From bab9a8ba0f285a811b7b36291bdc3db33b6c2b60 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Thu, 20 Apr 2017 15:10:54 -0400
Subject: gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs.
* gnu/packages/fontutils.scm (graphite2)[replacement]: New field. (graphite2/fixed): New variable.
* gnu/packages/patches/graphite2-CVE-2017-5436.patch, gnu/packages/patches/graphite2-check-code-point-limit.patch, gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch, gnu/packages/patches/graphite2-non-linear-classes-even-number.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/packages/fontutils.scm | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'gnu/packages/fontutils.scm')
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 7e7234960d..cc6d1df597 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -376,6 +376,7 @@ applications should be.")
 (package
 (name "graphite2")
 (version "1.3.9")
+ (replacement graphite2/fixed)
 (source
 (origin
 (method url-fetch)
@@ -400,6 +401,27 @@ and returns a sequence of positioned glyphids from the font.")
 (license license:lgpl2.1+)
 (home-page "https://github.com/silnrsi/graphite")))
 
+(define graphite2/fixed
+ (package
+ (inherit graphite2)
+ (name "graphite2")
+ (version "1.3.9")
+ (replacement #f)
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/silnrsi/graphite/releases/"
+ "download/" version "/" name "-" version ".tgz"))
+ (patches (search-patches
+ "graphite2-ffloat-store.patch"
+ "graphite2-check-code-point-limit.patch"
+ "graphite2-CVE-2017-5436.patch"
+ "graphite2-fix-32-bit-wrap-arounds.patch"
+ "graphite2-non-linear-classes-even-number.patch"))
+ (sha256
+ (base32
+ "0rs5h7m340z75kygx8d72cps0q6yvvqa9i788vym7585cfv8a0gc"))))))
+
 (define-public potrace
 (package
 (name "potrace")
-- 
cgit v1.2.3
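Review bot: In the second hunk, `graphite2/fixed` restates `name`, `version` and the whole `origin` (URI and base32 hash) even though it already has `(inherit graphite2)`, so the grafted source can drift from the base package if only one copy is edited later. Inheriting the origin and overriding only the patch list would leave a single hash to audit, for example `(source (origin (inherit (package-source graphite2)) (patches (search-patches …))))` with the five patch names kept as they are. A short comment above the definition, such as `;; Graft carrying the CVE-2017-5436 fix and related fixes; drop when graphite2 is updated.`, would tell the next maintainer why the replacement exists. The base package's own `origin` lies outside both hunks, so it is only presumed that its URI and hash are the ones repeated here. The patch files are not shown either (the diff is limited to fontutils.scm), so their content cannot be checked from this page.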