --- gnu/packages/image.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 526c87cf86..981e1f8109 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -843,15 +843,15 @@ convert, manipulate, filter and display a wide variety of image formats.") (define-public jasper (package (name "jasper") - (version "1.900.29") + (version "2.0.0") (source (origin (method url-fetch) (uri (string-append "https://www.ece.uvic.ca/~frodo/jasper" "/software/jasper-" version ".tar.gz")) (sha256 (base32 - "1h1575wdzq1p7y2xvy1gbiypai1iils5awhy4gadr78qpb9ykrra")))) - (build-system gnu-build-system) + "1kg5yrdwgazhbczybyx4548m0ijssabcp8hl5l87w78z833vikks")))) + (build-system cmake-build-system) (inputs `(("libjpeg" ,libjpeg))) (synopsis "JPEG-2000 library") (description "The JasPer Project is an initiative to provide a reference -- cgit 1.4.1 
From 37e05d64e4e0696988460d98514c7b1d5d89fd5a Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Fri, 25 Nov 2016 20:15:17 +0100 Subject: gnu: Add libjpeg-turbo. * gnu/packages/image.scm (libjpeg-turbo): New variable. --- gnu/packages/image.scm | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 981e1f8109..3f9a2b2a4f 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -31,6 +31,7 @@ (define-module (gnu packages image) #:use-module (gnu packages) #:use-module (gnu packages algebra) + #:use-module (gnu packages assembly) #:use-module (gnu packages autotools) #:use-module (gnu packages boost) #:use-module (gnu packages compression) 
@@ -1016,3 +1017,33 @@ also converts external formats (BMP, GIF, PNM and TIFF) to optimized PNG, and performs PNG integrity checks and corrections.") (home-page "http://optipng.sourceforge.net/") (license license:zlib))) + +(define-public libjpeg-turbo + (package + (name "libjpeg-turbo") + (version "1.5.1") + (source (origin + (method url-fetch) + (uri (string-append "mirror://sourceforge/" name "/" version "/" + name "-" version ".tar.gz")) + (sha256 + (base32 + "0v365hm6z6lddcqagjj15wflk66rqyw75m73cqzl65rh4lyrshj1")))) + (build-system gnu-build-system) + (native-inputs + `(("nasm" ,nasm))) + (arguments + `(#:test-target "test")) + (home-page "http://www.libjpeg-turbo.org/") + (synopsis "SIMD-accelerated JPEG image handling library") + (description "libjpeg-turbo is a JPEG image codec that accelerates baseline +JPEG compression and decompression using SIMD instructions: MMX on x86, SSE2 on +x86-64, NEON on ARM, and AltiVec on PowerPC processors. Even on other systems, +its highly-optimized Huffman coding routines allow it to outperform libjpeg by +a significant amount. +libjpeg-turbo implements both the traditional libjpeg API and the less powerful +but more straightforward TurboJPEG API, and provides a full-featured Java +interface. It supports color space extensions that allow it to compress from +and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).") + (license (list license:bsd-3 ; jsimd*.[ch] and most of simd/ + license:ijg)))) ; the rest -- cgit 1.4.1 From 023f0fb06ee8dd55f95ff1be542e805363535b97 Mon Sep 17 00:00:00 2001 
From: Alex Kost Date: Fri, 2 Dec 2016 12:24:40 +0300 Subject: gnu: exiv2: Move to (gnu packages image). * gnu/packages/geeqie.scm (exiv2): Move to... * gnu/packages/image.scm: ... here. * gnu/packages/gnome.scm: Adjust the used modules. * gnu/packages/gnunet.scm: Likewise. * gnu/packages/gps.scm: Likewise. --- gnu/packages/geeqie.scm | 33 --------------------------------- gnu/packages/gnome.scm | 1 - gnu/packages/gnunet.scm | 1 - gnu/packages/gps.scm | 2 +- gnu/packages/image-viewers.scm | 2 +- gnu/packages/image.scm | 35 +++++++++++++++++++++++++++++++++++ 6 files changed, 37 insertions(+), 37 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/geeqie.scm b/gnu/packages/geeqie.scm index 509819e780..bc922d577a 100644 --- a/gnu/packages/geeqie.scm +++ b/gnu/packages/geeqie.scm @@ -31,39 +31,6 @@ #:use-module (gnu packages pkg-config) #:use-module (gnu packages xml)) -(define-public exiv2 ; XXX: move elsewhere? - (package - (name "exiv2") - (version "0.25") - (source (origin - (method url-fetch) - (uri (list (string-append "http://www.exiv2.org/exiv2-" - version ".tar.gz") - (string-append "https://fossies.org/linux/misc/exiv2-" - version ".tar.gz"))) - (sha256 - (base32 - "197g6vgcpyf9p2cwn5p5hb1r714xsk1v4p96f5pv1z8mi9vzq2y8")))) - (build-system gnu-build-system) - (arguments '(#:tests? #f)) ; no `check' target - (propagated-inputs - `(("expat" ,expat) - ("zlib" ,zlib))) - (native-inputs - `(("intltool" ,intltool))) - (home-page "http://www.exiv2.org/") - (synopsis "Library and command-line utility to manage image metadata") - (description - "Exiv2 is a C++ library and a command line utility to manage image -metadata. It provides fast and easy read and write access to the Exif, IPTC -and XMP metadata of images in various formats.") - - ;; Files under `xmpsdk' are a copy of Adobe's XMP SDK, licensed under the - ;; 3-clause BSD license: . - ;; The core is GPLv2+: - ;; . - (license l:gpl2+))) - (define-public geeqie (package (name "geeqie") 
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 3aa0f567fd..e7798e9399 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -97,7 +97,6 @@ #:use-module (gnu packages scanner) #:use-module (gnu packages ssh) #:use-module (gnu packages xml) - #:use-module (gnu packages geeqie) #:use-module (gnu packages gl) #:use-module (gnu packages compression) #:use-module (gnu packages tex) diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm index 1eb2670743..5d1baa834e 100644 --- a/gnu/packages/gnunet.scm +++ b/gnu/packages/gnunet.scm @@ -29,7 +29,6 @@ #:use-module (gnu packages autotools) #:use-module (gnu packages compression) #:use-module (gnu packages curl) - #:use-module (gnu packages geeqie) #:use-module (gnu packages gettext) #:use-module (gnu packages glib) #:use-module (gnu packages gnome) diff --git a/gnu/packages/gps.scm b/gnu/packages/gps.scm index da5485e6ee..bc0f3ed115 100644 --- a/gnu/packages/gps.scm +++ b/gnu/packages/gps.scm @@ -27,7 +27,7 @@ #:use-module (gnu packages pkg-config) #:use-module (gnu packages compression) #:use-module (gnu packages docbook) - #:use-module (gnu packages geeqie) ;exiv2 + #:use-module (gnu packages image) #:use-module (gnu packages xml) #:use-module (gnu packages gtk) #:use-module (gnu packages qt)) diff --git a/gnu/packages/image-viewers.scm b/gnu/packages/image-viewers.scm index 4be0ebbc2d..eb25c11fd4 100644 --- a/gnu/packages/image-viewers.scm +++ b/gnu/packages/image-viewers.scm @@ -20,10 +20,10 @@ #:use-module (guix build-system gnu) #:use-module (gnu packages autotools) #:use-module (gnu packages base) - #:use-module (gnu packages geeqie) #:use-module (gnu packages glib) #:use-module (gnu packages gnome) #:use-module (gnu packages gtk) + #:use-module (gnu packages image) #:use-module (gnu packages pkg-config)) (define-public viewnior diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 3f9a2b2a4f..35abe9e911 100644 --- a/gnu/packages/image.scm 
+++ b/gnu/packages/image.scm @@ -1,4 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2013 Ludovic Courtès ;;; Copyright © 2013, 2015, 2016 Andreas Enge ;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2014, 2015 Alex Kost @@ -40,6 +41,7 @@ #:use-module (gnu packages gettext) #:use-module (gnu packages ghostscript) #:use-module (gnu packages gl) + #:use-module (gnu packages glib) #:use-module (gnu packages graphics) #:use-module (gnu packages maths) #:use-module (gnu packages mcrypt) @@ -788,6 +790,39 @@ channels.") "Libmng is the MNG (Multiple-image Network Graphics) reference library.") (license license:bsd-3))) +(define-public exiv2 + (package + (name "exiv2") + (version "0.25") + (source (origin + (method url-fetch) + (uri (list (string-append "http://www.exiv2.org/exiv2-" + version ".tar.gz") + (string-append "https://fossies.org/linux/misc/exiv2-" + version ".tar.gz"))) + (sha256 + (base32 + "197g6vgcpyf9p2cwn5p5hb1r714xsk1v4p96f5pv1z8mi9vzq2y8")))) + (build-system gnu-build-system) + (arguments '(#:tests? #f)) ; no `check' target + (propagated-inputs + `(("expat" ,expat) + ("zlib" ,zlib))) + (native-inputs + `(("intltool" ,intltool))) + (home-page "http://www.exiv2.org/") + (synopsis "Library and command-line utility to manage image metadata") + (description + "Exiv2 is a C++ library and a command line utility to manage image +metadata. It provides fast and easy read and write access to the Exif, IPTC +and XMP metadata of images in various formats.") + + ;; Files under `xmpsdk' are a copy of Adobe's XMP SDK, licensed under the + ;; 3-clause BSD license: . + ;; The core is GPLv2+: + ;; . + (license license:gpl2+))) + (define-public devil (package (name "devil") -- cgit 1.4.1 From a6cd85742dd2254bc9ea3744fd47e4465203113c Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Sat, 10 Dec 2016 20:59:19 +0200 Subject: gnu: jasper: Update to 2.0.6. * gnu/packages/image.scm (jasper): Update to 2.0.6. --- gnu/packages/image.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 35abe9e911..36c07cb9bc 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -879,14 +879,14 @@ convert, manipulate, filter and display a wide variety of image formats.") (define-public jasper (package (name "jasper") - (version "2.0.0") + (version "2.0.6") (source (origin (method url-fetch) (uri (string-append "https://www.ece.uvic.ca/~frodo/jasper" "/software/jasper-" version ".tar.gz")) (sha256 (base32 - "1kg5yrdwgazhbczybyx4548m0ijssabcp8hl5l87w78z833vikks")))) + "0g6fl8rrbspa9vpswixmpxrg71l19kqgc2b5cak7vmwxphj01wbk")))) (build-system cmake-build-system) (inputs `(("libjpeg" ,libjpeg))) (synopsis "JPEG-2000 library") -- cgit 1.4.1 From a304b6c362dcfadfaa2cfe2a67f5e948f247fd51 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sat, 10 Dec 2016 21:45:29 +0200 Subject: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}. * gnu/packages/image.scm (openjpeg)[replacement]: New field. (openjpeg/fixed): New variable, patch against CVE-2016-9850, CVE-2016-9851. * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/image.scm | 13 ++ .../openjpeg-CVE-2016-9850-CVE-2016-9851.patch | 245 +++++++++++++++++++++ 3 files changed, 259 insertions(+) create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch (limited to 'gnu/packages/image.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 55dee48305..47c217bcc0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -769,6 +769,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjpeg-CVE-2015-6581.patch \ %D%/packages/patches/openjpeg-CVE-2016-5157.patch \ %D%/packages/patches/openjpeg-CVE-2016-7163.patch \ + %D%/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch \ %D%/packages/patches/openjpeg-use-after-free-fix.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssh-memory-exhaustion.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 36c07cb9bc..b9669ce177 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -444,6 +444,7 @@ work.") (define-public openjpeg (package (name "openjpeg") + (replacement openjpeg/fixed) (version "2.1.1") (source (origin @@ -480,9 +481,21 @@ error-resilience, a Java-viewer for j2k-images, ...") (home-page "https://github.com/uclouvain/openjpeg") (license license:bsd-2))) +(define openjpeg/fixed + (package + (inherit openjpeg) + (source + (origin + (inherit (package-source openjpeg)) + (patches + (append + (origin-patches (package-source openjpeg)) + (search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"))))))) + (define-public openjpeg-1 (package (inherit openjpeg) (name "openjpeg") + (replacement #f) (version "1.5.2") (source (origin diff --git a/gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch b/gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch new file mode 100644 index 0000000000..3f637fa88b --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch 
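Review bot: `openjpeg-1` opts out of the graft with `(replacement #f)`, so 1.5.2 stays unpatched, and nothing in the hunk says whether its TIFF converter has the same flaws; that should be checked or stated. `openjpeg/fixed` also has no comment saying what it fixes; `;; Graft: fixes CVE-2016-9850 and CVE-2016-9851 in the TIFF converter (converttif.c).` above the definition would help. According to the patch's own diffstat it touches only src/bin/jp2/converttif.c, so the graft should not alter the library ABI. The body of `openjpeg-1` continues outside the hunk.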
@@ -0,0 +1,245 @@ +From cadff5fb6e73398de26a92e96d3d7cac893af255 Mon Sep 17 00:00:00 2001 +From: szukw000 +Date: Fri, 9 Dec 2016 08:29:55 +0100 +Subject: [PATCH] These changes repair bugs of #871 and #872 + +email from http://openwall.com/lists/oss-security/2016/12/09/4 +patch is against openjpeg-2.1.2, applies cleanly to 2.1.1. + +--- + src/bin/jp2/converttif.c | 107 +++++++++++++++++++++++++++++++---------------- + 1 file changed, 70 insertions(+), 37 deletions(-) + +diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c +index 143d3be..c690f8b 100644 +--- a/src/bin/jp2/converttif.c ++++ b/src/bin/jp2/converttif.c +@@ -553,20 +553,18 @@ static void tif_32sto16u(const OPJ_INT32* pSrc, OPJ_UINT16* pDst, OPJ_SIZE_T len + + int imagetotif(opj_image_t * image, const char *outfile) + { +- int width, height; +- int bps,adjust, sgnd; +- int tiPhoto; ++ uint32 width, height, bps, tiPhoto; ++ int adjust, sgnd; + TIFF *tif; + tdata_t buf; +- tsize_t strip_size; ++ tmsize_t strip_size, rowStride; + OPJ_UINT32 i, numcomps; +- OPJ_SIZE_T rowStride; + OPJ_INT32* buffer32s = NULL; + OPJ_INT32 const* planes[4]; + convert_32s_PXCX cvtPxToCx = NULL; + convert_32sXXx_C1R cvt32sToTif = NULL; + +- bps = (int)image->comps[0].prec; ++ bps = (uint32)image->comps[0].prec; + planes[0] = image->comps[0].data; + + numcomps = image->numcomps; +@@ -674,13 +672,13 @@ int imagetotif(opj_image_t * image, const char *outfile) + break; + } + sgnd = (int)image->comps[0].sgnd; +- adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0; +- width = (int)image->comps[0].w; +- height = (int)image->comps[0].h; ++ adjust = sgnd ? 
(int)(1 << (image->comps[0].prec - 1)) : 0; ++ width = (uint32)image->comps[0].w; ++ height = (uint32)image->comps[0].h; + + TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width); + TIFFSetField(tif, TIFFTAG_IMAGELENGTH, height); +- TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, numcomps); ++ TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, (uint32)numcomps); + TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, bps); + TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT); + TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); +@@ -688,8 +686,8 @@ int imagetotif(opj_image_t * image, const char *outfile) + TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, 1); + + strip_size = TIFFStripSize(tif); +- rowStride = ((OPJ_SIZE_T)width * numcomps * (OPJ_SIZE_T)bps + 7U) / 8U; +- if (rowStride != (OPJ_SIZE_T)strip_size) { ++ rowStride = (width * numcomps * bps + 7U) / 8U; ++ if (rowStride != strip_size) { + fprintf(stderr, "Invalid TIFF strip size\n"); + TIFFClose(tif); + return 1; +@@ -699,7 +697,7 @@ int imagetotif(opj_image_t * image, const char *outfile) + TIFFClose(tif); + return 1; + } +- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)width * numcomps * sizeof(OPJ_INT32)); ++ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(width * numcomps * sizeof(OPJ_INT32))); + if (buffer32s == NULL) { + _TIFFfree(buf); + TIFFClose(tif); +@@ -1211,20 +1209,19 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + TIFF *tif; + tdata_t buf; + tstrip_t strip; +- tsize_t strip_size; ++ tmsize_t strip_size; + int j, currentPlane, numcomps = 0, w, h; + OPJ_COLOR_SPACE color_space = OPJ_CLRSPC_UNKNOWN; + opj_image_cmptparm_t cmptparm[4]; /* RGBA */ + opj_image_t *image = NULL; + int has_alpha = 0; +- unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC; +- unsigned int tiWidth, tiHeight; ++ uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC, tiWidth, tiHeight; + OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz); + convert_XXx32s_C1R cvtTifTo32s = NULL; + convert_32s_CXPX cvtCxToPx = NULL; + OPJ_INT32* 
buffer32s = NULL; + OPJ_INT32* planes[4]; +- OPJ_SIZE_T rowStride; ++ tmsize_t rowStride; + + tif = TIFFOpen(filename, "r"); + +@@ -1243,22 +1240,35 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp); + TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto); + TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC); +- w= (int)tiWidth; +- h= (int)tiHeight; +- +- if(tiBps > 16U) { +- fprintf(stderr,"tiftoimage: Bits=%d, Only 1 to 16 bits implemented\n",tiBps); +- fprintf(stderr,"\tAborting\n"); ++ ++ if(tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */ ++ fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n" ++ "\tAborting.\n", tiSpp); ++ TIFFClose(tif); ++ return NULL; ++ } ++ if(tiBps > 16U || tiBps == 0) { ++ fprintf(stderr,"tiftoimage: Bad values for Bits == %d.\n" ++ "\tMax. 16 Bits are allowed here.\n\tAborting.\n",tiBps); + TIFFClose(tif); + return NULL; + } + if(tiPhoto != PHOTOMETRIC_MINISBLACK && tiPhoto != PHOTOMETRIC_RGB) { +- fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto); ++ fprintf(stderr,"tiftoimage: Bad color format %d.\n" ++ "\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto); + fprintf(stderr,"\tAborting\n"); + TIFFClose(tif); + return NULL; + } +- ++ if(tiWidth == 0 || tiHeight == 0) { ++ fprintf(stderr,"tiftoimage: Bad values for width(%u) " ++ "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight); ++ TIFFClose(tif); ++ return NULL; ++ } ++ w= (int)tiWidth; ++ h= (int)tiHeight; ++ + switch (tiBps) { + case 1: + case 2: +@@ -1312,7 +1322,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + + TIFFGetFieldDefaulted(tif, TIFFTAG_EXTRASAMPLES, + &extrasamples, &sampleinfo); +- ++ + if(extrasamples >= 1) + { + switch(sampleinfo[0]) +@@ -1333,7 +1343,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + else /* extrasamples == 0 
*/ + if(tiSpp == 4 || tiSpp == 2) has_alpha = 1; + } +- ++ + /* initialize image components */ + memset(&cmptparm[0], 0, 4 * sizeof(opj_image_cmptparm_t)); + +@@ -1346,7 +1356,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + } else { + is_cinema = 0U; + } +- ++ + if(tiPhoto == PHOTOMETRIC_RGB) /* RGB(A) */ + { + numcomps = 3 + has_alpha; +@@ -1384,10 +1394,24 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + image->x0 = (OPJ_UINT32)parameters->image_offset_x0; + image->y0 = (OPJ_UINT32)parameters->image_offset_y0; + image->x1 = !image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 : +- image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1; ++ image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1; ++ if(image->x1 <= image->x0) { ++ fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. " ++ "image->x0(%d)\n\tAborting.\n",image->x1,image->x0); ++ TIFFClose(tif); ++ opj_image_destroy(image); ++ return NULL; ++ } + image->y1 = !image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 : +- image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1; +- ++ image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1; ++ if(image->y1 <= image->y0) { ++ fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. 
" ++ "image->y0(%d)\n\tAborting.\n",image->y1,image->y0); ++ TIFFClose(tif); ++ opj_image_destroy(image); ++ return NULL; ++ } ++ + for(j = 0; j < numcomps; j++) + { + planes[j] = image->comps[j].data; +@@ -1395,15 +1419,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + image->comps[numcomps - 1].alpha = (OPJ_UINT16)(1 - (numcomps & 1)); + + strip_size = TIFFStripSize(tif); +- ++ + buf = _TIFFmalloc(strip_size); + if (buf == NULL) { + TIFFClose(tif); + opj_image_destroy(image); + return NULL; + } +- rowStride = ((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U; +- buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)w * tiSpp * sizeof(OPJ_INT32)); ++ rowStride = (w * tiSpp * tiBps + 7U) / 8U; ++ buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32))); + if (buffer32s == NULL) { + _TIFFfree(buf); + TIFFClose(tif); +@@ -1421,11 +1445,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) + for(; (h > 0) && (strip < TIFFNumberOfStrips(tif)); strip++) + { + const OPJ_UINT8 *dat8; +- OPJ_SIZE_T ssize; ++ tmsize_t ssize; + +- ssize = (OPJ_SIZE_T)TIFFReadEncodedStrip(tif, strip, buf, strip_size); ++ ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size); ++ if(ssize < 1 || ssize > strip_size) { ++ fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) " ++ "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size); ++ _TIFFfree(buf); ++ _TIFFfree(buffer32s); ++ TIFFClose(tif); ++ opj_image_destroy(image); ++ return NULL; ++ } + dat8 = (const OPJ_UINT8*)buf; +- ++ + while (ssize >= rowStride) { + cvtTifTo32s(dat8, buffer32s, (OPJ_SIZE_T)w * tiSpp); + cvtCxToPx(buffer32s, planes, (OPJ_SIZE_T)w); -- cgit 1.4.1 From 0e8b7b1c351a2307bfc33211b4d76dbe7dfa01ef Mon Sep 17 00:00:00 2001 
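Review bot: The added size computations multiply in 32-bit arithmetic before widening, so they can wrap for very wide images: `rowStride = (w * tiSpp * tiBps + 7U) / 8U;` and `malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32)))` in tiftoimage, and the matching `width * numcomps * bps` lines in imagetotif, whereas the removed lines cast to OPJ_SIZE_T first. Because the later call still passes `(OPJ_SIZE_T)w * tiSpp` as the length, a wrapped allocation would be smaller than what the converter is told to fill; keep the cast on the first operand, e.g. `rowStride = (tmsize_t)(((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U);`, and reject dimensions whose product overflows. The patch also declares `tiSpp`, `tiPhoto` and `tiPC` as `uint32` while still passing their addresses to `TIFFGetField`; libtiff returns these tags as 16-bit values, so part of each variable may be left unset and the new range checks could then compare indeterminate data. Initialise them to zero or keep the 16-bit type. This is a vendored upstream patch and both functions continue outside the hunk, so these points are best raised upstream and the Guix copy refreshed once a revised fix exists.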
From: Leo Famulari Date: Sun, 11 Dec 2016 01:29:06 -0500 Subject: gnu: openjpeg: Update replacement to 2.1.2 [fixes CVE-2016-{7445,8332}]. * gnu/packages/image.scm (openjpeg/fixed): Replace variable with ... (openjpeg-2.1.2): ... this. [patches]: Remove patches inherited from openjpeg. (openjpeg)[replacement]: Replace with openjpeg-2.1.2. --- gnu/packages/image.scm | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index b9669ce177..86afb7320b 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -444,7 +444,7 @@ work.") (define-public openjpeg (package (name "openjpeg") - (replacement openjpeg/fixed) + (replacement openjpeg-2.1.2) (version "2.1.1") (source (origin @@ -481,16 +481,20 @@ error-resilience, a Java-viewer for j2k-images, ...") (home-page "https://github.com/uclouvain/openjpeg") (license license:bsd-2))) -(define openjpeg/fixed +(define openjpeg-2.1.2 (package (inherit openjpeg) + (version "2.1.2") (source (origin - (inherit (package-source openjpeg)) + (method url-fetch) + (uri (string-append "https://github.com/uclouvain/openjpeg/archive/v" + version ".tar.gz")) + (sha256 + (base32 + "19yz4g0c45sm8y1z01j9djsrl1mkz3pmw7fykc6hkvrqymp7prsc")) (patches - (append - (origin-patches (package-source openjpeg)) - (search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"))))))) + (search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch")))))) (define-public openjpeg-1 (package (inherit openjpeg) -- cgit 1.4.1 From 5ce09ef18ffa35fe90a5f3c674bd91151a4338fb Mon Sep 17 00:00:00 2001 
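Review bot: `(replacement openjpeg-2.1.2)` now grafts a different upstream release onto 2.1.1, which is only safe if 2.1.2 keeps the same library ABI; the hunk does not record that this was checked. The fresh origin carries only `openjpeg-CVE-2016-9850-CVE-2016-9851.patch`, so the fixes from the patches on the 2.1.1 origin (not visible in this hunk) need to be confirmed as present in 2.1.2. A comment above the definition, such as `;; Grafted onto 2.1.1; 2.1.2 is expected to be ABI-compatible and to include the earlier patches.`, would record both assumptions.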
From: Leo Famulari Date: Sun, 11 Dec 2016 02:22:15 -0500 Subject: gnu: openjpeg-2.1.2: Use a meaningful file-name for the source code. This is a followup to commit 0e8b7b1c351a2307bfc33211b4d76dbe7dfa01ef. * gnu/packages/image.scm (openjpeg-2.1.2)[source]: Give a meaningful file-name. --- gnu/packages/image.scm | 2 ++ 1 file changed, 2 insertions(+) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 86afb7320b..22f711606d 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -484,12 +484,14 @@ error-resilience, a Java-viewer for j2k-images, ...") (define openjpeg-2.1.2 (package (inherit openjpeg) + (name "openjpeg") (version "2.1.2") (source (origin (method url-fetch) (uri (string-append "https://github.com/uclouvain/openjpeg/archive/v" version ".tar.gz")) + (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 "19yz4g0c45sm8y1z01j9djsrl1mkz3pmw7fykc6hkvrqymp7prsc")) -- cgit 1.4.1 From e90a706e1686aaf3a1004683be8a3f3a4cbaf22e Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 13 Dec 2016 10:04:11 +0200 Subject: gnu: libjpeg-turbo: Fix build on mips. * gnu/packages/image.scm (libjpeg-turbo)[arguments]: Add substitution to set variable type before use. --- gnu/packages/image.scm | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 4967f83ed9..7429e9b649 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
@@ -1068,7 +1068,17 @@ PNG, and performs PNG integrity checks and corrections.") (native-inputs `(("nasm" ,nasm))) (arguments - `(#:test-target "test")) + '(#:test-target "test" + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'set-env-on-MIPS + ;; This is borrowed from Debian's patchset for libjpeg + ;; https://sources.debian.net/data/main/libj/libjpeg-turbo/1:1.5.1-2/debian/patches/0001-Declare-env-on-MIPS-on-first-use-Courtesy-of-Aurelie.patch + (lambda _ + (substitute* "simd/jsimd_mips.c" + (("env = getenv\\(\"JSIMD_FORCEDSPR2") + "char *env = getenv\(\"JSIMD_FORCEDSPR2")) + #t))))) (home-page "http://www.libjpeg-turbo.org/") (synopsis "SIMD-accelerated JPEG image handling library") (description "libjpeg-turbo is a JPEG image codec that accelerates baseline -- cgit 1.4.1 From bee075e7068c0bc7cfe5583fc56332d2560de106 Mon Sep 17 00:00:00 2001 From: Alex Kost Date: Tue, 13 Dec 2016 19:52:13 +0300 Subject: gnu: libjpeg-turbo: Fix typo. This is a followup to commit e90a706e1686aaf3a1004683be8a3f3a4cbaf22e. * gnu/packages/image.scm (libjpeg-turbo): Remove extra "\". --- gnu/packages/image.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 7429e9b649..487635de15 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -1077,7 +1077,7 @@ PNG, and performs PNG integrity checks and corrections.") (lambda _ (substitute* "simd/jsimd_mips.c" (("env = getenv\\(\"JSIMD_FORCEDSPR2") - "char *env = getenv\(\"JSIMD_FORCEDSPR2")) + "char *env = getenv(\"JSIMD_FORCEDSPR2")) #t))))) (home-page "http://www.libjpeg-turbo.org/") (synopsis "SIMD-accelerated JPEG image handling library") -- cgit 1.4.1 From d02fb7cec6d74afd3fc24d31afeb7a3731b704e7 Mon Sep 17 00:00:00 2001 From: Taylan Ulrich Bayırlı/Kammer Date: Thu, 15 Dec 2016 09:39:30 +0100 Subject: gnu: leptonica: Update to 1.74.0. * gnu/packages/image.scm (leptonica): Update to 1.74.0. 
Signed-off-by: Marius Bakke --- gnu/packages/image.scm | 60 +++++++++++++++++++------------------------------- 1 file changed, 23 insertions(+), 37 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 487635de15..1c500b3341 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -329,28 +329,23 @@ the W3C's XML-based Scaleable Vector Graphic (SVG) format.") (define-public leptonica (package (name "leptonica") - (version "1.72") + (version "1.74.0") (source (origin (method url-fetch) - (uri (string-append "http://www.leptonica.com/source/leptonica-" - version ".tar.gz")) + (uri (string-append + "https://github.com/DanBloomberg/leptonica/archive/" version + ".tar.gz")) + (file-name (string-append "leptonica-" version ".tar.gz")) (sha256 - (base32 "0mhzvqs0im04y1cpcc1yma70hgdac1frf33h73m9z3356bfymmbr")) - (modules '((guix build utils))) - ;; zlib and openjpg should be under Libs, not Libs.private. See: - ;; https://code.google.com/p/tesseract-ocr/issues/detail?id=1436 - (snippet - '(substitute* "lept.pc.in" - (("^(Libs\\.private: .*)@ZLIB_LIBS@(.*)" all pre post) - (string-append pre post)) - (("^(Libs\\.private: .*)@JPEG_LIBS@(.*)" all pre post) - (string-append pre post)) - (("^Libs: .*" all) - (string-append all " @ZLIB_LIBS@ @JPEG_LIBS@")))))) + (base32 "0i2a4vx9gizki0wgmv03xjz8j9d8agkvbag1a8m4kcw4asd4p87g")))) (build-system gnu-build-system) (native-inputs - `(("gnuplot" ,gnuplot))) ;needed for test suite + `(("gnuplot" ,gnuplot) ;needed for test suite + ("autoconf" ,autoconf) + ("automake" ,automake) + ("libtool" ,libtool) + ("pkg-config" ,pkg-config))) (inputs `(("giflib" ,giflib) ("libjpeg" ,libjpeg) 
@@ -358,31 +353,22 @@ the W3C's XML-based Scaleable Vector Graphic (SVG) format.") ("libtiff" ,libtiff) ("libwebp" ,libwebp))) (propagated-inputs + ;; Linking a program with leptonica also requires these. `(("openjpeg" ,openjpeg) ("zlib" ,zlib))) (arguments - '(#:parallel-tests? #f ; XXX: cause fpix1_reg to fail - #:phases + '(#:phases (modify-phases %standard-phases - ;; Prevent make from trying to regenerate config.h.in. - (add-after - 'unpack 'set-config-h-in-file-time - (lambda _ - (set-file-time "config/config.h.in" (stat "configure")))) - (add-after - 'unpack 'patch-reg-wrapper - (lambda _ - (substitute* "prog/reg_wrapper.sh" - ((" /bin/sh ") - (string-append " " (which "sh") " ")) - (("which gnuplot") (which "gnuplot"))))) - (add-before - 'check 'disable-failing-tests - ;; XXX: 2 of 9 tests from webpio_reg fails. - (lambda _ - (substitute* "prog/webpio_reg.c" - ((".*DoWebpTest2.* 90.*") "") - ((".*DoWebpTest2.* 100.*") ""))))))) + (add-after 'unpack 'autogen + (lambda _ + (zero? (system* "sh" "autobuild")))) + (add-after 'unpack 'patch-reg-wrapper + (lambda _ + (substitute* "prog/reg_wrapper.sh" + ((" /bin/sh ") + (string-append " " (which "sh") " ")) + (("which gnuplot") + "true"))))))) (home-page "http://www.leptonica.com/") (synopsis "Library and tools for image processing and analysis") (description -- cgit 1.4.1 From 322e724bfad9f82149c3f83416234ab19486a229 Mon Sep 17 00:00:00 2001 
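Review bot: In `patch-reg-wrapper`, the rule `(("which gnuplot") "true")` replaces the wrapper's gnuplot lookup with a command that always succeeds, where the old rule substituted the result of `(which "gnuplot")`, and the hunk gives no reason. If the intent is that gnuplot from `native-inputs` is found on PATH during `check`, a comment such as `;; gnuplot is on PATH via native-inputs; skip the wrapper's own lookup.` would say so. Without that, a reader cannot tell whether tests that need plotting still exercise it. The phase also ends on the value of `substitute*`, unlike `autogen` above it, which returns a boolean, so closing the lambda with `#t` would keep the two consistent.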
From: Leo Famulari Date: Thu, 29 Dec 2016 13:01:55 -0500 Subject: gnu: libpng: Fix a null pointer dereference [fixes security issue]. * gnu/packages/patches/libpng-fix-null-ptr-dereference.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/image.scm (libpng)[replacement]: New field. (libpng/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/image.scm | 9 ++++++ .../patches/libpng-fix-null-ptr-dereference.patch | 36 ++++++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 gnu/packages/patches/libpng-fix-null-ptr-dereference.patch (limited to 'gnu/packages/image.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 106adb2351..38c1b0b94e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -675,6 +675,7 @@ dist_patch_DATA = \ %D%/packages/patches/libmad-armv7-thumb-pt2.patch \ %D%/packages/patches/libmad-frame-length.patch \ %D%/packages/patches/libmad-mips-newgcc.patch \ + %D%/packages/patches/libpng-fix-null-ptr-dereference.patch \ %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtheora-config-guess.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 1c500b3341..69eeaed58d 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -64,6 +64,7 @@ (define-public libpng (package (name "libpng") + (replacement libpng/fixed) (version "1.6.25") (source (origin (method url-fetch) @@ -88,6 +89,14 @@ library. It supports almost all PNG features and is extensible.") (license license:zlib) (home-page "http://www.libpng.org/pub/png/libpng.html"))) +(define libpng/fixed + (package + (inherit libpng) + (source + (origin + (inherit (package-source libpng)) + (patches (search-patches "libpng-fix-null-ptr-dereference.patch")))))) + (define-public libpng-1.2 (package (inherit libpng) 
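Review bot: In `libpng/fixed`, the field `(patches (search-patches "libpng-fix-null-ptr-dereference.patch"))` replaces the patch list of the inherited origin rather than extending it. The base `origin` of `libpng` is only partly visible in these hunks, so I cannot tell whether it carries patches today. If it does, or gains one later, the graft would silently build without them. Writing it as `(patches (append (origin-patches (package-source libpng)) (search-patches "libpng-fix-null-ptr-dereference.patch")))` keeps both. The same form is carried over unchanged in the later hunk that renames the patch to libpng-CVE-2016-10087.patch.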
diff --git a/gnu/packages/patches/libpng-fix-null-ptr-dereference.patch b/gnu/packages/patches/libpng-fix-null-ptr-dereference.patch new file mode 100644 index 0000000000..192459162b --- /dev/null +++ b/gnu/packages/patches/libpng-fix-null-ptr-dereference.patch @@ -0,0 +1,36 @@ +Fix a null pointer dereference in png_set_text_2(): + +http://seclists.org/oss-sec/2016/q4/777 + +Patch adapted from upstream source repository: + +https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/ + +From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Thu, 29 Dec 2016 07:51:33 -0600 +Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in + png_set_text_2() + +(bug report and patch by Patrick Keshishian). +--- + ANNOUNCE | 2 ++ + CHANGES | 2 ++ + png.c | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/png.c b/png.c +index 8afc28fc2..2e05de159 100644 +--- a/png.c ++++ b/png.c +@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, + png_free(png_ptr, info_ptr->text); + info_ptr->text = NULL; + info_ptr->num_text = 0; ++ info_ptr->max_text = 0; + } + } + #endif +-- +2.11.0 + -- cgit 1.4.1 From fc604eda3da1fa5dcd895024c3830fe5d68ede9d Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 29 Dec 2016 13:39:11 -0500 Subject: gnu: libpng-1.2: Update to 1.2.57 [security update]. * gnu/packages/image.scm (libpng-1.2): Update to 1.2.57. [replacement]: New field. --- gnu/packages/image.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 69eeaed58d..687596f966 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
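Review bot: The header of the new patch file names `png_set_text_2()` as the site of the null pointer dereference, but the one-line fix is in `png_free_data()`, and nothing in the header connects the two. A sentence would make the patch auditable without opening the mailing-list thread, for example `png_free_data() left max_text at its old value after freeing the text array, so a later png_set_text_2() could treat the array as still allocated.` That mechanism is inferred from the hunk and the function names, so it should be checked against the upstream report before it is added. The retained diffstat still lists ANNOUNCE and CHANGES although only the png.c hunk is carried, which is worth a word next to "Patch adapted from upstream". The copy added later as libpng-CVE-2016-10087.patch has the same header gap.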
@@ -100,7 +100,8 @@ library. It supports almost all PNG features and is extensible.") (define-public libpng-1.2 (package (inherit libpng) - (version "1.2.56") + (replacement #f) + (version "1.2.57") (source (origin (method url-fetch) @@ -111,7 +112,7 @@ library. It supports almost all PNG features and is extensible.") "ftp://ftp.simplesystems.org/pub/libpng/png/src" "/libpng12/libpng-" version ".tar.xz"))) (sha256 - (base32 "1ghd03p353x0vi4dk83n1nlldg11w7vqdk3f99rkgfb82ic59ki4")))))) + (base32 "1n2lrzjkm5jhfg2bs10q398lkwbbx742fi27zgdgx0x23zhj0ihg")))))) (define-public libjpeg (package -- cgit 1.4.1 From 858b9afeaf1b41dc524b50c568dccb38c8ef4e73 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 30 Dec 2016 14:29:48 -0500 Subject: gnu: libpng: Mention CVE-2016-10087. * gnu/packages/patches/libpng-fix-null-ptr-dereference.patch: Rename to ... * gnu/packages/patches/libpng-CVE-2016-10087.patch: ... this. * gnu/local.mk (dist_patch_DATA): Adjust. * gnu/packages/image.scm (libpng/fixed)[source]: Use renamed patch. --- gnu/local.mk | 2 +- gnu/packages/image.scm | 2 +- gnu/packages/patches/libpng-CVE-2016-10087.patch | 37 ++++++++++++++++++++++ .../patches/libpng-fix-null-ptr-dereference.patch | 36 --------------------- 4 files changed, 39 insertions(+), 38 deletions(-) create mode 100644 gnu/packages/patches/libpng-CVE-2016-10087.patch delete mode 100644 gnu/packages/patches/libpng-fix-null-ptr-dereference.patch (limited to 'gnu/packages/image.scm') diff --git a/gnu/local.mk b/gnu/local.mk index b7c182fbf6..69633131e6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
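Review bot: The added `(replacement #f)` in `libpng-1.2` has no comment, and its purpose is clear only to a reader who remembers that the package inherits from `libpng`, which now carries `(replacement libpng/fixed)`. I would put `;; Do not inherit libpng's graft; this variant is updated directly.` above the field, so it is neither removed as dead code nor left behind once the graft on `libpng` goes away. Whether 1.2.57 itself contains the `png_set_text_2()` fix is not visible in this hunk. The commit title only calls it a security update, so naming the issue it addresses in the commit message would help anyone tracking which variants are covered.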
@@ -675,7 +675,7 @@ dist_patch_DATA = \ %D%/packages/patches/libmad-armv7-thumb-pt2.patch \ %D%/packages/patches/libmad-frame-length.patch \ %D%/packages/patches/libmad-mips-newgcc.patch \ - %D%/packages/patches/libpng-fix-null-ptr-dereference.patch \ + %D%/packages/patches/libpng-CVE-2016-10087.patch \ %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtheora-config-guess.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 687596f966..ab4d3b0e57 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -95,7 +95,7 @@ library. It supports almost all PNG features and is extensible.") (source (origin (inherit (package-source libpng)) - (patches (search-patches "libpng-fix-null-ptr-dereference.patch")))))) + (patches (search-patches "libpng-CVE-2016-10087.patch")))))) (define-public libpng-1.2 (package diff --git a/gnu/packages/patches/libpng-CVE-2016-10087.patch b/gnu/packages/patches/libpng-CVE-2016-10087.patch new file mode 100644 index 0000000000..8093b3e448 --- /dev/null +++ b/gnu/packages/patches/libpng-CVE-2016-10087.patch 
@@ -0,0 +1,37 @@ +Fix CVE-2016-10087, a null pointer dereference in png_set_text_2(): + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087 +http://seclists.org/oss-sec/2016/q4/777 + +Patch adapted from upstream source repository: + +https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/ + +From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Thu, 29 Dec 2016 07:51:33 -0600 +Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in + png_set_text_2() + +(bug report and patch by Patrick Keshishian). +--- + ANNOUNCE | 2 ++ + CHANGES | 2 ++ + png.c | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/png.c b/png.c +index 8afc28fc2..2e05de159 100644 +--- a/png.c ++++ b/png.c +@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, + png_free(png_ptr, info_ptr->text); + info_ptr->text = NULL; + info_ptr->num_text = 0; ++ info_ptr->max_text = 0; + } + } + #endif +-- +2.11.0 + diff --git a/gnu/packages/patches/libpng-fix-null-ptr-dereference.patch b/gnu/packages/patches/libpng-fix-null-ptr-dereference.patch deleted file mode 100644 index 192459162b..0000000000 --- a/gnu/packages/patches/libpng-fix-null-ptr-dereference.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Fix a null pointer dereference in png_set_text_2(): - -http://seclists.org/oss-sec/2016/q4/777 - -Patch adapted from upstream source repository: - -https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/ - -From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001 -From: Glenn Randers-Pehrson -Date: Thu, 29 Dec 2016 07:51:33 -0600 -Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in - png_set_text_2() - -(bug report and patch by Patrick Keshishian). ---- - ANNOUNCE | 2 ++ - CHANGES | 2 ++ - png.c | 1 + - 3 files changed, 5 insertions(+) - -diff --git a/png.c b/png.c -index 8afc28fc2..2e05de159 100644 ---- a/png.c -+++ b/png.c -@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, - png_free(png_ptr, info_ptr->text); - info_ptr->text = NULL; - info_ptr->num_text = 0; -+ info_ptr->max_text = 0; - } - } - #endif --- -2.11.0 - -- cgit 1.4.1 From 4b50daab0051852612ddfbd3077678f1bfad7b03 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 2 Jan 2017 13:33:50 +0200 Subject: gnu: jasper: Update to 2.0.10. * gnu/packages/image.scm (jasper): Update to 2.0.10. --- gnu/packages/image.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index ab4d3b0e57..3b081c12da 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -8,7 +8,7 @@ ;;; Copyright © 2015 Amirouche Boubekki ;;; Copyright © 2014 John Darrington ;;; Copyright © 2016 Leo Famulari -;;; Copyright © 2016 Efraim Flashner +;;; Copyright © 2016, 2017 Efraim Flashner ;;; Copyright © 2016 Tobias Geerinckx-Rice ;;; Copyright © 2016 Eric Bavier ;;; Copyright © 2016 Arun Isaac 
@@ -875,14 +875,14 @@ convert, manipulate, filter and display a wide variety of image formats.") (define-public jasper (package (name "jasper") - (version "2.0.6") + (version "2.0.10") (source (origin (method url-fetch) (uri (string-append "https://www.ece.uvic.ca/~frodo/jasper" "/software/jasper-" version ".tar.gz")) (sha256 (base32 - "0g6fl8rrbspa9vpswixmpxrg71l19kqgc2b5cak7vmwxphj01wbk")))) + "1s022mfxyw8jw60fgyj60lbm9h6bc4nk2751b0in8qsjwcl59n2l")))) (build-system cmake-build-system) (inputs `(("libjpeg" ,libjpeg))) (synopsis "JPEG-2000 library") -- cgit 1.4.1 From 3b3b60d0370f0a93be075341152b623d58632fa2 Mon Sep 17 00:00:00 2001 
From: Tobias Geerinckx-Rice Date: Wed, 4 Jan 2017 01:30:46 +0100 Subject: gnu: Use HTTPS for all sourceforge.net home pages. * gnu/packages/admin.scm (mingetty, clusterssh)[home-page]: Use HTTPS. * gnu/packages/audio.scm (libbs2b, soxr)[home-page]: Likewise. * gnu/packages/bioinformatics.scm (bless)[home-page]: Likewise. * gnu/packages/display-managers.scm (slim)[home-page]: Likewise. * gnu/packages/games.scm (extremetuxracer)[home-page]: Likewise. * gnu/packages/ghostscript.scm (gs-fonts)[home-page]: Likewise. * gnu/packages/haskell.scm (ghc-regex-base, ghc-regex-posix, ghc-regex-compat)[home-page]: Likewise. * gnu/packages/image.scm (imlib2)[home-page]: Likewise. * gnu/packages/libreoffice.scm (librevenge, libcmis, libodfgen, libmwaw) [home-page]: Likewise. * gnu/packages/linux.scm (hdparm, acpid, libavc1394, rng-tools) [home-page]: Likewise. * gnu/packages/mail.scm (esmtp)[home-page]: Likewise. * gnu/packages/mp3.scm (ripperx)[home-page]: Likewise. * gnu/packages/onc-rpc.scm (libtirpc)[home-page]: Likewise. * gnu/packages/perl.scm (perl-czplib)[home-page]: Likewise. * gnu/packages/python.scm (python-pyasn1-modules)[home-page]: Likewise. * gnu/packages/xdisorg.scm (xosd)[home-page]: Likewise. --- gnu/packages/admin.scm | 4 ++-- gnu/packages/audio.scm | 4 ++-- gnu/packages/bioinformatics.scm | 2 +- gnu/packages/display-managers.scm | 2 +- gnu/packages/games.scm | 2 +- gnu/packages/ghostscript.scm | 2 +- gnu/packages/haskell.scm | 6 +++--- gnu/packages/image.scm | 2 +- gnu/packages/libreoffice.scm | 8 ++++---- gnu/packages/linux.scm | 8 ++++---- gnu/packages/mail.scm | 2 +- gnu/packages/mp3.scm | 2 +- gnu/packages/onc-rpc.scm | 2 +- gnu/packages/perl.scm | 2 +- gnu/packages/python.scm | 2 +- gnu/packages/xdisorg.scm | 2 +- 16 files changed, 26 insertions(+), 26 deletions(-) (limited to 'gnu/packages/image.scm') diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index d0cded509e..8a7dc6af89 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm 
@@ -362,7 +362,7 @@ login, passwd, su, groupadd, and useradd.") #:tests? #f)) ; no tests (inputs `(("shadow" ,shadow))) - (home-page "http://sourceforge.net/projects/mingetty") + (home-page "https://sourceforge.net/projects/mingetty") (synopsis "Getty for the text console") (description "Small console getty that is started on the Linux text console, @@ -717,7 +717,7 @@ by bandwidth they use.") `("PERL5LIB" ":" prefix (,x11-inc ,tk-inc))))) %standard-phases))) ;; The clusterssh.sourceforge.net address requires login to view - (home-page "http://sourceforge.net/projects/clusterssh/") + (home-page "https://sourceforge.net/projects/clusterssh/") (synopsis "Secure concurrent multi-server terminal control") (description "ClusterSSH controls a number of xterm windows via a single graphical diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm index 641d44cea7..2e43bafa13 100644 --- a/gnu/packages/audio.scm +++ b/gnu/packages/audio.scm @@ -1448,7 +1448,7 @@ connections between them.") (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) (inputs `(("libsndfile" ,libsndfile))) - (home-page "http://sourceforge.net/projects/bs2b/") + (home-page "https://sourceforge.net/projects/bs2b/") (synopsis "Bauer stereophonic-to-binaural DSP") (description "The Bauer stereophonic-to-binaural DSP (bs2b) library and plugins is @@ -2279,7 +2279,7 @@ can play and record audio files.") (base32 "1hmadwqfpg15vhwq9pa1sl5xslibrjpk6hpq2s9hfmx1s5l6ihfw")))) (build-system cmake-build-system) (arguments '(#:tests? #f)) ;no 'check' target - (home-page "http://sourceforge.net/p/soxr/wiki/Home/") + (home-page "https://sourceforge.net/p/soxr/wiki/Home/") (synopsis "One-dimensional sample-rate conversion library") (description "The SoX Resampler library (libsoxr) performs one-dimensional sample-rate diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm index 82620925a6..6b363afe0c 100644 --- a/gnu/packages/bioinformatics.scm 
+++ b/gnu/packages/bioinformatics.scm @@ -1097,7 +1097,7 @@ confidence to have in an alignment.") ("pigz" ,pigz) ("zlib" ,zlib))) (supported-systems '("x86_64-linux")) - (home-page "http://sourceforge.net/p/bless-ec/wiki/Home/") + (home-page "https://sourceforge.net/p/bless-ec/wiki/Home/") (synopsis "Bloom-filter-based error correction tool for NGS reads") (description "@dfn{Bloom-filter-based error correction solution for high-throughput diff --git a/gnu/packages/display-managers.scm b/gnu/packages/display-managers.scm index 0eca94550b..80b45af103 100644 --- a/gnu/packages/display-managers.scm +++ b/gnu/packages/display-managers.scm @@ -235,7 +235,7 @@ create smooth, animated user interfaces.") #:tests? #f)) ;; This used to be at . - (home-page "http://sourceforge.net/projects/slim.berlios/") + (home-page "https://sourceforge.net/projects/slim.berlios/") (synopsis "Desktop-independent graphical login manager for X11") (description "SLiM is a Desktop-independent graphical login manager for X11, derived diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm index daad696fce..c449f59549 100644 --- a/gnu/packages/games.scm +++ b/gnu/packages/games.scm @@ -968,7 +968,7 @@ Collect herrings and other goodies while sliding down the hill, but avoid fish bones. This game is based on the GPL version of the famous game TuxRacer.") - (home-page "http://sourceforge.net/projects/extremetuxracer/") + (home-page "https://sourceforge.net/projects/extremetuxracer/") (license license:gpl2+))) (define-public supertuxkart diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index b254b80782..46b8c51299 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm 
@@ -293,7 +293,7 @@ architecture.") "Ghostscript fonts provides fonts and font metrics customarily distributed with Ghostscript. It currently includes the 35 standard PostScript fonts.") (license license:gpl2) - (home-page "http://sourceforge.net/projects/gs-fonts/"))) + (home-page "https://sourceforge.net/projects/gs-fonts/"))) (define-public libspectre (package diff --git a/gnu/packages/haskell.scm b/gnu/packages/haskell.scm index 8e5927a00b..8dd9dd41d7 100644 --- a/gnu/packages/haskell.scm +++ b/gnu/packages/haskell.scm @@ -2200,7 +2200,7 @@ removed. Both IPv4 and IPv6 are supported.") (inputs `(("ghc-mtl" ,ghc-mtl))) (home-page - "http://sourceforge.net/projects/lazy-regex") + "https://sourceforge.net/projects/lazy-regex") (synopsis "Replaces/Enhances Text.Regex") (description "@code{Text.Regex.Base} provides the interface API for regex-posix, regex-pcre, regex-parsec, regex-tdfa, regex-dfa.") @@ -2223,7 +2223,7 @@ regex-posix, regex-pcre, regex-parsec, regex-tdfa, regex-dfa.") (build-system haskell-build-system) (inputs `(("ghc-regex-base" ,ghc-regex-base))) - (home-page "http://sourceforge.net/projects/lazy-regex") + (home-page "https://sourceforge.net/projects/lazy-regex") (synopsis "POSIX regular expressions for Haskell") (description "This library provides the POSIX regex backend used by the Haskell library @code{regex-base}.") @@ -2247,7 +2247,7 @@ Haskell library @code{regex-base}.") (inputs `(("ghc-regex-base" ,ghc-regex-base) ("ghc-regex-posix" ,ghc-regex-posix))) - (home-page "http://sourceforge.net/projects/lazy-regex") + (home-page "https://sourceforge.net/projects/lazy-regex") (synopsis "Replaces/Enhances Text.Regex") (description "This library provides one module layer over @code{regex-posix} to replace @code{Text.Regex}.") diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 3b081c12da..4e40533a21 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
@@ -580,7 +580,7 @@ compose, and analyze GIF images.") ("libtiff" ,libtiff) ("giflib" ,giflib) ("bzip2" ,bzip2))) - (home-page "http://sourceforge.net/projects/enlightenment/") + (home-page "https://sourceforge.net/projects/enlightenment/") (synopsis "Loading, saving, rendering and manipulating image files") (description diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm index 78579bbb01..79712121ea 100644 --- a/gnu/packages/libreoffice.scm +++ b/gnu/packages/libreoffice.scm @@ -144,7 +144,7 @@ CSV, CSS and XML.") `(#:configure-flags '("--disable-werror" ;; Avoid undefined library references "LDFLAGS=-lboost_system"))) - (home-page "http://sourceforge.net/p/libwpd/wiki/librevenge/") + (home-page "https://sourceforge.net/p/libwpd/wiki/librevenge/") (synopsis "Document importer for office suites") (description "Librevenge is a base library for writing document import filters. It has interfaces for text documents, vector graphics, @@ -275,7 +275,7 @@ working with graphics in the WPG (WordPerfect Graphics) format.") ;; fails without the following flag. (string-append "--with-boost=" (assoc-ref %build-inputs "boost"))))) - (home-page "http://sourceforge.net/projects/libcmis/") + (home-page "https://sourceforge.net/projects/libcmis/") (synopsis "CMIS client library") (description "LibCMIS is a C++ client library for the CMIS interface. It allows C++ applications to connect to any ECM behaving as a CMIS server such @@ -561,7 +561,7 @@ Microsoft Visio documents of all versions.") (arguments ;; avoid triggering configure errors by simple inclusion of boost headers `(#:configure-flags '("--disable-werror"))) - (home-page "http://sourceforge.net/p/libwpd/wiki/libodfgen/") + (home-page "https://sourceforge.net/p/libwpd/wiki/libodfgen/") (synopsis "ODF (Open Document Format) library") (description "Libodfgen is a library for generating documents in the Open Document Format (ODF). It provides generator implementations for all 
@@ -592,7 +592,7 @@ text documents, vector drawings, presentations and spreadsheets.") (arguments ;; avoid triggering configure errors by simple inclusion of boost headers `(#:configure-flags '("--disable-werror"))) - (home-page "http://sourceforge.net/p/libmwaw/wiki/Home/") + (home-page "https://sourceforge.net/p/libmwaw/wiki/Home/") (synopsis "Import library for some old Macintosh text documents") (description "Libmwaw contains some import filters for old Macintosh text documents (MacWrite, ClarisWorks, ... ) and for some graphics and diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index f0d01ece2c..0c191629ce 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -2216,7 +2216,7 @@ thanks to the use of namespaces.") "CC=gcc")) #:phases (alist-delete 'configure %standard-phases) #:tests? #f)) ; no test suite - (home-page "http://sourceforge.net/projects/hdparm/") + (home-page "https://sourceforge.net/projects/hdparm/") (synopsis "Tune hard disk parameters for high performance") (description "Get/set device parameters for Linux SATA/IDE drives. It's primary use @@ -2282,7 +2282,7 @@ about ACPI devices.") (base32 "1vl7c6vc724v4jwki17czgj6lnrknnj1a6llm8gkl32i2gnam5j3")))) (build-system gnu-build-system) - (home-page "http://sourceforge.net/projects/acpid2/") + (home-page "https://sourceforge.net/projects/acpid2/") (synopsis "Daemon for delivering ACPI events to user-space programs") (description "acpid is designed to notify user-space programs of Advanced @@ -2407,7 +2407,7 @@ protocol in question.") `(("pkg-config" ,pkg-config))) (propagated-inputs `(("libraw1394" ,libraw1394))) ; required by libavc1394.pc - (home-page "http://sourceforge.net/projects/libavc1394/") + (home-page "https://sourceforge.net/projects/libavc1394/") (synopsis "AV/C protocol library for IEEE 1394") (description "Libavc1394 is a programming interface to the AV/C specification from 
@@ -2888,7 +2888,7 @@ The package provides additional NTFS tools.") (description "Monitor a hardware random number generator, and supply entropy from that to the system kernel's @file{/dev/random} machinery.") - (home-page "http://sourceforge.net/projects/gkernel") + (home-page "https://sourceforge.net/projects/gkernel") ;; The source package is offered under the GPL2+, but the files ;; 'rngd_rdrand.c' and 'rdrand_asm.S' are only available under the GPL2. (license (list license:gpl2 license:gpl2+)))) diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index f198e19f29..70d9b4eee2 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -1251,7 +1251,7 @@ program's primary purpose.") ("libtool" ,libtool))) (inputs `(("libesmtp" ,libesmtp))) - (home-page "http://sourceforge.net/projects/esmtp/") + (home-page "https://sourceforge.net/projects/esmtp/") (synopsis "Relay-only mail transfer agent (MTA)") (description "Esmtp is a simple relay-only mail transfer agent built using libESMTP. It sends e-mail via a remote SMTP server using credentials from the diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 057c3d72df..4f799bd200 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -392,7 +392,7 @@ Ogg, MP3, or FLAC formats. Its goal is to be easy to use, requiring only a few mouse clicks to convert an entire album. It supports CDDB lookups for album and track information.") (license license:gpl2) - (home-page "http://sourceforge.net/projects/ripperx/"))) + (home-page "https://sourceforge.net/projects/ripperx/"))) (define-public libmpcdec (package diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm index 8ef3e9f112..5353846ece 100644 --- a/gnu/packages/onc-rpc.scm +++ b/gnu/packages/onc-rpc.scm 
@@ -55,7 +55,7 @@ ;; 'patch-source-shebangs' file tree traversal. (delete-file "INSTALL")))))) (inputs `(("mit-krb5" ,mit-krb5))) - (home-page "http://sourceforge.net/projects/libtirpc/") + (home-page "https://sourceforge.net/projects/libtirpc/") (synopsis "Transport-independent Sun/ONC RPC implementation") (description "This package provides a library that implements the Sun/ONC RPC (remote diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index d8c217f30f..8f103ec6d7 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm @@ -1322,7 +1322,7 @@ Password Generator\".") ,(package-version perl) "/czplib/")) #t))))) - (home-page "http://sourceforge.net/projects/czplib/") + (home-page "https://sourceforge.net/projects/czplib/") (synopsis "Library for genomic analysis") (description "Chaolin Zhang's Perl Library (czplib) contains assorted functions and data structures for processing and analysing genomic and diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index f0eb5e01fd..04cd3fa905 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -6555,7 +6555,7 @@ suitable for a wide range of protocols based on the ASN.1 specification.") (build-system python-build-system) (propagated-inputs `(("python-pyasn1" ,python-pyasn1))) - (home-page "http://sourceforge.net/projects/pyasn1/") + (home-page "https://sourceforge.net/projects/pyasn1/") (synopsis "ASN.1 codec implementations") (description "Pyasn1-modules is a collection of Python modules providing ASN.1 types and diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index c7ba41bdd2..615e539e20 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm 
@@ -601,7 +601,7 @@ X Window System.") ("libxt" ,libxt) ("libxext" ,libxext) ("libxinerama" ,libxinerama))) - (home-page "http://sourceforge.net/projects/libxosd/") + (home-page "https://sourceforge.net/projects/libxosd/") (synopsis "X On Screen Display") (description "XOSD provides a C library and a simple utility (osd_cat) for displaying -- cgit 1.4.1