giflib: 5.1.4 -> 5.2.1

5.1.5 says: Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine() in cgif.c. This had been assigned CVE-2018-11490. This *probably* also fixes a minor CVE-2019-15133 #68563 (DoS only). (I couldn't find a good reference quickly.) The changelogs are almost only bugfixes, and ABI tracker also looks OK: https://abi-laboratory.pro/?view=timeline&l=giflib so I gather this is suitable for direct push to nixpkgs staging-next. I built several reverse dependencies locally.
2019-09-14 19:08:38 +02:00 · 2019-09-14 19:08:38 +02:00 · 3605f12855
commit 3605f12855
parent 7d39ecdf58
1 changed files with 11 additions and 5 deletions
--- a/pkgs/development/libraries/giflib/5.1.nix
+++ b/pkgs/development/libraries/giflib/5.1.nix
@ -1,18 +1,24 @@
 {stdenv, fetchurl, xmlto, docbook_xml_dtd_412, docbook_xsl, libxml2 }:

-stdenv.mkDerivation {
-  name = "giflib-5.1.4";
+stdenv.mkDerivation rec {
+  name = "giflib-5.2.1";
  src = fetchurl {
-    url = mirror://sourceforge/giflib/giflib-5.1.4.tar.bz2;
-    sha256 = "1md83dip8rf29y40cm5r7nn19705f54iraz6545zhwa6y8zyq9yz";
+    url = "mirror://sourceforge/giflib/${name}.tar.gz";
+    sha256 = "1gbrg03z1b6rlrvjyc6d41bc8j1bsr7rm8206gb1apscyii5bnii";
  };

+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace 'PREFIX = /usr/local' 'PREFIX = ${builtins.placeholder "out"}'
+  '';
+
  buildInputs = [ xmlto docbook_xml_dtd_412 docbook_xsl libxml2 ];
+
  meta = {
    description = "A library for reading and writing gif images";
    platforms = stdenv.lib.platforms.unix;
    license = stdenv.lib.licenses.mit;
    maintainers = with stdenv.lib.maintainers; [ fuuzetsu ];
-    branch = "5.1";
+    branch = "5.2";
  };
 }