giflib: 5.2.1 -> 5.2.2, apply patch for CVE-2021-40633

Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633. Changes: https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS
2024-03-01 22:04:28 +01:00 · 2024-03-01 22:04:28 +01:00 · ce852b43b0
commit ce852b43b0
parent e87b3a7d6e
2 changed files with 38 additions and 20 deletions
--- a/pkgs/development/libraries/giflib/CVE-2021-40633.patch
+++ b/pkgs/development/libraries/giflib/CVE-2021-40633.patch
@ -0,0 +1,26 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
+++ b/gif2rgb.c
+@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+ 
+	for (i = 0; i < GifFile->SHeight; i++) {
+        	(void)free(ScreenBuffer[i]);
+	}
+ 	(void)free(ScreenBuffer);
+ 
+ 	{
+-- 
+2.44.0
+
--- a/pkgs/development/libraries/giflib/default.nix
+++ b/pkgs/development/libraries/giflib/default.nix
@ -4,31 +4,20 @@
 , fetchpatch
 , fixDarwinDylibNames
 , pkgsStatic
+, imagemagick_light
 }:

 stdenv.mkDerivation rec {
  pname = "giflib";
-  version = "5.2.1";
+  version = "5.2.2";

  src = fetchurl {
    url = "mirror://sourceforge/giflib/giflib-${version}.tar.gz";
-    sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii";
+    hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs=";
  };

  patches = [
-    (fetchpatch {
-      name = "CVE-2022-28506.patch";
-      url = "https://src.fedoraproject.org/rpms/giflib/raw/2e9917bf13df114354163f0c0211eccc00943596/f/CVE-2022-28506.patch";
-      sha256 = "sha256-TBemEXkuox8FdS9RvjnWcTWPaHRo4crcwSR9czrUwBY=";
-    })
-  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # https://sourceforge.net/p/giflib/bugs/133/
-    (fetchpatch {
-      name = "darwin-soname.patch";
-      url = "https://sourceforge.net/p/giflib/bugs/_discuss/thread/4e811ad29b/c323/attachment/Makefile.patch";
-      sha256 = "12afkqnlkl3n1hywwgx8sqnhp3bz0c5qrwcv8j9hifw1lmfhv67r";
-      extraPrefix = "./";
-    })
+    ./CVE-2021-40633.patch
  ] ++ lib.optionals stdenv.hostPlatform.isMinGW [
    # Build dll libraries.
    (fetchurl {
@ -40,7 +29,9 @@ stdenv.mkDerivation rec {
    ./mingw-install-exes.patch
  ];

-  nativeBuildInputs = lib.optionals stdenv.isDarwin [
+  nativeBuildInputs = [
+    imagemagick_light
+  ] ++ lib.optionals stdenv.isDarwin [
    fixDarwinDylibNames
  ];

@ -50,10 +41,11 @@ stdenv.mkDerivation rec {

  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
    # Upstream build system does not support NOT building shared libraries.
-    sed -i '/all:/ s/libgif.so//' Makefile
-    sed -i '/all:/ s/libutil.so//' Makefile
-    sed -i '/-m 755 libgif.so/ d' Makefile
-    sed -i '/ln -sf libgif.so/ d' Makefile
+    sed -i '/all:/ s/$(LIBGIFSO)//' Makefile
+    sed -i '/all:/ s/$(LIBUTILSO)//' Makefile
+    sed -i '/-m 755 $(LIBGIFSO)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOVER)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOMAJOR)/ d' Makefile
  '';

  passthru.tests = {