From ce852b43b0611897874a689cd0d534b7a6bf5594 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Fri, 1 Mar 2024 22:04:28 +0100
Subject: giflib: 5.2.1 -> 5.2.2, apply patch for CVE-2021-40633

Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633.

Changes:
https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS
---
 .../libraries/giflib/CVE-2021-40633.patch          | 26 ++++++++++++++++++
 pkgs/development/libraries/giflib/default.nix      | 32 ++++++++--------------
 2 files changed, 38 insertions(+), 20 deletions(-)
 create mode 100644 pkgs/development/libraries/giflib/CVE-2021-40633.patch

(limited to 'pkgs/development')

diff --git a/pkgs/development/libraries/giflib/CVE-2021-40633.patch b/pkgs/development/libraries/giflib/CVE-2021-40633.patch
new file mode 100644
index 000000000000..8a665bb1638b
--- /dev/null
+++ b/pkgs/development/libraries/giflib/CVE-2021-40633.patch
@@ -0,0 +1,26 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+ 
++	for (i = 0; i < GifFile->SHeight; i++) {
++        	(void)free(ScreenBuffer[i]);
++	}
+ 	(void)free(ScreenBuffer);
+ 
+ 	{
+-- 
+2.44.0
+
diff --git a/pkgs/development/libraries/giflib/default.nix b/pkgs/development/libraries/giflib/default.nix
index 8c8a587ed548..486aebf6703a 100644
--- a/pkgs/development/libraries/giflib/default.nix
+++ b/pkgs/development/libraries/giflib/default.nix
@@ -4,31 +4,20 @@
 , fetchpatch
 , fixDarwinDylibNames
 , pkgsStatic
+, imagemagick_light
 }:
 
 stdenv.mkDerivation rec {
   pname = "giflib";
-  version = "5.2.1";
+  version = "5.2.2";
 
   src = fetchurl {
     url = "mirror://sourceforge/giflib/giflib-${version}.tar.gz";
-    sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii";
+    hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs=";
   };
 
   patches = [
-    (fetchpatch {
-      name = "CVE-2022-28506.patch";
-      url = "https://src.fedoraproject.org/rpms/giflib/raw/2e9917bf13df114354163f0c0211eccc00943596/f/CVE-2022-28506.patch";
-      sha256 = "sha256-TBemEXkuox8FdS9RvjnWcTWPaHRo4crcwSR9czrUwBY=";
-    })
-  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # https://sourceforge.net/p/giflib/bugs/133/
-    (fetchpatch {
-      name = "darwin-soname.patch";
-      url = "https://sourceforge.net/p/giflib/bugs/_discuss/thread/4e811ad29b/c323/attachment/Makefile.patch";
-      sha256 = "12afkqnlkl3n1hywwgx8sqnhp3bz0c5qrwcv8j9hifw1lmfhv67r";
-      extraPrefix = "./";
-    })
+    ./CVE-2021-40633.patch
   ] ++ lib.optionals stdenv.hostPlatform.isMinGW [
     # Build dll libraries.
     (fetchurl {
@@ -40,7 +29,9 @@ stdenv.mkDerivation rec {
     ./mingw-install-exes.patch
   ];
 
-  nativeBuildInputs = lib.optionals stdenv.isDarwin [
+  nativeBuildInputs = [
+    imagemagick_light
+  ] ++ lib.optionals stdenv.isDarwin [
     fixDarwinDylibNames
   ];
 
@@ -50,10 +41,11 @@ stdenv.mkDerivation rec {
 
   postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
     # Upstream build system does not support NOT building shared libraries.
-    sed -i '/all:/ s/libgif.so//' Makefile
-    sed -i '/all:/ s/libutil.so//' Makefile
-    sed -i '/-m 755 libgif.so/ d' Makefile
-    sed -i '/ln -sf libgif.so/ d' Makefile
+    sed -i '/all:/ s/$(LIBGIFSO)//' Makefile
+    sed -i '/all:/ s/$(LIBUTILSO)//' Makefile
+    sed -i '/-m 755 $(LIBGIFSO)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOVER)/ d' Makefile
+    sed -i '/ln -sf $(LIBGIFSOMAJOR)/ d' Makefile
   '';
 
   passthru.tests = {
-- 
cgit 1.4.1


From fac842bb7abdb0ad0fb215f69a95c32ec9e9eea9 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Fri, 1 Mar 2024 22:04:49 +0100
Subject: giflib: drop unused 4.1.nix

---
 pkgs/development/libraries/giflib/4.1.nix | 21 ---------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 pkgs/development/libraries/giflib/4.1.nix

(limited to 'pkgs/development')

diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix
deleted file mode 100644
index 8f3ebcf7d3be..000000000000
--- a/pkgs/development/libraries/giflib/4.1.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{lib, stdenv, fetchurl}:
-
-stdenv.mkDerivation rec {
-  pname = "giflib";
-  version = "4.1.6";
-
-  src = fetchurl {
-    url = "mirror://sourceforge/giflib/giflib-${version}.tar.bz2";
-    sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1";
-  };
-
-  hardeningDisable = [ "format" ];
-
-  meta = with lib; {
-    description = "A library for reading and writing gif images";
-    branch = "4.1";
-    license = licenses.mit;
-    platforms = platforms.unix;
-  };
-}
-
-- 
cgit 1.4.1