[bug#27937] Update php to 7.1.8

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#27937] Update php to 7.1.8

From:	Julien Lepiller
Subject:	[bug#27937] Update php to 7.1.8
Date:	Fri, 04 Aug 2017 08:30:08 +0200
User-agent:	K-9 Mail for Android


Le 4 août 2017 00:20:10 GMT+02:00, Leo Famulari <address@hidden> a écrit :
>On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote:
>> Hi,
>> 
>> a new version of php has been released. Here is a patch to update it.
>
>> From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00
>2001
>> From: Julien Lepiller <address@hidden>
>> Date: Thu, 3 Aug 2017 20:14:56 +0200
>> Subject: [PATCH] gnu: php: Update to 7.1.8.
>> 
>> * gnu/packages/patches/gd-CVE-2017-7890.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it
>> * gnu/packages/php.scm (php): Update to 7.1.8.
>
>Thanks! Overall LGTM.
>
>Could this close <https://bugs.gnu.org/27808>?
>

I think it does

>> diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch
>b/gnu/packages/patches/gd-CVE-2017-7890.patch
>> new file mode 100644
>> index 000000000..743fc6d3d
>> --- /dev/null
>> +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch
>> @@ -0,0 +1,30 @@
>> +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00
>2001
>> +From: LEPILLER Julien <address@hidden>
>> +Date: Thu, 3 Aug 2017 17:04:17 +0200
>> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized
>memory.
>> +
>> +The stack allocated color map buffers were not zeroed before usage,
>and
>> +so undefined palette indexes could cause information leakage.
>> +
>> +This is CVE-2017-7890.
>
>Would this patch be valuable for the "regular" gd package as well, or
>is
>it specific to gd-for-php?

It could be used for gd, but I think it would trigger a lot of rebuilds. I'm 
not confident with how the graft mechanism works, so I would need some help.

>
>> +(define gd-for-php
>> +  (package
>> +    (inherit gd)
>> +    (source (origin
>> +             (inherit (package-source gd))
>> +             (patches (search-patches "gd-fix-gd2-read-test.patch"
>> +                                      "gd-fix-tests-on-i686.patch"
>> +                                     
>"gd-freetype-test-failure.patch"
>> +                                     
>"gd-php-73968-Fix-109-XBM-reading.patch"
>> +                                  "gd-CVE-2017-7890.patch"))))))
>                                      ^  
>                               This indentation is too far to the left.

Arg... those are tabs I guess. Thanks for the review! I will push it this 
evening if everything is ok.

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#27937] Update php to 7.1.8, Julien Lepiller, 2017/08/03
- [bug#27937] Update php to 7.1.8, Leo Famulari, 2017/08/03
  - [bug#27937] Update php to 7.1.8, Julien Lepiller <=
    - [bug#27937] Update php to 7.1.8, Leo Famulari, 2017/08/04
    - [bug#27937] Update php to 7.1.8, Julien Lepiller, 2017/08/05

Prev by Date: bug#27938: [PATCH] gnu: git: Enable tests.
Next by Date: [bug#27944] perl-net-psyc: Update to 1.2
Previous by thread: [bug#27937] Update php to 7.1.8
Next by thread: [bug#27937] Update php to 7.1.8
Index(es):
- Date
- Thread