From 66cfff00a438170fb613a2d8951aa033c4200b37 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 7 Jan 2026 14:32:40 +0000 Subject: [PATCH] import UBI libpng-1.6.37-12.el9_7.1 --- SOURCES/libpng-1.6-CVE-2025-64720.patch | 69 ++++++++++ SOURCES/libpng-1.6-CVE-2025-65018_p1of2.patch | 25 ++++ SOURCES/libpng-1.6-CVE-2025-65018_p2of2.patch | 130 ++++++++++++++++++ SOURCES/libpng-1.6-CVE-2025-66293_p1of2.patch | 21 +++ SOURCES/libpng-1.6-CVE-2025-66293_p2of2.patch | 88 ++++++++++++ SPECS/libpng.spec | 29 +++- 6 files changed, 359 insertions(+), 3 deletions(-) create mode 100644 SOURCES/libpng-1.6-CVE-2025-64720.patch create mode 100644 SOURCES/libpng-1.6-CVE-2025-65018_p1of2.patch create mode 100644 SOURCES/libpng-1.6-CVE-2025-65018_p2of2.patch create mode 100644 SOURCES/libpng-1.6-CVE-2025-66293_p1of2.patch create mode 100644 SOURCES/libpng-1.6-CVE-2025-66293_p2of2.patch diff --git a/SOURCES/libpng-1.6-CVE-2025-64720.patch b/SOURCES/libpng-1.6-CVE-2025-64720.patch new file mode 100644 index 0000000..0f29d7e --- /dev/null +++ b/SOURCES/libpng-1.6-CVE-2025-64720.patch @@ -0,0 +1,69 @@ +diff --git a/pngrtran.c b/pngrtran.c +index 548780030a..2f52022551 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1781,19 +1781,51 @@ png_init_read_transformations(png_structrp png_ptr) + } + else /* if (png_ptr->trans_alpha[i] != 0xff) */ + { +- png_byte v, w; +- +- v = png_ptr->gamma_to_1[palette[i].red]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red); +- palette[i].red = png_ptr->gamma_from_1[w]; +- +- v = png_ptr->gamma_to_1[palette[i].green]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green); +- palette[i].green = png_ptr->gamma_from_1[w]; +- +- v = png_ptr->gamma_to_1[palette[i].blue]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue); +- palette[i].blue = png_ptr->gamma_from_1[w]; ++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0) ++ { ++ /* Premultiply only: ++ * component = round((component * alpha) / 255) ++ */ ++ png_uint_32 component; ++ ++ component = png_ptr->gamma_to_1[palette[i].red]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].red = png_ptr->gamma_from_1[component]; ++ ++ component = png_ptr->gamma_to_1[palette[i].green]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].green = png_ptr->gamma_from_1[component]; ++ ++ component = png_ptr->gamma_to_1[palette[i].blue]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].blue = png_ptr->gamma_from_1[component]; ++ } ++ else ++ { ++ /* Composite with background color: ++ * component = ++ * alpha * component + (1 - alpha) * background ++ */ ++ png_byte v, w; ++ ++ v = png_ptr->gamma_to_1[palette[i].red]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.red); ++ palette[i].red = png_ptr->gamma_from_1[w]; ++ ++ v = png_ptr->gamma_to_1[palette[i].green]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.green); ++ palette[i].green = png_ptr->gamma_from_1[w]; ++ ++ v = png_ptr->gamma_to_1[palette[i].blue]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.blue); ++ palette[i].blue = png_ptr->gamma_from_1[w]; ++ } + } + } + else diff --git a/SOURCES/libpng-1.6-CVE-2025-65018_p1of2.patch b/SOURCES/libpng-1.6-CVE-2025-65018_p1of2.patch new file mode 100644 index 0000000..5543eb7 --- /dev/null +++ b/SOURCES/libpng-1.6-CVE-2025-65018_p1of2.patch @@ -0,0 +1,25 @@ +diff --git a/pngread.c b/pngread.c +index 212afb7d21..92571ec335 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -4040,6 +4040,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background, + int result; + png_image_read_control display; + ++ /* Reject bit depth mismatches to avoid buffer overflows. */ ++ png_uint_32 ihdr_bit_depth = ++ image->opaque->png_ptr->bit_depth; ++ int requested_linear = ++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0; ++ if (ihdr_bit_depth == 16 && !requested_linear) ++ return png_image_error(image, ++ "png_image_finish_read: " ++ "16-bit PNG must use 16-bit output format"); ++ if (ihdr_bit_depth < 16 && requested_linear) ++ return png_image_error(image, ++ "png_image_finish_read: " ++ "8-bit PNG must not use 16-bit output format"); ++ + memset(&display, 0, (sizeof display)); + display.image = image; + display.buffer = buffer; diff --git a/SOURCES/libpng-1.6-CVE-2025-65018_p2of2.patch b/SOURCES/libpng-1.6-CVE-2025-65018_p2of2.patch new file mode 100644 index 0000000..e048345 --- /dev/null +++ b/SOURCES/libpng-1.6-CVE-2025-65018_p2of2.patch @@ -0,0 +1,130 @@ +diff --git a/pngread.c b/pngread.c +index 92571ec335..79917daaaf 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -3129,6 +3129,54 @@ png_image_read_colormapped(png_voidp argument) + } + } + ++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */ ++static int ++png_image_read_direct_scaled(png_voidp argument) ++{ ++ png_image_read_control *display = png_voidcast(png_image_read_control*, ++ argument); ++ png_imagep image = display->image; ++ png_structrp png_ptr = image->opaque->png_ptr; ++ png_bytep local_row = png_voidcast(png_bytep, display->local_row); ++ png_bytep first_row = png_voidcast(png_bytep, display->first_row); ++ ptrdiff_t row_bytes = display->row_bytes; ++ int passes; ++ ++ /* Handle interlacing. */ ++ switch (png_ptr->interlaced) ++ { ++ case PNG_INTERLACE_NONE: ++ passes = 1; ++ break; ++ ++ case PNG_INTERLACE_ADAM7: ++ passes = PNG_INTERLACE_ADAM7_PASSES; ++ break; ++ ++ default: ++ png_error(png_ptr, "unknown interlace type"); ++ } ++ ++ /* Read each pass using local_row as intermediate buffer. */ ++ while (--passes >= 0) ++ { ++ png_uint_32 y = image->height; ++ png_bytep output_row = first_row; ++ ++ for (; y > 0; --y) ++ { ++ /* Read into local_row (gets transformed 8-bit data). */ ++ png_read_row(png_ptr, local_row, NULL); ++ ++ /* Copy from local_row to user buffer. */ ++ memcpy(output_row, local_row, (size_t)row_bytes); ++ output_row += row_bytes; ++ } ++ } ++ ++ return 1; ++} ++ + /* Just the row reading part of png_image_read. */ + static int + png_image_read_composite(png_voidp argument) +@@ -3547,6 +3595,7 @@ png_image_read_direct(png_voidp argument) + int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0; + int do_local_compose = 0; + int do_local_background = 0; /* to avoid double gamma correction bug */ ++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */ + int passes = 0; + + /* Add transforms to ensure the correct output format is produced then check +@@ -3680,8 +3729,16 @@ png_image_read_direct(png_voidp argument) + png_set_expand_16(png_ptr); + + else /* 8-bit output */ ++ { + png_set_scale_16(png_ptr); + ++ /* For interlaced images, use local_row buffer to avoid overflow ++ * in png_combine_row() which writes using IHDR bit-depth. ++ */ ++ if (png_ptr->interlaced != 0) ++ do_local_scale = 1; ++ } ++ + change &= ~PNG_FORMAT_FLAG_LINEAR; + } + +@@ -3957,6 +4014,24 @@ png_image_read_direct(png_voidp argument) + return result; + } + ++ else if (do_local_scale != 0) ++ { ++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer ++ * to avoid buffer overflows in png_combine_row. The local_row is sized ++ * for the transformed (8-bit) output, preventing the overflow that would ++ * occur if png_combine_row wrote 16-bit data directly to the user buffer. ++ */ ++ int result; ++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr)); ++ ++ display->local_row = row; ++ result = png_safe_execute(image, png_image_read_direct_scaled, display); ++ display->local_row = NULL; ++ png_free(png_ptr, row); ++ ++ return result; ++ } ++ + else + { + png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes; +@@ -4040,20 +4115,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background, + int result; + png_image_read_control display; + +- /* Reject bit depth mismatches to avoid buffer overflows. */ +- png_uint_32 ihdr_bit_depth = +- image->opaque->png_ptr->bit_depth; +- int requested_linear = +- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0; +- if (ihdr_bit_depth == 16 && !requested_linear) +- return png_image_error(image, +- "png_image_finish_read: " +- "16-bit PNG must use 16-bit output format"); +- if (ihdr_bit_depth < 16 && requested_linear) +- return png_image_error(image, +- "png_image_finish_read: " +- "8-bit PNG must not use 16-bit output format"); +- + memset(&display, 0, (sizeof display)); + display.image = image; + display.buffer = buffer; diff --git a/SOURCES/libpng-1.6-CVE-2025-66293_p1of2.patch b/SOURCES/libpng-1.6-CVE-2025-66293_p1of2.patch new file mode 100644 index 0000000..fa24ae6 --- /dev/null +++ b/SOURCES/libpng-1.6-CVE-2025-66293_p1of2.patch @@ -0,0 +1,21 @@ +diff --git a/pngread.c b/pngread.c +index 79917daaaf..ab62edd9d8 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -3273,9 +3273,14 @@ png_image_read_composite(png_voidp argument) + component += (255-alpha)*png_sRGB_table[outrow[c]]; + + /* So 'component' is scaled by 255*65535 and is +- * therefore appropriate for the sRGB to linear +- * conversion table. ++ * therefore appropriate for the sRGB-to-linear ++ * conversion table. Clamp to the valid range ++ * as a defensive measure against an internal ++ * libpng bug where the data is sRGB rather than ++ * linear premultiplied. + */ ++ if (component > 255*65535) ++ component = 255*65535; + component = PNG_sRGB_FROM_LINEAR(component); + } + diff --git a/SOURCES/libpng-1.6-CVE-2025-66293_p2of2.patch b/SOURCES/libpng-1.6-CVE-2025-66293_p2of2.patch new file mode 100644 index 0000000..4ce005b --- /dev/null +++ b/SOURCES/libpng-1.6-CVE-2025-66293_p2of2.patch @@ -0,0 +1,88 @@ +diff --git a/pngread.c b/pngread.c +index ab62edd9d8..f8ca2b7e31 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -3207,6 +3207,7 @@ png_image_read_composite(png_voidp argument) + ptrdiff_t step_row = display->row_bytes; + unsigned int channels = + (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1; ++ int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0; + int pass; + + for (pass = 0; pass < passes; ++pass) +@@ -3263,25 +3264,44 @@ png_image_read_composite(png_voidp argument) + + if (alpha < 255) /* else just use component */ + { +- /* This is PNG_OPTIMIZED_ALPHA, the component value +- * is a linear 8-bit value. Combine this with the +- * current outrow[c] value which is sRGB encoded. +- * Arithmetic here is 16-bits to preserve the output +- * values correctly. +- */ +- component *= 257*255; /* =65535 */ +- component += (255-alpha)*png_sRGB_table[outrow[c]]; +- +- /* So 'component' is scaled by 255*65535 and is +- * therefore appropriate for the sRGB-to-linear +- * conversion table. Clamp to the valid range +- * as a defensive measure against an internal +- * libpng bug where the data is sRGB rather than +- * linear premultiplied. +- */ +- if (component > 255*65535) +- component = 255*65535; +- component = PNG_sRGB_FROM_LINEAR(component); ++ if (optimize_alpha != 0) ++ { ++ /* This is PNG_OPTIMIZED_ALPHA, the component value ++ * is a linear 8-bit value. Combine this with the ++ * current outrow[c] value which is sRGB encoded. ++ * Arithmetic here is 16-bits to preserve the output ++ * values correctly. ++ */ ++ component *= 257*255; /* =65535 */ ++ component += (255-alpha)*png_sRGB_table[outrow[c]]; ++ ++ /* Clamp to the valid range to defend against ++ * unforeseen cases where the data might be sRGB ++ * instead of linear premultiplied. ++ * (Belt-and-suspenders for GitHub Issue #764.) ++ */ ++ if (component > 255*65535) ++ component = 255*65535; ++ ++ /* So 'component' is scaled by 255*65535 and is ++ * therefore appropriate for the sRGB-to-linear ++ * conversion table. ++ */ ++ component = PNG_sRGB_FROM_LINEAR(component); ++ } ++ else ++ { ++ /* Compositing was already done on the palette ++ * entries. The data is sRGB premultiplied on black. ++ * Composite with the background in sRGB space. ++ * This is not gamma-correct, but matches what was ++ * done to the palette. ++ */ ++ png_uint_32 background = outrow[c]; ++ component += ((255-alpha) * background + 127) / 255; ++ if (component > 255) ++ component = 255; ++ } + } + + outrow[c] = (png_byte)component; +diff --git a/pngrtran.c b/pngrtran.c +index 2f52022551..507d11381e 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1843,6 +1843,7 @@ png_init_read_transformations(png_structrp png_ptr) + * transformations elsewhere. + */ + png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA); ++ png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA; + } /* color_type == PNG_COLOR_TYPE_PALETTE */ + + /* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */ diff --git a/SPECS/libpng.spec b/SPECS/libpng.spec index 0d5a9bc..9da4db7 100644 --- a/SPECS/libpng.spec +++ b/SPECS/libpng.spec @@ -4,7 +4,7 @@ Summary: A library of functions for manipulating PNG image format files Name: libpng Epoch: 2 Version: 1.6.37 -Release: 12%{?dist} +Release: 12%{?dist}.1 License: zlib URL: http://www.libpng.org/pub/png/ @@ -12,6 +12,19 @@ Source0: https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{ Source1: pngusr.dfa Patch0: libpng-multilib.patch Patch1: libpng-fix-arm-neon.patch +# from upstream, for <1.6.51, RHEL-131580 +# https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 +Patch2: libpng-1.6-CVE-2025-64720.patch +# from upstream, for <1.6.51, RHEL-131593 +# https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d +Patch3: libpng-1.6-CVE-2025-65018_p1of2.patch +# https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea +Patch4: libpng-1.6-CVE-2025-65018_p2of2.patch +# from upstream, for <1.6.52, RHEL-133287 +# https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 +Patch5: libpng-1.6-CVE-2025-66293_p1of2.patch +# https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a +Patch6: libpng-1.6-CVE-2025-66293_p2of2.patch BuildRequires: gcc BuildRequires: zlib-devel @@ -62,8 +75,13 @@ The libpng-tools package contains tools used by the authors of libpng. # Provide pngusr.dfa for build. cp -p %{SOURCE1} . -%patch0 -p1 -%patch1 -p1 -b .arm +%patch -P 0 -p1 +%patch -P 1 -p1 -b .arm +%patch -P 2 -p1 -b .CVE-2025-64720 +%patch -P 3 -p1 -b .CVE-2025-65018_p1of2 +%patch -P 4 -p1 -b .CVE-2025-65018_p2of2 +%patch -P 5 -p1 -b .CVE-2025-66293_p1of2 +%patch -P 6 -p1 -b .CVE-2025-66293_p2of2 %build autoreconf -vif @@ -104,6 +122,11 @@ make check %{_bindir}/pngfix %changelog +* Mon Dec 15 2025 Michal Hlavinka - 2:1.6.37-12.1 +- CVE-2025-64720: buffer overflow (RHEL-131580) +- CVE-2025-65018: heap buffer overflow (RHEL-131593) +- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133287) + * Mon Aug 09 2021 Mohan Boddu - 2:1.6.37-12 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688