diff --git a/SOURCES/libpng-1.6-CVE-2026-33416_p1of5.patch b/SOURCES/libpng-1.6-CVE-2026-33416_p1of5.patch deleted file mode 100644 index f4588fd..0000000 --- a/SOURCES/libpng-1.6-CVE-2026-33416_p1of5.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -diff --git a/pngread.c b/pngread.c -index 01b731d8eb..0086edf6cf 100644 ---- a/pngread.c -+++ b/pngread.c -@@ -788,12 +788,11 @@ png_read_destroy(png_structrp png_ptr) - - #if defined(PNG_tRNS_SUPPORTED) || \ - defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) -- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0) -- { -- png_free(png_ptr, png_ptr->trans_alpha); -- png_ptr->trans_alpha = NULL; -- } -- png_ptr->free_me &= ~PNG_FREE_TRNS; -+ /* png_ptr->trans_alpha is always independently allocated (not aliased -+ * with info_ptr->trans_alpha), so free it unconditionally. -+ */ -+ png_free(png_ptr, png_ptr->trans_alpha); -+ png_ptr->trans_alpha = NULL; - #endif - - inflateEnd(&png_ptr->zstream); -diff --git a/pngrutil.c b/pngrutil.c -index 366379b991..a19507bf1b 100644 ---- a/pngrutil.c -+++ b/pngrutil.c -@@ -1772,10 +1772,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) - return; - } - -- /* TODO: this is a horrible side effect in the palette case because the -- * png_struct ends up with a pointer to the tRNS buffer owned by the -- * png_info. Fix this. -- */ - png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, - &(png_ptr->trans_color)); - } -diff --git a/pngset.c b/pngset.c -index 4b78b8960c..47883684e4 100644 ---- a/pngset.c -+++ b/pngset.c -@@ -1155,25 +1155,33 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr, - - if (trans_alpha != NULL) - { -- /* It may not actually be necessary to set png_ptr->trans_alpha here; -- * we do it for backward compatibility with the way the png_handle_tRNS -- * function used to do the allocation. -- * -- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively -- * relies on png_set_tRNS storing the information in png_struct -- * (otherwise it won't be there for the code in pngrtran.c). 
-- */ -- - png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); - - if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) - { -- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ -+ /* Allocate info_ptr's copy of the transparency data. */ - info_ptr->trans_alpha = png_voidcast(png_bytep, - png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); - memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); -+ -+ /* Allocate an independent copy for png_struct, so that the -+ * lifetime of png_ptr->trans_alpha is decoupled from the -+ * lifetime of info_ptr->trans_alpha. Previously these two -+ * pointers were aliased, which caused a use-after-free if -+ * png_free_data freed info_ptr->trans_alpha while -+ * png_ptr->trans_alpha was still in use by the row transform -+ * functions (e.g. png_do_expand_palette). -+ */ -+ png_free(png_ptr, png_ptr->trans_alpha); -+ png_ptr->trans_alpha = png_voidcast(png_bytep, -+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); -+ memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); -+ } -+ else -+ { -+ png_free(png_ptr, png_ptr->trans_alpha); -+ png_ptr->trans_alpha = NULL; - } -- png_ptr->trans_alpha = info_ptr->trans_alpha; - } - - if (trans_color != NULL) -diff --git a/pngwrite.c b/pngwrite.c -index 5fc77d91f7..84af1e73fb 100644 ---- a/pngwrite.c -+++ b/pngwrite.c -@@ -1010,6 +1010,12 @@ png_write_destroy(png_structrp png_ptr) - png_ptr->chunk_list = NULL; - #endif - -+#if defined(PNG_tRNS_SUPPORTED) -+ /* Free the independent copy of trans_alpha owned by png_struct. */ -+ png_free(png_ptr, png_ptr->trans_alpha); -+ png_ptr->trans_alpha = NULL; -+#endif -+ - /* The error handling and memory handling information is left intact at this - * point: the jmp_buf may still have to be freed. See png_destroy_png_struct - * for how this happens. diff --git a/SOURCES/libpng-1.6-CVE-2026-33416_p2of5.patch b/SOURCES/libpng-1.6-CVE-2026-33416_p2of5.patch deleted file mode 100644 index c7fffb2..0000000 
--- a/SOURCES/libpng-1.6-CVE-2026-33416_p2of5.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/pngset.c b/pngset.c -index 47883684e4..dccc6498d7 100644 ---- a/pngset.c -+++ b/pngset.c -@@ -1159,9 +1159,13 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr, - - if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) - { -- /* Allocate info_ptr's copy of the transparency data. */ -+ /* Allocate info_ptr's copy of the transparency data. -+ * Initialize all entries to fully opaque (0xff), then overwrite -+ * the first num_trans entries with the actual values. -+ */ - info_ptr->trans_alpha = png_voidcast(png_bytep, - png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); -+ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); - memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); - - /* Allocate an independent copy for png_struct, so that the -@@ -1177,6 +1181,7 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr, - png_free(png_ptr, png_ptr->trans_alpha); - png_ptr->trans_alpha = png_voidcast(png_bytep, - png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); -+ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); - memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); - } - else diff --git a/SOURCES/libpng-1.6-CVE-2026-33416_p3of5.patch b/SOURCES/libpng-1.6-CVE-2026-33416_p3of5.patch deleted file mode 100644 index d499f67..0000000 --- a/SOURCES/libpng-1.6-CVE-2026-33416_p3of5.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -diff -up libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngread.c ---- libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.486981492 +0200 -+++ libpng-1.6.40/pngread.c 2026-05-13 17:57:13.493075382 +0200 -@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr) - png_ptr->quantize_index = NULL; - #endif - -- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0) -- { -- png_zfree(png_ptr, png_ptr->palette); -- png_ptr->palette = NULL; -- } -- png_ptr->free_me &= ~PNG_FREE_PLTE; -+ /* png_ptr->palette is always independently allocated (not aliased -+ * with info_ptr->palette), so free it unconditionally. -+ */ -+ png_free(png_ptr, png_ptr->palette); -+ png_ptr->palette = NULL; - - #if defined(PNG_tRNS_SUPPORTED) || \ - defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) -diff -up libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrtran.c ---- libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.483146844 +0200 -+++ libpng-1.6.40/pngrtran.c 2026-05-13 17:57:13.493827754 +0200 -@@ -745,7 +745,13 @@ png_set_quantize(png_structrp png_ptr, p - } - if (png_ptr->palette == NULL) - { -- png_ptr->palette = palette; -+ /* Allocate an owned copy rather than aliasing the caller's pointer, -+ * so that png_read_destroy can free png_ptr->palette unconditionally. 
-+ */ -+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, -+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); -+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette * -+ (sizeof (png_color))); - } - png_ptr->num_palette = (png_uint_16)num_palette; - -diff -up libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrutil.c ---- libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.487752910 +0200 -+++ libpng-1.6.40/pngrutil.c 2026-05-13 18:02:45.747406991 +0200 -@@ -1048,14 +1048,6 @@ png_handle_PLTE(png_structrp png_ptr, pn - } - #endif - -- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its -- * own copy of the palette. This has the side effect that when png_start_row -- * is called (this happens after any call to png_read_update_info) the -- * info_ptr palette gets changed. This is extremely unexpected and -- * confusing. -- * -- * Fix this by not sharing the palette in this way. -- */ - png_set_PLTE(png_ptr, info_ptr, palette, num); - - /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before -diff -up libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngset.c ---- libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.490982521 +0200 -+++ libpng-1.6.40/pngset.c 2026-05-13 17:57:13.495080620 +0200 -@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i - png_error(png_ptr, "Invalid palette"); - } - -- /* It may not actually be necessary to set png_ptr->palette here; -- * we do it for backward compatibility with the way the png_handle_tRNS -- * function used to do the allocation. -- * -- * 1.6.0: the above statement appears to be incorrect; something has to set -- * the palette inside png_struct on read. 
-- */ - png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); - - /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead - * of num_palette entries, in case of an invalid PNG file or incorrect - * call to png_set_PLTE() with too-large sample values. -+ * -+ * Allocate independent buffers for info_ptr and png_ptr so that the -+ * lifetime of png_ptr->palette is decoupled from the lifetime of -+ * info_ptr->palette. Previously, these two pointers were aliased, -+ * which caused a use-after-free vulnerability if png_free_data freed -+ * info_ptr->palette while png_ptr->palette was still in use by the -+ * row transform functions (e.g. png_do_expand_palette). -+ * -+ * Both buffers are allocated with png_calloc to zero-fill, because -+ * the ARM NEON palette riffle reads all 256 entries unconditionally, -+ * regardless of num_palette. - */ -+ png_free(png_ptr, png_ptr->palette); - png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, - PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); -+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, -+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); -+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette; - - if (num_palette > 0) -+ { -+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette * -+ (sizeof (png_color))); - memcpy(png_ptr->palette, palette, (unsigned int)num_palette * - (sizeof (png_color))); -+ } -- info_ptr->palette = png_ptr->palette; -- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette; - - info_ptr->free_me |= PNG_FREE_PLTE; - - info_ptr->valid |= PNG_INFO_PLTE; -diff -up libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngwrite.c ---- libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.488545337 +0200 -+++ libpng-1.6.40/pngwrite.c 2026-05-13 17:57:13.495368957 +0200 -@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr) - png_ptr->trans_alpha = NULL; - #endif - -+ /* Free the independent copy of 
the palette owned by png_struct. */ -+ png_free(png_ptr, png_ptr->palette); -+ png_ptr->palette = NULL; -+ - /* The error handling and memory handling information is left intact at this - * point: the jmp_buf may still have to be freed. See png_destroy_png_struct - * for how this happens. diff --git a/SOURCES/libpng-1.6-CVE-2026-33416_p4of5.patch b/SOURCES/libpng-1.6-CVE-2026-33416_p4of5.patch deleted file mode 100644 index 08bfecb..0000000 --- a/SOURCES/libpng-1.6-CVE-2026-33416_p4of5.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git a/pngrtran.c b/pngrtran.c -index fd736ab672..978dac5888 100644 ---- a/pngrtran.c -+++ b/pngrtran.c -@@ -2070,6 +2070,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr) - { - png_debug(1, "in png_read_transform_info"); - -+ if (png_ptr->transformations != 0) -+ { -+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && -+ info_ptr->palette != NULL && png_ptr->palette != NULL) -+ { -+ /* Sync info_ptr->palette with png_ptr->palette. -+ * The function png_init_read_transformations may have modified -+ * png_ptr->palette in place (e.g. for gamma correction or for -+ * background compositing). -+ */ -+ memcpy(info_ptr->palette, png_ptr->palette, -+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))); -+ } -+ } -+ - #ifdef PNG_READ_EXPAND_SUPPORTED - if ((png_ptr->transformations & PNG_EXPAND) != 0) - { diff --git a/SOURCES/libpng-1.6-CVE-2026-33416_p5of5.patch b/SOURCES/libpng-1.6-CVE-2026-33416_p5of5.patch deleted file mode 100644 index ed75fe1..0000000 --- a/SOURCES/libpng-1.6-CVE-2026-33416_p5of5.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -diff --git a/pngrtran.c b/pngrtran.c -index 1b04cafa56..0ac8df749e 100644 ---- a/pngrtran.c -+++ b/pngrtran.c -@@ -2070,19 +2070,15 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr) - { - png_debug(1, "in png_read_transform_info"); - -- if (png_ptr->transformations != 0) -+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && -+ info_ptr->palette != NULL && png_ptr->palette != NULL) - { -- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && -- info_ptr->palette != NULL && png_ptr->palette != NULL) -- { -- /* Sync info_ptr->palette with png_ptr->palette. -- * The function png_init_read_transformations may have modified -- * png_ptr->palette in place (e.g. for gamma correction or for -- * background compositing). -- */ -- memcpy(info_ptr->palette, png_ptr->palette, -- PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))); -- } -+ /* Sync info_ptr->palette with png_ptr->palette, which may -+ * have been modified by png_init_read_transformations -+ * (e.g. for gamma correction or background compositing). -+ */ -+ memcpy(info_ptr->palette, png_ptr->palette, -+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))); - } - - #ifdef PNG_READ_EXPAND_SUPPORTED diff --git a/SOURCES/libpng-1.6-CVE-2026-33636.patch b/SOURCES/libpng-1.6-CVE-2026-33636.patch deleted file mode 100644 index 25617bc..0000000 --- a/SOURCES/libpng-1.6-CVE-2026-33636.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c -index 3068e9b6e6..f3355bef59 100644 ---- a/arm/palette_neon_intrinsics.c -+++ b/arm/palette_neon_intrinsics.c -@@ -79,7 +79,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, - */ - *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1); - -- for (i = 0; i < row_width; i += pixels_per_chunk) -+ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) - { - uint32x4_t cur; - png_bytep sp = *ssp - i, dp = *ddp - (i << 2); -@@ -89,13 +89,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, - cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3); - vst1q_u32((void *)dp, cur); - } -- if (i != row_width) -- { -- /* Remove the amount that wasn't processed. */ -- i -= pixels_per_chunk; -- } - -- /* Decrement output pointers. */ -+ /* Undo the pre-adjustment of *ddp before the pointer handoff, -+ * so the scalar fallback in pngrtran.c receives a dp that points -+ * to the correct position. -+ */ -+ *ddp = *ddp + (pixels_per_chunk * 4 - 1); - *ssp = *ssp - i; - *ddp = *ddp - (i << 2); - return i; -@@ -120,7 +119,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, - /* Seeking this back by 8 pixels x 3 bytes. */ - *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1); - -- for (i = 0; i < row_width; i += pixels_per_chunk) -+ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) - { - uint8x8x3_t cur; - png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i); -@@ -135,13 +134,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, - vst3_u8((void *)dp, cur); - } - -- if (i != row_width) -- { -- /* Remove the amount that wasn't processed. */ -- i -= pixels_per_chunk; -- } -- -- /* Decrement output pointers. 
*/ -+ /* Undo the pre-adjustment of *ddp before the pointer handoff, -+ * so the scalar fallback in pngrtran.c receives a dp that points -+ * to the correct position. -+ */ -+ *ddp = *ddp + (pixels_per_chunk * 3 - 1); - *ssp = *ssp - i; - *ddp = *ddp - ((i << 1) + i); - return i; diff --git a/SPECS/libpng.spec b/SPECS/libpng.spec index eb1baee..81f8780 100644 --- a/SPECS/libpng.spec +++ b/SPECS/libpng.spec @@ -4,7 +4,7 @@ Summary: A library of functions for manipulating PNG image format files Name: libpng Epoch: 2 Version: 1.6.37 -Release: 12%{?dist}.4 +Release: 15%{?dist} License: zlib URL: http://www.libpng.org/pub/png/ 
@@ -12,43 +12,28 @@ Source0: https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{ Source1: pngusr.dfa Patch0: libpng-multilib.patch Patch1: libpng-fix-arm-neon.patch -# from upstream, for <1.6.51, RHEL-131580 +# from upstream, for <1.6.51, RHEL-131594 # https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 Patch2: libpng-1.6-CVE-2025-64720.patch -# from upstream, for <1.6.51, RHEL-131593 +# from upstream, for <1.6.51, RHEL-131603 # https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d Patch3: libpng-1.6-CVE-2025-65018_p1of2.patch # https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea Patch4: libpng-1.6-CVE-2025-65018_p2of2.patch -# from upstream, for <1.6.52, RHEL-133287 +# from upstream, for <1.6.52, RHEL-133294 # https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 Patch5: libpng-1.6-CVE-2025-66293_p1of2.patch # https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a Patch6: libpng-1.6-CVE-2025-66293_p2of2.patch -# from upstream, for <1.6.54, RHEL-148970 +# from upstream, for <1.6.54, RHEL-147356 # https://github.com/pnggroup/libpng/commit/e4f7ad4ea2 Patch7: libpng-1.6-cve-2026-22695.patch -# from upstream, for <1.6.54, RHEL-147343 +# from upstream, for <1.6.54, RHEL-149000 # https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072 Patch8: libpng-1.6-cve-2026-22801.patch -# from upstream, for <1.6.55, RHEL-148403 +# from upstream, for <1.6.55, RHEL-148328 # https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 Patch9: libpng-1.6-cve-2026-25646.patch -# from upstream, for <1.6.56, RHEL-161291 -# https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3 -Patch10: libpng-1.6-CVE-2026-33636.patch -# from upstream, for <1.6.56 (fix), for <1.6.58 (regression fix), RHEL-161436 -# 
https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb -Patch12: libpng-1.6-CVE-2026-33416_p1of5.patch -# https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 -Patch13: libpng-1.6-CVE-2026-33416_p2of5.patch -# https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667 -Patch14: libpng-1.6-CVE-2026-33416_p3of5.patch -# https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 -Patch15: libpng-1.6-CVE-2026-33416_p4of5.patch -# regression fix for 7ea9eea8 (part 3) -# https://github.com/pnggroup/libpng/commit/d4c4e49eb5c8981075ec2cd946428758c0cda6ac -Patch16: libpng-1.6-CVE-2026-33416_p5of5.patch BuildRequires: gcc BuildRequires: zlib-devel @@ -109,12 +94,6 @@ cp -p %{SOURCE1} . %patch -P 7 -p1 -b .cve-2026-22695 %patch -P 8 -p1 -b .cve-2026-22801 %patch -P 9 -p1 -b .cve-2026-25646 -%patch -P 10 -p1 -b .CVE-2026-33636 -%patch -P 12 -p1 -b .CVE-2026-33416_p1of5 -%patch -P 13 -p1 -b .CVE-2026-33416_p2of5 -%patch -P 14 -p1 -b .CVE-2026-33416_p3of5 -%patch -P 15 -p1 -b .CVE-2026-33416_p4of5 -%patch -P 16 -p1 -b .CVE-2026-33416_p5of5 %build autoreconf -vif 
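Review bot: The `Patch10` and `Patch12`–`Patch16` declarations removed in this hunk are the only place the CVE-2026-33636 (out-of-bounds read/write in the ARM Neon palette expansion) and CVE-2026-33416 (use-after-free through the aliased `trans_alpha`/`palette` pointers) fixes enter the build, and the matching `%patch -P 10` … `-P 16` lines are removed in the next hunk, while `Release` rises from `12%{?dist}.4` to `15%{?dist}`. A build from this spec therefore sorts newer than 12.4 but no longer carries either fix, so updating to it would presumably reintroduce both issues on systems that already had them patched; it is worth confirming this is a branch sync and not a dropped backport. If the removal is intended, say so next to `Patch9`, e.g. `# CVE-2026-33636 and CVE-2026-33416 fixes are not carried on this branch yet`; otherwise keep the six `Patch`/`%patch` pairs. Separately, the tracker ids in the new `Patch7`–`Patch9` comments (RHEL-147356, RHEL-149000, RHEL-148328) do not match the `%changelog` entries for the same CVEs (RHEL-149000, RHEL-147356, RHEL-148411), so one of the two sets should be corrected.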
@@ -155,21 +134,17 @@ make check %{_bindir}/pngfix %changelog -* Wed May 13 2026 Michal Hlavinka - 2:1.6.37-12.4 -- fix CVE-2026-33416: use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE (RHEL-161436) +* Tue Mar 03 2026 Michal Hlavinka - 2:1.6.37-15 +- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411) -* Mon Apr 27 2026 Michal Hlavinka - 2:1.6.37-12.3 -- fix CVE-2026-33636: out-of-bounds R/W in the palette expansion on ARM Neon (RHEL-161291) +* Thu Feb 19 2026 Michal Hlavinka - 2:1.6.37-14 +- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356) +- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000) -* Sun Feb 22 2026 Michal Hlavinka - 2:1.6.37-12.2 -- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148970) -- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148403) -- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147343) - -* Mon Dec 15 2025 Michal Hlavinka - 2:1.6.37-12.1 -- CVE-2025-64720: buffer overflow (RHEL-131580) -- CVE-2025-65018: heap buffer overflow (RHEL-131593) -- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133287) +* Wed Jan 21 2026 Michal Hlavinka - 2:1.6.37-13 +- CVE-2025-64720: buffer overflow (RHEL-131594) +- CVE-2025-65018: heap buffer overflow (RHEL-131603) +- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133294) * Mon Aug 09 2021 Mohan Boddu - 2:1.6.37-12 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags