This applies from a patch from imlib2's source code repository. The change fixes an integer overflow on 32-bit machines. The upstream says:
Security implications: *) for 32-bit machines: insufficient heap allocation and heap overwrite in many image loaders, with escalation potential to remote code execution; *) for 64-bit machines: it seems, no impact. In the patch file, there are references to imlib2's source repo and the CVE page on Mitre. I tested that feh and scrot still work with this change. Leo Famulari (2): gnu: imlib2: Update to 1.4.8. gnu: imlib2: Fix CVE-2016-4024. gnu-system.am | 1 + gnu/packages/image.scm | 5 ++- gnu/packages/patches/imlib2-CVE-2016-4024.patch | 52 +++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/imlib2-CVE-2016-4024.patch -- 2.7.4
