Include backports of libpng & harfbuzz updates ahead of 25.0.3

- Add JDK-8375063 libpng 1.6.54 ahead of 25.0.3 - Add JDK-8375057 harfbuzz 12.3.2 ahead of 25.0.3 - Add JDK-8377526 libpng 1.6.55 ahead of 25.0.3 - Bump libpng version to 1.6.55 following JDK-8375063 & JDK-8377526 - Bump harfbuzz version to 12.3.2 following JDK-8375057 Resolves: RHEL-146649 Resolves: RHEL-148327 Resolves: RHEL-148830
2026-03-03 01:26:31 +00:00 · 2026-03-03 01:26:31 +00:00 · b1b2f62915
commit b1b2f62915
parent b87969b5b6
4 changed files with 36499 additions and 3 deletions
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@ -1392,6 +1392,15 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 # JDK-8372534: Update Libpng to 1.6.51
 # Integrated in 25.0.3
 Patch2001: jdk8372534-libpng-1.6.51.patch
+# JDK-8375063: Update Libpng to 1.6.54
+# Integrated in 25.0.3
+Patch2002: jdk8375063-libpng-1.6.54.patch
+# JDK-8375057: Update HarfBuzz to 12.3.2
+# Integrated in 25.0.3
+Patch2003: jdk8375057-harfbuzz-12.3.2.patch
+# JDK-8377526: Update Libpng to 1.6.55
+# Integrated in 25.0.3
+Patch2004: jdk8377526-libpng-1.6.55.patch

 #############################################
 #
@ -1483,13 +1492,13 @@ Provides: bundled(freetype) = 2.13.3
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
 Provides: bundled(giflib) = 5.2.2
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 10.4.0
+Provides: bundled(harfbuzz) = 12.3.2
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.51
+Provides: bundled(libpng) = 1.6.55
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
 Provides: bundled(zlib) = 1.3.1
 %endif
@ -1925,8 +1934,11 @@ sh %{SOURCE12} %{top_level_dir_name}
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
 %patch -P1001 -p1
-# Add libpng update ahead of 25.0.3
+# Add libpng & harfbuzz updates ahead of 25.0.3
 %patch -P2001 -p1
+%patch -P2002 -p1
+%patch -P2003 -p1
+%patch -P2004 -p1
 popd # openjdk

 # Patch NSS adapter
@ -2604,7 +2616,15 @@ exit 0
 * Tue Mar 03 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-3
 - Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown
 - Fix FIPS issue list to represent the new 25u version
+- Add JDK-8375063 libpng 1.6.54 ahead of 25.0.3
+- Add JDK-8375057 harfbuzz 12.3.2 ahead of 25.0.3
+- Add JDK-8377526 libpng 1.6.55 ahead of 25.0.3
+- Bump libpng version to 1.6.55 following JDK-8375063 & JDK-8377526
+- Bump harfbuzz version to 12.3.2 following JDK-8375057
 - Resolves: RHEL-155000
+- Resolves: RHEL-146649
+- Resolves: RHEL-148327
+- Resolves: RHEL-148830

 * Wed Feb 18 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-2
 - Bump rpmrelease for CentOS build
--- a/jdk8375057-harfbuzz-12.3.2.patch
+++ b/jdk8375057-harfbuzz-12.3.2.patch
--- a/jdk8375063-libpng-1.6.54.patch
+++ b/jdk8375063-libpng-1.6.54.patch
--- a/jdk8377526-libpng-1.6.55.patch
+++ b/jdk8377526-libpng-1.6.55.patch
@ -0,0 +1,248 @@
+commit b64f9e043d63b113682ea395e5bd8df2a26327ef
+Author:     Sergey Bylokhov <serb@openjdk.org>
+AuthorDate: Mon Mar 2 18:56:22 2026 +0000
+Commit:     Sergey Bylokhov <serb@openjdk.org>
+CommitDate: Mon Mar 2 18:56:22 2026 +0000
+
+    8377526: Update Libpng to 1.6.55
+    
+    Backport-of: fd74232d5dc4c6bfbcddb82e1b2621289aa2f65a
+
+diff --git a/src/java.desktop/share/legal/libpng.md b/src/java.desktop/share/legal/libpng.md
+index 80d12248ec4..a2ffcca1974 100644
+--- a/src/java.desktop/share/legal/libpng.md
+++ b/src/java.desktop/share/legal/libpng.md
+@@ -1,4 +1,4 @@
+-## libpng v1.6.54
+## libpng v1.6.55
+ 
+ ### libpng License
+ <pre>
+@@ -170,6 +170,7 @@ ### AUTHORS File Information
+  * Guy Eric Schalnat
+  * James Yu
+  * John Bowler
+ * Joshua Inscoe
+  * Kevin Bracey
+  * Lucas Chollet
+  * Magnus Holmgren
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES b/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
+index 3bb1baecd23..af9fcff6eb3 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
+@@ -5988,7 +5988,7 @@ Version 1.6.32rc01 [August 18, 2017]
+ 
+ Version 1.6.32rc02 [August 22, 2017]
+   Added contrib/oss-fuzz directory which contains files used by the oss-fuzz
+-    project (https://github.com/google/oss-fuzz/tree/master/projects/libpng).
+    project <https://github.com/google/oss-fuzz/tree/master/projects/libpng>.
+ 
+ Version 1.6.32 [August 24, 2017]
+   No changes.
+@@ -6323,15 +6323,21 @@ Version 1.6.53 [December 5, 2025]
+ 
+ Version 1.6.54 [January 12, 2026]
+   Fixed CVE-2026-22695 (medium severity):
+-    Heap buffer over-read in `png_image_read_direct_scaled.
+    Heap buffer over-read in `png_image_read_direct_scaled`.
+     (Reported and fixed by Petr Simecek.)
+   Fixed CVE-2026-22801 (medium severity):
+     Integer truncation causing heap buffer over-read in `png_image_write_*`.
+   Implemented various improvements in oss-fuzz.
+     (Contributed by Philippe Antoine.)
+ 
+Version 1.6.55 [February 9, 2026]
+  Fixed CVE-2026-25646 (high severity):
+    Heap buffer overflow in `png_set_quantize`.
+    (Reported and fixed by Joshua Inscoe.)
+  Resolved an oss-fuzz build issue involving nalloc.
+    (Contributed by Philippe Antoine.)
+ 
+ Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
+ Subscription is required; visit
+-https://lists.sourceforge.net/lists/listinfo/png-mng-implement
+<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>
+ to subscribe.
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/README b/src/java.desktop/share/native/libsplashscreen/libpng/README
+index 63d1376edf7..6e0d1e33137 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/README
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/README
+@@ -1,4 +1,4 @@
+-README for libpng version 1.6.54
+README for libpng version 1.6.55
+ ================================
+ 
+ See the note about version numbers near the top of `png.h`.
+@@ -24,14 +24,14 @@ for more things than just PNG files.  You can use zlib as a drop-in
+ replacement for `fread()` and `fwrite()`, if you are so inclined.
+ 
+ zlib should be available at the same place that libpng is, or at
+-https://zlib.net .
+<https://zlib.net>.
+ 
+ You may also want a copy of the PNG specification.  It is available
+ as an RFC, a W3C Recommendation, and an ISO/IEC Standard.  You can find
+-these at http://www.libpng.org/pub/png/pngdocs.html .
+these at <http://www.libpng.org/pub/png/pngdocs.html>.
+ 
+-This code is currently being archived at https://libpng.sourceforge.io
+-in the download area, and at http://libpng.download/src .
+This code is currently being archived at <https://libpng.sourceforge.io>
+in the download area, and at <http://libpng.download/src>.
+ 
+ This release, based in a large way on Glenn's, Guy's and Andreas'
+ earlier work, was created and will be supported by myself and the PNG
+@@ -39,12 +39,12 @@ development group.
+ 
+ Send comments, corrections and commendations to `png-mng-implement`
+ at `lists.sourceforge.net`.  (Subscription is required; visit
+-https://lists.sourceforge.net/lists/listinfo/png-mng-implement
+<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>
+ to subscribe.)
+ 
+ Send general questions about the PNG specification to `png-mng-misc`
+ at `lists.sourceforge.net`.  (Subscription is required; visit
+-https://lists.sourceforge.net/lists/listinfo/png-mng-misc
+<https://lists.sourceforge.net/lists/listinfo/png-mng-misc>
+ to subscribe.)
+ 
+ Historical notes
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/png.c b/src/java.desktop/share/native/libsplashscreen/libpng/png.c
+index 5636b4a754e..955fda8dd7e 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/png.c
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/png.c
+@@ -42,7 +42,7 @@
+ #include "pngpriv.h"
+ 
+ /* Generate a compiler error if there is an old png.h in the search path. */
+-typedef png_libpng_version_1_6_54 Your_png_h_is_not_version_1_6_54;
+typedef png_libpng_version_1_6_55 Your_png_h_is_not_version_1_6_55;
+ 
+ /* Sanity check the chunks definitions - PNG_KNOWN_CHUNKS from pngpriv.h and the
+  * corresponding macro definitions.  This causes a compile time failure if
+@@ -849,7 +849,7 @@ png_get_copyright(png_const_structrp png_ptr)
+    return PNG_STRING_COPYRIGHT
+ #else
+    return PNG_STRING_NEWLINE \
+-      "libpng version 1.6.54" PNG_STRING_NEWLINE \
+      "libpng version 1.6.55" PNG_STRING_NEWLINE \
+       "Copyright (c) 2018-2026 Cosmin Truta" PNG_STRING_NEWLINE \
+       "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
+       PNG_STRING_NEWLINE \
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/png.h b/src/java.desktop/share/native/libsplashscreen/libpng/png.h
+index ab8876a9626..e95c0444399 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/png.h
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/png.h
+@@ -29,7 +29,7 @@
+  * However, the following notice accompanied the original version of this
+  * file and, per its terms, should not be removed:
+  *
+- * libpng version 1.6.54
+ * libpng version 1.6.55
+  *
+  * Copyright (c) 2018-2026 Cosmin Truta
+  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
+@@ -43,7 +43,7 @@
+  *   libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
+  *   libpng versions 0.97, January 1998, through 1.6.35, July 2018:
+  *     Glenn Randers-Pehrson
+- *   libpng versions 1.6.36, December 2018, through 1.6.54, January 2026:
+ *   libpng versions 1.6.36, December 2018, through 1.6.55, February 2026:
+  *     Cosmin Truta
+  *   See also "Contributing Authors", below.
+  */
+@@ -267,7 +267,7 @@
+  *    ...
+  *    1.5.30                  15    10530  15.so.15.30[.0]
+  *    ...
+- *    1.6.54                  16    10654  16.so.16.54[.0]
+ *    1.6.55                  16    10655  16.so.16.55[.0]
+  *
+  *    Henceforth the source version will match the shared-library major and
+  *    minor numbers; the shared-library major version number will be used for
+@@ -303,7 +303,7 @@
+  */
+ 
+ /* Version information for png.h - this should match the version in png.c */
+-#define PNG_LIBPNG_VER_STRING "1.6.54"
+#define PNG_LIBPNG_VER_STRING "1.6.55"
+ #define PNG_HEADER_VERSION_STRING " libpng version " PNG_LIBPNG_VER_STRING "\n"
+ 
+ /* The versions of shared library builds should stay in sync, going forward */
+@@ -314,7 +314,7 @@
+ /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
+ #define PNG_LIBPNG_VER_MAJOR   1
+ #define PNG_LIBPNG_VER_MINOR   6
+-#define PNG_LIBPNG_VER_RELEASE 54
+#define PNG_LIBPNG_VER_RELEASE 55
+ 
+ /* This should be zero for a public release, or non-zero for a
+  * development version.
+@@ -345,7 +345,7 @@
+  * From version 1.0.1 it is:
+  * XXYYZZ, where XX=major, YY=minor, ZZ=release
+  */
+-#define PNG_LIBPNG_VER 10654 /* 1.6.54 */
+#define PNG_LIBPNG_VER 10655 /* 1.6.55 */
+ 
+ /* Library configuration: these options cannot be changed after
+  * the library has been built.
+@@ -455,7 +455,7 @@ extern "C" {
+ /* This triggers a compiler error in png.c, if png.c and png.h
+  * do not agree upon the version number.
+  */
+-typedef char *png_libpng_version_1_6_54;
+typedef char *png_libpng_version_1_6_55;
+ 
+ /* Basic control structions.  Read libpng-manual.txt or libpng.3 for more info.
+  *
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h b/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
+index 959c604edbc..b957f8b5061 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
+@@ -29,7 +29,7 @@
+  * However, the following notice accompanied the original version of this
+  * file and, per its terms, should not be removed:
+  *
+- * libpng version 1.6.54
+ * libpng version 1.6.55
+  *
+  * Copyright (c) 2018-2026 Cosmin Truta
+  * Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h b/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
+index b413b510acf..ae1ab462072 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
+@@ -31,7 +31,7 @@
+  * However, the following notice accompanied the original version of this
+  * file and, per its terms, should not be removed:
+  */
+-/* libpng version 1.6.54 */
+/* libpng version 1.6.55 */
+ 
+ /* Copyright (c) 2018-2026 Cosmin Truta */
+ /* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */
+diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c b/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
+index 7680fe64828..fcce80da1cb 100644
+--- a/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
+@@ -29,7 +29,7 @@
+  * However, the following notice accompanied the original version of this
+  * file and, per its terms, should not be removed:
+  *
+- * Copyright (c) 2018-2025 Cosmin Truta
+ * Copyright (c) 2018-2026 Cosmin Truta
+  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
+  * Copyright (c) 1996-1997 Andreas Dilger
+  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
+@@ -737,8 +737,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+                          break;
+ 
+                      t->next = hash[d];
+-                     t->left = (png_byte)i;
+-                     t->right = (png_byte)j;
+                     t->left = png_ptr->palette_to_index[i];
+                     t->right = png_ptr->palette_to_index[j];
+                      hash[d] = t;
+                   }
+                }