Commit a92a94f5 authored by Thomas Gerbet's avatar Thomas Gerbet
Browse files

optipng: 0.7.7 -> 0.7.8 

Fixes CVE-2023-43907.

Changelog:
```
 * Upgraded libpng to version 1.6.40.
 * Upgraded zlib to version 1.3-optipng.
 * Upgraded cexcept to version 2.0.2-optipng.
!! Fixed a global-buffer-overflow vulnerability in the GIF reader.
   [Reported by Zeng Yunxiang; fixed by Thomas Hurst]
 ! Fixed a stack-print-after-scope defect in the error handler.
 ! Fixed an assertion failure in the image reduction module.
 ! Fixed the command-line wildargs expansion in the Windows port.
 * Raised the minimum required libpng version from 1.2.9 to 1.6.35.
 * Raised the minimum required zlib version from 1.2.1 to 1.2.8.
 * Refactored the structured exception handling.
```

https://optipng.sourceforge.net/history.txt
parent ddb2b536

pkgs/tools/graphics/optipng/default.nix

+7 −3
Original line number Diff line number Diff line
@@ -6,22 +6,26 @@ 


stdenv.mkDerivation rec {

  pname = "optipng";

  version = "0.7.7";

  version = "0.7.8";



  src = fetchurl {

    url = "mirror://sourceforge/optipng/optipng-${version}.tar.gz";

    sha256 = "0lj4clb851fzpaq446wgj0sfy922zs5l5misbpwv6w7qrqrz4cjg";

    hash = "sha256-JaO9aEgfIVAsyqD0wT+E3PayAzjkxOjFHyzvvYUTOYw=";

  };



  buildInputs = [ libpng ];



  LDFLAGS = lib.optional static "-static";

  # Workaround for crash in cexcept.h. See

  # https://github.com/NixOS/nixpkgs/issues/28106

  preConfigure = ''

    export LD=$CC

  '';



  # OptiPNG does not like --static, --build or --host

  dontDisableStatic = true;

  dontAddStaticConfigureFlags = true;

  configurePlatforms = [ ];



  configureFlags = [

    "--with-system-zlib"

    "--with-system-libpng"