From ced98c7e89a22c551dd23acd7a1b4f861958d876 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 9 Sep 2018 17:48:24 -0400
Subject: gnu: libgd: Fix CVE-2018-{5711,1000222}.

* gnu/packages/patches/gd-CVE-2018-1000222.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gd.scm (gd/fixed): New variable.
* gnu/packages/php.scm (gd-for-php)[source]: Use 'gd-CVE-2018-1000222.patch'.
---
 gnu/packages/gd.scm | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'gnu/packages/gd.scm')

diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index c374695524..327a1f1545 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -39,6 +39,7 @@
 (define-public gd
   (package
     (name "gd")
+    (replacement gd/fixed)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
@@ -91,6 +92,16 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+(define-public gd/fixed
+  (hidden-package
+    (package
+      (inherit gd)
+      (source (origin
+                (inherit (package-source gd))
+                (patches (append (origin-patches (package-source gd))
+                                 (search-patches "gd-CVE-2018-5711.patch"
+                                                 "gd-CVE-2018-1000222.patch"))))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
-- 
cgit v1.2.3