giflib: 5.2.1 -> 5.2.2, apply patch for CVE-2021-40633

Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633. Changes: https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS
NixOS · Mar 1, 2024 · ce852b4 · ce852b4
1 parent e87b3a7
commit ce852b4
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 20 deletions.
diff --git a/pkgs/development/libraries/giflib/CVE-2021-40633.patch b/pkgs/development/libraries/giflib/CVE-2021-40633.patch
@@ -0,0 +1,26 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+
++	for (i = 0; i < GifFile->SHeight; i++) {
++        	(void)free(ScreenBuffer[i]);
++	}
+ 	(void)free(ScreenBuffer);
+
+ 	{
+-- 
+2.44.0
+
diff --git a/pkgs/development/libraries/giflib/default.nix b/pkgs/development/libraries/giflib/default.nix
@@ -4,31 +4,20 @@
 , fetchpatch
 , fixDarwinDylibNames
 , pkgsStatic
+, imagemagick_light
 }:
 
 stdenv.mkDerivation rec {
   pname = "giflib";
-  version = "5.2.1";
+  version = "5.2.2";
 
   src = fetchurl {
     url = "mirror://sourceforge/giflib/giflib-${version}.tar.gz";
-    sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii";
+    hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs=";
   };
 
   patches = [
-    (fetchpatch {
-      name = "CVE-2022-28506.patch";
-      url = "https://src.fedoraproject.org/rpms/giflib/raw/2e9917bf13df114354163f0c0211eccc00943596/f/CVE-2022-28506.patch";
-      sha256 = "sha256-TBemEXkuox8FdS9RvjnWcTWPaHRo4crcwSR9czrUwBY=";
-    })
-  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # https://sourceforge.net/p/giflib/bugs/133/
-    (fetchpatch {
-      name = "darwin-soname.patch";
-      url = "https://sourceforge.net/p/giflib/bugs/_discuss/thread/4e811ad29b/c323/attachment/Makefile.patch";
-      sha256 = "12afkqnlkl3n1hywwgx8sqnhp3bz0c5qrwcv8j9hifw1lmfhv67r";
-      extraPrefix = "./";
-    })
+    ./CVE-2021-40633.patch
   ] ++ lib.optionals stdenv.hostPlatform.isMinGW [
     # Build dll libraries.
     (fetchurl {
@@ -40,7 +29,9 @@ stdenv.mkDerivation rec {
     ./mingw-install-exes.patch
   ];
 
-  nativeBuildInputs = lib.optionals stdenv.isDarwin [
+  nativeBuildInputs = [
+    imagemagick_light
+  ] ++ lib.optionals stdenv.isDarwin [
     fixDarwinDylibNames
   ];
 
@@ -50,10 +41,11 @@ stdenv.mkDerivation rec {
 
   postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
     # Upstream build system does not support NOT building shared libraries.
-    sed -i '/all:/ s/libgif.so//' Makefile
-    sed -i '/all:/ s/libutil.so//' Makefile
-    sed -i '/-m 755 libgif.so/ d' Makefile
-    sed -i '/ln -sf libgif.so/ d' Makefile
+    sed -i '/all:/ s/$(LIBGIFSO)//' Makefile
+    sed -i '/all:/ s/$(LIBUTILSO)//' Makefile
+    sed -i '/-m 755 $(LIBGIFSO)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOVER)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOMAJOR)/ d' Makefile
   '';
 
   passthru.tests = {