From 20df2ee697bb5057a476a926a363d71cc8944c84 Mon Sep 17 00:00:00 2001
From: John Kehayias <john.kehayias@protonmail.com>
Date: Wed, 4 Oct 2023 18:21:45 -0400
Subject: [PATCH] gnu: libxpm: Graft with 3.5.17 [security fixes].

Fixes CVE-2023-43788 and CVE-2023-43789.  See the X.Org security advisory
<https://lists.x.org/archives/xorg/2023-October/061506.html> for more
information.

* gnu/packages/xorg.scm (libxpm)[replacement]: New field, set to ...
(libxpm/fixed): ... this new variable.
---
 gnu/packages/xorg.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 519b2ae37b..4b3c96794d 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -36,6 +36,7 @@
 ;;; Copyright © 2021 Lu Hui <luhux76@gmail.com>
 ;;; Copyright © 2023 Zheng Junjie <873216071@qq.com>
 ;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1432,6 +1433,7 @@ treat it as part of their software base when porting.")
   (package
     (name "libxpm")
     (version "3.5.13")
+    (replacement libxpm/fixed)
     (source
       (origin
         (method url-fetch)
@@ -1455,6 +1457,21 @@ treat it as part of their software base when porting.")
     (description "XPM (X Pixmap) image file format library.")
     (license license:x11)))
 
+(define-public libxpm/fixed
+  (package
+    (inherit libxpm)
+    (version "3.5.17")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append
+               "mirror://xorg/individual/lib/libXpm-"
+               version
+               ".tar.xz"))
+        (sha256
+          (base32
+            "0hvf49qy55gwldpwpw7ihcmn5i2iinpjh2rbha63hzcy060izcv4"))))))
+
 (define-public libxres
   (package
     (name "libxres")