From c12b23469576fb1c3920120ef06b696daa30b855 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 15 Feb 2019 12:22:10 -0500
Subject: gnu: libgd: Fix CVE-2019-{6977,6978}.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd/fixed): New variable.
* gnu/packages/patches/gd-CVE-2019-6977.patch,
gnu/packages/patches/gd-CVE-2019-6978.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/packages/gd.scm | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'gnu/packages/gd.scm')

diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index a53a4f2c2f..c08c1f6758 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -39,6 +39,7 @@
 (define-public gd
   (package
     (name "gd")
+    (replacement gd/fixed)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
@@ -94,6 +95,16 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+(define-public gd/fixed
+  (hidden-package
+    (package
+      (inherit gd)
+      (source (origin
+                (inherit (package-source gd))
+                (patches (append (origin-patches (package-source gd))
+                                 (search-patches "gd-CVE-2019-6977.patch"
+                                                 "gd-CVE-2019-6978.patch"))))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
-- 
cgit v1.2.3