From 3ceadb632d463a89b16cb15e9446dbb18ca1736b Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Thu, 7 May 2026 16:33:05 -0400 Subject: [PATCH] import Oracle_OSS libpng-1.6.40-8.el10_1.3 --- libpng-1.6-CVE-2026-33636.patch | 60 +++++++++++++++++++++++++++++++++ libpng.spec | 9 ++++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 libpng-1.6-CVE-2026-33636.patch diff --git a/libpng-1.6-CVE-2026-33636.patch b/libpng-1.6-CVE-2026-33636.patch new file mode 100644 index 0000000..25617bc --- /dev/null +++ b/libpng-1.6-CVE-2026-33636.patch @@ -0,0 +1,60 @@ +diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c +index 3068e9b6e6..f3355bef59 100644 +--- a/arm/palette_neon_intrinsics.c ++++ b/arm/palette_neon_intrinsics.c +@@ -79,7 +79,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, + */ + *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1); + +- for (i = 0; i < row_width; i += pixels_per_chunk) ++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) + { + uint32x4_t cur; + png_bytep sp = *ssp - i, dp = *ddp - (i << 2); +@@ -89,13 +89,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, + cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3); + vst1q_u32((void *)dp, cur); + } +- if (i != row_width) +- { +- /* Remove the amount that wasn't processed. */ +- i -= pixels_per_chunk; +- } + +- /* Decrement output pointers. */ ++ /* Undo the pre-adjustment of *ddp before the pointer handoff, ++ * so the scalar fallback in pngrtran.c receives a dp that points ++ * to the correct position. ++ */ ++ *ddp = *ddp + (pixels_per_chunk * 4 - 1); + *ssp = *ssp - i; + *ddp = *ddp - (i << 2); + return i; +@@ -120,7 +119,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, + /* Seeking this back by 8 pixels x 3 bytes. */ + *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1); + +- for (i = 0; i < row_width; i += pixels_per_chunk) ++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) + { + uint8x8x3_t cur; + png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i); +@@ -135,13 +134,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, + vst3_u8((void *)dp, cur); + } + +- if (i != row_width) +- { +- /* Remove the amount that wasn't processed. */ +- i -= pixels_per_chunk; +- } +- +- /* Decrement output pointers. */ ++ /* Undo the pre-adjustment of *ddp before the pointer handoff, ++ * so the scalar fallback in pngrtran.c receives a dp that points ++ * to the correct position. ++ */ ++ *ddp = *ddp + (pixels_per_chunk * 3 - 1); + *ssp = *ssp - i; + *ddp = *ddp - ((i << 1) + i); + return i; diff --git a/libpng.spec b/libpng.spec index 5321f9a..1323df7 100644 --- a/libpng.spec +++ b/libpng.spec @@ -4,7 +4,7 @@ Summary: A library of functions for manipulating PNG image format files Name: libpng Epoch: 2 Version: 1.6.40 -Release: 8%{?dist}.2 +Release: 8%{?dist}.3 License: zlib URL: http://www.libpng.org/pub/png/ @@ -39,6 +39,9 @@ Patch9: libpng-1.6-cve-2026-22801.patch # from upstream, for <1.6.55, RHEL-148325 # https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 Patch10: libpng-1.6-cve-2026-25646.patch +# from upstream, for <1.6.56, RHEL-161208 +# https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3 +Patch11: libpng-1.6-CVE-2026-33636.patch BuildRequires: gcc BuildRequires: zlib-devel @@ -100,6 +103,7 @@ cp -p %{SOURCE1} . %patch -P 8 -p1 -b .cve-2026-22695 %patch -P 9 -p1 -b .cve-2026-22801 %patch -P 10 -p1 -b .cve-2026-25646 +%patch -P 11 -p1 -b .CVE-2026-33636 %build autoreconf -vif @@ -140,6 +144,9 @@ make check %{_bindir}/pngfix %changelog +* Mon Apr 27 2026 Michal Hlavinka - 2:1.6.40-8.3 +- fix CVE-2026-33636: out-of-bounds R/W in the palette expansion on ARM Neon (RHEL-161208) + * Sat Feb 21 2026 Michal Hlavinka - 2:1.6.40-8.2 - fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148323) - fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148818)