giflib: 5.2.1 -> 5.2.2, apply patch for CVE-2021-40633

Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633.

Changes:
https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS

+38 -20
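--- /dev/null
+++ b/pkgs/development/libraries/giflib/CVE-2021-40633.patch
@@ -0,0 +1,26 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+     DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+                    GifFile->SWidth, GifFile->SHeight);
+ 
++    for (i = 0; i < GifFile->SHeight; i++) {
++        (void)free(ScreenBuffer[i]);
++    }
+     (void)free(ScreenBuffer);
+ 
+     {
+-- 
+2.44.0
+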
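--- a/pkgs/development/libraries/giflib/default.nix
+++ b/pkgs/development/libraries/giflib/default.nix
@@ -4,31 +4,20 @@
 , fetchpatch
 , fixDarwinDylibNames
 , pkgsStatic
+, imagemagick_light
 }:
 
 stdenv.mkDerivation rec {
   pname = "giflib";
-  version = "5.2.1";
+  version = "5.2.2";
 
   src = fetchurl {
     url = "mirror://sourceforge/giflib/giflib-${version}.tar.gz";
-    sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii";
+    hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs=";
   };
 
   patches = [
-    (fetchpatch {
-      name = "CVE-2022-28506.patch";
-      url = "https://src.fedoraproject.org/rpms/giflib/raw/2e9917bf13df114354163f0c0211eccc00943596/f/CVE-2022-28506.patch";
-      sha256 = "sha256-TBemEXkuox8FdS9RvjnWcTWPaHRo4crcwSR9czrUwBY=";
-    })
-  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # https://sourceforge.net/p/giflib/bugs/133/
-    (fetchpatch {
-      name = "darwin-soname.patch";
-      url = "https://sourceforge.net/p/giflib/bugs/_discuss/thread/4e811ad29b/c323/attachment/Makefile.patch";
-      sha256 = "12afkqnlkl3n1hywwgx8sqnhp3bz0c5qrwcv8j9hifw1lmfhv67r";
-      extraPrefix = "./";
-    })
+    ./CVE-2021-40633.patch
   ] ++ lib.optionals stdenv.hostPlatform.isMinGW [
     # Build dll libraries.
     (fetchurl {
@@ -40,7 +29,9 @@
     ./mingw-install-exes.patch
   ];
 
-  nativeBuildInputs = lib.optionals stdenv.isDarwin [
+  nativeBuildInputs = [
+    imagemagick_light
+  ] ++ lib.optionals stdenv.isDarwin [
     fixDarwinDylibNames
   ];
 
@@ -50,10 +41,11 @@
 
   postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
     # Upstream build system does not support NOT building shared libraries.
-    sed -i '/all:/ s/libgif.so//' Makefile
-    sed -i '/all:/ s/libutil.so//' Makefile
-    sed -i '/-m 755 libgif.so/ d' Makefile
-    sed -i '/ln -sf libgif.so/ d' Makefile
+    sed -i '/all:/ s/$(LIBGIFSO)//' Makefile
+    sed -i '/all:/ s/$(LIBUTILSO)//' Makefile
+    sed -i '/-m 755 $(LIBGIFSO)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOVER)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOMAJOR)/ d' Makefile
   '';
 
   passthru.tests = {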
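Review bot: The vendored `./CVE-2021-40633.patch` added to the `patches` list carries no comment tying it to its origin or to the release that will make it obsolete, so the next updater cannot tell whether it is still needed; add above it `# Upstream commit ccbc956432650734c91acb3fc88837f7b81267ff (post-5.2.2); drop once a release contains it`, mirroring the bug-link comment the removed Darwin patch had. The `fetchpatch` argument on the first context line survives although both visible `fetchpatch` uses were deleted; if the MinGW block in the hidden old lines 24-28 does not use it either, it is now an unused input and should be removed. In the rewritten `postPatch` sed calls, `s/$(LIBGIFSO)//` relies on GNU sed treating a non-trailing `$` as a literal character; writing `\$(LIBGIFSO)` (and likewise in the `/ d` patterns) would make that intent explicit and not depend on the sed implementation. The `postPatch` string and the derivation continue past the last hunk.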