From a92a94f5675ddd856eb54bf0d6498766e45d4195 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Mon, 20 Nov 2023 22:30:14 +0100
Subject: [PATCH] optipng: 0.7.7 -> 0.7.8
Fixes CVE-2023-43907.
Changelog:
```
* Upgraded libpng to version 1.6.40.
* Upgraded zlib to version 1.3-optipng.
* Upgraded cexcept to version 2.0.2-optipng.
!! Fixed a global-buffer-overflow vulnerability in the GIF reader. [Reported by Zeng Yunxiang; fixed by Thomas Hurst]
! Fixed a stack-print-after-scope defect in the error handler.
! Fixed an assertion failure in the image reduction module.
! Fixed the command-line wildargs expansion in the Windows port.
* Raised the minimum required libpng version from 1.2.9 to 1.6.35.
* Raised the minimum required zlib version from 1.2.1 to 1.2.8.
* Refactored the structured exception handling.
```
https://optipng.sourceforge.net/history.txt
---
 pkgs/tools/graphics/optipng/default.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkgs/tools/graphics/optipng/default.nix b/pkgs/tools/graphics/optipng/default.nix
index 3e9127a9a9ae..2f70dec897c0 100644
--- a/pkgs/tools/graphics/optipng/default.nix
+++ b/pkgs/tools/graphics/optipng/default.nix
@@ -6,22 +6,26 @@ stdenv.mkDerivation rec {
 pname = "optipng";
- version = "0.7.7";
+ version = "0.7.8";
 src = fetchurl {
 url = "mirror://sourceforge/optipng/optipng-${version}.tar.gz";
- sha256 = "0lj4clb851fzpaq446wgj0sfy922zs5l5misbpwv6w7qrqrz4cjg";
+ hash = "sha256-JaO9aEgfIVAsyqD0wT+E3PayAzjkxOjFHyzvvYUTOYw=";
 };
 buildInputs = [ libpng ];
- LDFLAGS = lib.optional static "-static";
 # Workaround for crash in cexcept.h. See
 # https://github.com/NixOS/nixpkgs/issues/28106
 preConfigure = '' export LD=$CC '';
+ # OptiPNG does not like --static, --build or --host
+ dontDisableStatic = true;
+ dontAddStaticConfigureFlags = true;
+ configurePlatforms = [ ];
+ configureFlags = [ "--with-system-zlib" "--with-system-libpng"