gnu: gdk-pixbuf: Replace with 2.36.10.

Fixes CVE-2017-2862, CVE-2017-2870 and CVE-2017-6311. * gnu/packages/gtk.scm (gdk-pixbuf, gdk-pixbuf+svg)[replacement]: New field. (gdk-pixbuf-2.36.10, gdk-pixbuf+svg-2.36.10): New variables.
2017-09-18 22:22:27 +02:00 · 2017-09-18 22:22:27 +02:00 · ad472397bc
parent dc4ffa6766
commit ad472397bc
1 changed files with 22 additions and 0 deletions
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@ -427,6 +427,7 @@ (define-public gtksourceview
 (define-public gdk-pixbuf
  (package
   (name "gdk-pixbuf")
+   (replacement gdk-pixbuf-2.36.10)
   (version "2.36.6")
   (source (origin
            (method url-fetch)
@ -483,6 +484,7 @@ (define-public gdk-pixbuf
 (define-public gdk-pixbuf+svg
  (package (inherit gdk-pixbuf)
    (name "gdk-pixbuf+svg")
+    (replacement gdk-pixbuf+svg-2.36.10)
    (inputs
     `(("librsvg" ,librsvg)
       ,@(package-inputs gdk-pixbuf)))
@ -506,6 +508,26 @@ (define-public gdk-pixbuf+svg
    (synopsis
     "GNOME image loading and manipulation library, with SVG support")))

+;; Graft replacement packages to fix these vulnerabilities.
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2862
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2870
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6311
+(define-public gdk-pixbuf-2.36.10
+  (package (inherit gdk-pixbuf)
+           (version "2.36.A")
+           (source (origin
+                     (method url-fetch)
+                     (uri (string-append "mirror://gnome/sources/gdk-pixbuf/2.36/"
+                                         "gdk-pixbuf-2.36.10.tar.xz"))
+                     (sha256
+                      (base32
+                       "1klsjkdbashd8yb8xjsc9ff3bz32n2id5s79nrrmqiw9df4zmxpq"))))))
+
+(define-public gdk-pixbuf+svg-2.36.10
+  (package (inherit gdk-pixbuf+svg)
+           (version "2.36.A")
+           (source (origin (inherit (package-source gdk-pixbuf-2.36.10))))))
+
 (define-public at-spi2-core
  (package
   (name "at-spi2-core")