From 23f33de151368f52832fd96048b342bd1a6e8c74 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Tue, 3 Mar 2020 09:21:17 +0200
Subject: gnu: librsvg: Fix CVE-2019-20446.

* gnu/packages/gnome.scm (librsvg)[replacement]: New field.
(librsvg/fixed): New private variable.
---
 gnu/packages/gnome.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'gnu/packages/gnome.scm')

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index ff262d1fa8..7cfe35d3f0 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -2074,6 +2074,7 @@ dealing with different structured file formats.")
 
 (define-public librsvg
   (package
+    (replacement "librsvg/fixed")
     (name "librsvg")
     (version "2.40.20")
     (source (origin
@@ -2138,6 +2139,20 @@ dealing with different structured file formats.")
 library.")
     (license license:lgpl2.0+)))
 
+(define librsvg/fixed
+  (package
+    (inherit librsvg)
+    (name "librsvg")
+    (version "2.40.21")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnome/sources/" name "/"
+                                  (version-major+minor version)  "/"
+                                  name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1fljkag2gr7c4k5mn798lgf9903xslz8h51bgvl89nnay42qjqpp"))))))
+
 (define* (computed-origin-method gexp-promise hash-algo hash
                                  #:optional (name "source")
                                  #:key (system (%current-system))
-- 
cgit v1.2.3