01/01: gnu: graphicsmagick: Fix CVE-2016-5118.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: graphicsmagick: Fix CVE-2016-5118.

From:	Leo Famulari
Subject:	01/01: gnu: graphicsmagick: Fix CVE-2016-5118.
Date:	Mon, 30 May 2016 03:46:39 +0000 (UTC)

lfam pushed a commit to branch master
in repository guix.

commit d8862778c1b334cefafb92cc88e158b2cdf82a76
Author: Leo Famulari <address@hidden>
Date:   Sun May 29 23:36:37 2016 -0400

    gnu: graphicsmagick: Fix CVE-2016-5118.
    
    * gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/imagemagick.scm (graphicsmagick): Use it.
---
 gnu/local.mk                                        |    1 +
 gnu/packages/imagemagick.scm                        |    1 +
 .../patches/graphicsmagick-CVE-2016-5118.patch      |   19 +++++++++++++++++++
 3 files changed, 21 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 00acfbc..8844d1d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -518,6 +518,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch          \
   %D%/packages/patches/gobject-introspection-girepository.patch        \
+  %D%/packages/patches/graphicsmagick-CVE-2016-5118.patch      \
   %D%/packages/patches/grep-timing-sensitive-test.patch                \
   %D%/packages/patches/grub-CVE-2015-8370.patch                        \
   %D%/packages/patches/grub-gets-undeclared.patch              \
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a7bbe0c..c356a47 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -160,6 +160,7 @@ script.")
              (uri (string-append "ftp://ftp.graphicsmagick.org/pub/";
                                  "GraphicsMagick/" (version-major+minor 
version)
                                  "/GraphicsMagick-" version ".tar.xz"))
+             (patches (search-patches "graphicsmagick-CVE-2016-5118.patch"))
              (sha256
               (base32
                "03g6l2h8cmf231y1vma0z7x85070jm1ysgs9ppqcd3jj56jka9gx"))))
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch 
b/gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch
new file mode 100644
index 0000000..ddd1ce9
--- /dev/null
+++ b/gnu/packages/patches/graphicsmagick-CVE-2016-5118.patch
@@ -0,0 +1,19 @@
+Fix CVE-2016-5118 (popen() shell vulnerability via filename).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118
+
+Upstream patch copied from the bug announcement:
+http://seclists.org/oss-sec/2016/q2/432
+https://marc.info/?l=oss-security&m=146455222600609&w=2
+
+diff -r 33200fc645f6 magick/blob.c
+--- a/magick/blob.c    Sat Nov 07 14:49:16 2015 -0600
++++ b/magick/blob.c    Sun May 29 14:12:57 2016 -0500
+@@ -68,6 +68,7 @@
+ */
+ #define DefaultBlobQuantum  65541
+ 
++#undef HAVE_POPEN
+ 
+ /*
+   Enum declarations.

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (b3d20b8 -> d886277), Leo Famulari, 2016/05/29
- 01/01: gnu: graphicsmagick: Fix CVE-2016-5118., Leo Famulari <=

Prev by Date: branch master updated (b3d20b8 -> d886277)
Next by Date: branch master updated (d886277 -> 0d567b5)
Previous by thread: branch master updated (b3d20b8 -> d886277)
Next by thread: branch master updated (d886277 -> 0d567b5)
Index(es):
- Date
- Thread