Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/libpng-1.6.34.tar.xz
|
||||
SOURCES/libpng-1.6.37.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
45de4ec996ffcc3e18037e7c128abe95f4d0292a SOURCES/libpng-1.6.34.tar.xz
|
||||
1aac0e12aa5b583f736fb6692f47dff7a3efa78b SOURCES/libpng-1.6.37.tar.gz
|
||||
|
||||
@ -1,103 +0,0 @@
|
||||
diff --git a/pngread.c b/pngread.c
|
||||
index 01b731d8eb..0086edf6cf 100644
|
||||
--- a/pngread.c
|
||||
+++ b/pngread.c
|
||||
@@ -788,12 +788,11 @@ png_read_destroy(png_structrp png_ptr)
|
||||
|
||||
#if defined(PNG_tRNS_SUPPORTED) || \
|
||||
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
|
||||
- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
|
||||
- {
|
||||
- png_free(png_ptr, png_ptr->trans_alpha);
|
||||
- png_ptr->trans_alpha = NULL;
|
||||
- }
|
||||
- png_ptr->free_me &= ~PNG_FREE_TRNS;
|
||||
+ /* png_ptr->trans_alpha is always independently allocated (not aliased
|
||||
+ * with info_ptr->trans_alpha), so free it unconditionally.
|
||||
+ */
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = NULL;
|
||||
#endif
|
||||
|
||||
inflateEnd(&png_ptr->zstream);
|
||||
diff --git a/pngrutil.c b/pngrutil.c
|
||||
index 366379b991..a19507bf1b 100644
|
||||
--- a/pngrutil.c
|
||||
+++ b/pngrutil.c
|
||||
@@ -1772,10 +1772,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
return;
|
||||
}
|
||||
|
||||
- /* TODO: this is a horrible side effect in the palette case because the
|
||||
- * png_struct ends up with a pointer to the tRNS buffer owned by the
|
||||
- * png_info. Fix this.
|
||||
- */
|
||||
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
|
||||
&(png_ptr->trans_color));
|
||||
}
|
||||
diff --git a/pngset.c b/pngset.c
|
||||
index 4b78b8960c..47883684e4 100644
|
||||
--- a/pngset.c
|
||||
+++ b/pngset.c
|
||||
@@ -1002,25 +1002,33 @@
|
||||
|
||||
if (trans_alpha != NULL)
|
||||
{
|
||||
- /* It may not actually be necessary to set png_ptr->trans_alpha here;
|
||||
- * we do it for backward compatibility with the way the png_handle_tRNS
|
||||
- * function used to do the allocation.
|
||||
- *
|
||||
- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
|
||||
- * relies on png_set_tRNS storing the information in png_struct
|
||||
- * (otherwise it won't be there for the code in pngrtran.c).
|
||||
- */
|
||||
-
|
||||
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
|
||||
|
||||
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
|
||||
{
|
||||
- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
|
||||
+ /* Allocate info_ptr's copy of the transparency data. */
|
||||
info_ptr->trans_alpha = png_voidcast(png_bytep,
|
||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
||||
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
||||
+
|
||||
+ /* Allocate an independent copy for png_struct, so that the
|
||||
+ * lifetime of png_ptr->trans_alpha is decoupled from the
|
||||
+ * lifetime of info_ptr->trans_alpha. Previously these two
|
||||
+ * pointers were aliased, which caused a use-after-free if
|
||||
+ * png_free_data freed info_ptr->trans_alpha while
|
||||
+ * png_ptr->trans_alpha was still in use by the row transform
|
||||
+ * functions (e.g. png_do_expand_palette).
|
||||
+ */
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = png_voidcast(png_bytep,
|
||||
+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
||||
+ memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = NULL;
|
||||
}
|
||||
- png_ptr->trans_alpha = info_ptr->trans_alpha;
|
||||
}
|
||||
|
||||
if (trans_color != NULL)
|
||||
diff --git a/pngwrite.c b/pngwrite.c
|
||||
index 5fc77d91f7..84af1e73fb 100644
|
||||
--- a/pngwrite.c
|
||||
+++ b/pngwrite.c
|
||||
@@ -1010,6 +1010,12 @@ png_write_destroy(png_structrp png_ptr)
|
||||
png_ptr->chunk_list = NULL;
|
||||
#endif
|
||||
|
||||
+#if defined(PNG_tRNS_SUPPORTED)
|
||||
+ /* Free the independent copy of trans_alpha owned by png_struct. */
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = NULL;
|
||||
+#endif
|
||||
+
|
||||
/* The error handling and memory handling information is left intact at this
|
||||
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
|
||||
* for how this happens.
|
||||
@ -1,27 +0,0 @@
|
||||
diff --git a/pngset.c b/pngset.c
|
||||
index 47883684e4..dccc6498d7 100644
|
||||
--- a/pngset.c
|
||||
+++ b/pngset.c
|
||||
@@ -1006,9 +1006,13 @@
|
||||
|
||||
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
|
||||
{
|
||||
- /* Allocate info_ptr's copy of the transparency data. */
|
||||
+ /* Allocate info_ptr's copy of the transparency data.
|
||||
+ * Initialize all entries to fully opaque (0xff), then overwrite
|
||||
+ * the first num_trans entries with the actual values.
|
||||
+ */
|
||||
info_ptr->trans_alpha = png_voidcast(png_bytep,
|
||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
||||
+ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
|
||||
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
||||
|
||||
/* Allocate an independent copy for png_struct, so that the
|
||||
@@ -1024,6 +1028,7 @@
|
||||
png_free(png_ptr, png_ptr->trans_alpha);
|
||||
png_ptr->trans_alpha = png_voidcast(png_bytep,
|
||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
||||
+ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
|
||||
memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
||||
}
|
||||
else
|
||||
@ -1,122 +0,0 @@
|
||||
diff -up libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngread.c
|
||||
--- libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.486981492 +0200
|
||||
+++ libpng-1.6.40/pngread.c 2026-05-13 17:57:13.493075382 +0200
|
||||
@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr)
|
||||
png_ptr->quantize_index = NULL;
|
||||
#endif
|
||||
|
||||
- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
|
||||
- {
|
||||
- png_zfree(png_ptr, png_ptr->palette);
|
||||
- png_ptr->palette = NULL;
|
||||
- }
|
||||
- png_ptr->free_me &= ~PNG_FREE_PLTE;
|
||||
+ /* png_ptr->palette is always independently allocated (not aliased
|
||||
+ * with info_ptr->palette), so free it unconditionally.
|
||||
+ */
|
||||
+ png_free(png_ptr, png_ptr->palette);
|
||||
+ png_ptr->palette = NULL;
|
||||
|
||||
#if defined(PNG_tRNS_SUPPORTED) || \
|
||||
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
|
||||
diff -up libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrtran.c
|
||||
--- libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.483146844 +0200
|
||||
+++ libpng-1.6.40/pngrtran.c 2026-05-13 17:57:13.493827754 +0200
|
||||
@@ -745,7 +745,13 @@ png_set_quantize(png_structrp png_ptr, p
|
||||
}
|
||||
if (png_ptr->palette == NULL)
|
||||
{
|
||||
- png_ptr->palette = palette;
|
||||
+ /* Allocate an owned copy rather than aliasing the caller's pointer,
|
||||
+ * so that png_read_destroy can free png_ptr->palette unconditionally.
|
||||
+ */
|
||||
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
|
||||
+ (sizeof (png_color)));
|
||||
}
|
||||
png_ptr->num_palette = (png_uint_16)num_palette;
|
||||
|
||||
diff -up libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrutil.c
|
||||
--- libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.487752910 +0200
|
||||
+++ libpng-1.6.40/pngrutil.c 2026-05-13 18:02:45.747406991 +0200
|
||||
@@ -1048,14 +1048,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
|
||||
}
|
||||
#endif
|
||||
|
||||
- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
|
||||
- * own copy of the palette. This has the side effect that when png_start_row
|
||||
- * is called (this happens after any call to png_read_update_info) the
|
||||
- * info_ptr palette gets changed. This is extremely unexpected and
|
||||
- * confusing.
|
||||
- *
|
||||
- * Fix this by not sharing the palette in this way.
|
||||
- */
|
||||
png_set_PLTE(png_ptr, info_ptr, palette, num);
|
||||
|
||||
/* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
|
||||
diff -up libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngset.c
|
||||
--- libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.490982521 +0200
|
||||
+++ libpng-1.6.40/pngset.c 2026-05-13 17:57:13.495080620 +0200
|
||||
@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i
|
||||
png_error(png_ptr, "Invalid palette");
|
||||
}
|
||||
|
||||
- /* It may not actually be necessary to set png_ptr->palette here;
|
||||
- * we do it for backward compatibility with the way the png_handle_tRNS
|
||||
- * function used to do the allocation.
|
||||
- *
|
||||
- * 1.6.0: the above statement appears to be incorrect; something has to set
|
||||
- * the palette inside png_struct on read.
|
||||
- */
|
||||
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
|
||||
|
||||
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
|
||||
* of num_palette entries, in case of an invalid PNG file or incorrect
|
||||
* call to png_set_PLTE() with too-large sample values.
|
||||
+ *
|
||||
+ * Allocate independent buffers for info_ptr and png_ptr so that the
|
||||
+ * lifetime of png_ptr->palette is decoupled from the lifetime of
|
||||
+ * info_ptr->palette. Previously, these two pointers were aliased,
|
||||
+ * which caused a use-after-free vulnerability if png_free_data freed
|
||||
+ * info_ptr->palette while png_ptr->palette was still in use by the
|
||||
+ * row transform functions (e.g. png_do_expand_palette).
|
||||
+ *
|
||||
+ * Both buffers are allocated with png_calloc to zero-fill, because
|
||||
+ * the ARM NEON palette riffle reads all 256 entries unconditionally,
|
||||
+ * regardless of num_palette.
|
||||
*/
|
||||
+ png_free(png_ptr, png_ptr->palette);
|
||||
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
|
||||
|
||||
if (num_palette > 0)
|
||||
+ {
|
||||
+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
|
||||
+ (sizeof (png_color)));
|
||||
memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
|
||||
(sizeof (png_color)));
|
||||
+ }
|
||||
- info_ptr->palette = png_ptr->palette;
|
||||
- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
|
||||
|
||||
info_ptr->free_me |= PNG_FREE_PLTE;
|
||||
|
||||
info_ptr->valid |= PNG_INFO_PLTE;
|
||||
diff -up libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngwrite.c
|
||||
--- libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.488545337 +0200
|
||||
+++ libpng-1.6.40/pngwrite.c 2026-05-13 17:57:13.495368957 +0200
|
||||
@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr)
|
||||
png_ptr->trans_alpha = NULL;
|
||||
#endif
|
||||
|
||||
+ /* Free the independent copy of the palette owned by png_struct. */
|
||||
+ png_free(png_ptr, png_ptr->palette);
|
||||
+ png_ptr->palette = NULL;
|
||||
+
|
||||
/* The error handling and memory handling information is left intact at this
|
||||
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
|
||||
* for how this happens.
|
||||
@ -1,26 +0,0 @@
|
||||
diff --git a/pngrtran.c b/pngrtran.c
|
||||
index fd736ab672..978dac5888 100644
|
||||
--- a/pngrtran.c
|
||||
+++ b/pngrtran.c
|
||||
@@ -2070,6 +2070,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
|
||||
{
|
||||
png_debug(1, "in png_read_transform_info");
|
||||
|
||||
+ if (png_ptr->transformations != 0)
|
||||
+ {
|
||||
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
||||
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
|
||||
+ {
|
||||
+ /* Sync info_ptr->palette with png_ptr->palette.
|
||||
+ * The function png_init_read_transformations may have modified
|
||||
+ * png_ptr->palette in place (e.g. for gamma correction or for
|
||||
+ * background compositing).
|
||||
+ */
|
||||
+ memcpy(info_ptr->palette, png_ptr->palette,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
#ifdef PNG_READ_EXPAND_SUPPORTED
|
||||
if ((png_ptr->transformations & PNG_EXPAND) != 0)
|
||||
{
|
||||
@ -1,32 +0,0 @@
|
||||
diff --git a/pngrtran.c b/pngrtran.c
|
||||
index 1b04cafa56..0ac8df749e 100644
|
||||
--- a/pngrtran.c
|
||||
+++ b/pngrtran.c
|
||||
@@ -2070,19 +2070,15 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
|
||||
{
|
||||
png_debug(1, "in png_read_transform_info");
|
||||
|
||||
- if (png_ptr->transformations != 0)
|
||||
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
||||
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
|
||||
{
|
||||
- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
||||
- info_ptr->palette != NULL && png_ptr->palette != NULL)
|
||||
- {
|
||||
- /* Sync info_ptr->palette with png_ptr->palette.
|
||||
- * The function png_init_read_transformations may have modified
|
||||
- * png_ptr->palette in place (e.g. for gamma correction or for
|
||||
- * background compositing).
|
||||
- */
|
||||
- memcpy(info_ptr->palette, png_ptr->palette,
|
||||
- PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
||||
- }
|
||||
+ /* Sync info_ptr->palette with png_ptr->palette, which may
|
||||
+ * have been modified by png_init_read_transformations
|
||||
+ * (e.g. for gamma correction or background compositing).
|
||||
+ */
|
||||
+ memcpy(info_ptr->palette, png_ptr->palette,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
||||
}
|
||||
|
||||
#ifdef PNG_READ_EXPAND_SUPPORTED
|
||||
@ -1,34 +0,0 @@
|
||||
From 9821583a771bfe2c75b7449d8ff83cb348291b3f Mon Sep 17 00:00:00 2001
|
||||
From: Cosmin Truta <ctruta@gmail.com>
|
||||
Date: Sun, 17 Jun 2018 22:56:29 -0400
|
||||
Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
|
||||
|
||||
(Bug report by Thuan Pham, SourceForge issue #278)
|
||||
---
|
||||
pngrutil.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/pngrutil.c b/pngrutil.c
|
||||
index 8692933..eab2973 100644
|
||||
--- a/pngrutil.c
|
||||
+++ b/pngrutil.c
|
||||
@@ -3149,10 +3149,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
|
||||
{
|
||||
png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
|
||||
size_t row_factor =
|
||||
- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
|
||||
- + 1 + (png_ptr->interlaced? 6: 0));
|
||||
+ (size_t)png_ptr->width
|
||||
+ * (size_t)png_ptr->channels
|
||||
+ * (png_ptr->bit_depth > 8? 2: 1)
|
||||
+ + 1
|
||||
+ + (png_ptr->interlaced? 6: 0);
|
||||
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
|
||||
- idat_limit=PNG_UINT_31_MAX;
|
||||
+ idat_limit = PNG_UINT_31_MAX;
|
||||
else
|
||||
idat_limit = png_ptr->height * row_factor;
|
||||
row_factor = row_factor > 32566? 32566 : row_factor;
|
||||
--
|
||||
2.17.1
|
||||
|
||||
@ -1,12 +0,0 @@
|
||||
diff --git a/libpng-config.in b/libpng-config.in
|
||||
index 3739eb9..7f6b2cc 100644
|
||||
--- a/libpng-config.in
|
||||
+++ b/libpng-config.in
|
||||
@@ -13,7 +13,6 @@
|
||||
|
||||
version=`pkg-config --modversion libpng`
|
||||
prefix=`pkg-config --variable prefix libpng`
|
||||
-exec_prefix=`pkg-config --variable exec_prefix libpng`
|
||||
libdir=`pkg-config --variable libdir libpng`
|
||||
includedir=`pkg-config --variable includedir libpng`
|
||||
libs="-lpng@PNGLIB_MAJOR@@PNGLIB_MINOR@"
|
||||
@ -1,57 +1,44 @@
|
||||
%bcond_without check
|
||||
|
||||
Summary: A library of functions for manipulating PNG image format files
|
||||
Name: libpng
|
||||
Epoch: 2
|
||||
Version: 1.6.34
|
||||
Release: 11%{?dist}
|
||||
Version: 1.6.37
|
||||
Release: 15%{?dist}
|
||||
License: zlib
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.libpng.org/pub/png/
|
||||
|
||||
# Note: non-current tarballs get moved to the history/ subdirectory,
|
||||
# so look there if you fail to retrieve the version you want
|
||||
Source0: https://ftp-osl.osuosl.org/pub/libpng/src/libpng16/libpng-%{version}.tar.xz
|
||||
Source0: https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: pngusr.dfa
|
||||
Patch0: libpng-multilib.patch
|
||||
Patch1: libpng-fix-arm-neon.patch
|
||||
Patch2: libpng-CVE-2018-13785.patch
|
||||
Patch3: libpng-coverity.patch
|
||||
# from upstream, for <1.6.51, RHEL-131422
|
||||
# from upstream, for <1.6.51, RHEL-131594
|
||||
# https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
|
||||
Patch4: libpng-1.6-CVE-2025-64720.patch
|
||||
# from upstream, for <1.6.51, RHEL-131435
|
||||
Patch2: libpng-1.6-CVE-2025-64720.patch
|
||||
# from upstream, for <1.6.51, RHEL-131603
|
||||
# https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
|
||||
Patch5: libpng-1.6-CVE-2025-65018_p1of2.patch
|
||||
Patch3: libpng-1.6-CVE-2025-65018_p1of2.patch
|
||||
# https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
|
||||
Patch6: libpng-1.6-CVE-2025-65018_p2of2.patch
|
||||
# from upstream, for <1.6.52, RHEL-133212
|
||||
Patch4: libpng-1.6-CVE-2025-65018_p2of2.patch
|
||||
# from upstream, for <1.6.52, RHEL-133294
|
||||
# https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
|
||||
Patch7: libpng-1.6-CVE-2025-66293_p1of2.patch
|
||||
Patch5: libpng-1.6-CVE-2025-66293_p1of2.patch
|
||||
# https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
|
||||
Patch8: libpng-1.6-CVE-2025-66293_p2of2.patch
|
||||
# from upstream, for <1.6.54, RHEL-148852
|
||||
Patch6: libpng-1.6-CVE-2025-66293_p2of2.patch
|
||||
# from upstream, for <1.6.54, RHEL-147356
|
||||
# https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
|
||||
Patch9: libpng-1.6-cve-2026-22695.patch
|
||||
# from upstream, for <1.6.54, RHEL-146659
|
||||
Patch7: libpng-1.6-cve-2026-22695.patch
|
||||
# from upstream, for <1.6.54, RHEL-149000
|
||||
# https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
|
||||
Patch10: libpng-1.6-cve-2026-22801.patch
|
||||
# from upstream, for <1.6.55, RHEL-148338
|
||||
Patch8: libpng-1.6-cve-2026-22801.patch
|
||||
# from upstream, for <1.6.55, RHEL-148328
|
||||
# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
|
||||
Patch11: libpng-1.6-cve-2026-25646.patch
|
||||
# from upstream, for <1.6.56 (fix), for <1.6.58 (regression fix), RHEL-161436
|
||||
# https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
|
||||
Patch13: libpng-1.6-CVE-2026-33416_p1of5.patch
|
||||
# https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
|
||||
Patch14: libpng-1.6-CVE-2026-33416_p2of5.patch
|
||||
# https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
|
||||
Patch15: libpng-1.6-CVE-2026-33416_p3of5.patch
|
||||
# https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
|
||||
Patch16: libpng-1.6-CVE-2026-33416_p4of5.patch
|
||||
# regression fix for 7ea9eea8 (part 3)
|
||||
# https://github.com/pnggroup/libpng/commit/d4c4e49eb5c8981075ec2cd946428758c0cda6ac
|
||||
Patch17: libpng-1.6-CVE-2026-33416_p5of5.patch
|
||||
Patch9: libpng-1.6-cve-2026-25646.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: make
|
||||
|
||||
%description
|
||||
The libpng package contains a library of functions for creating and
|
||||
@ -65,9 +52,8 @@ files.
|
||||
|
||||
%package devel
|
||||
Summary: Development tools for programs to manipulate PNG image format files
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: zlib-devel%{?_isa} pkgconfig%{?_isa}
|
||||
Requires: zlib-devel%{?_isa} pkgconfig
|
||||
|
||||
%description devel
|
||||
The libpng-devel package contains header files and documentation necessary
|
||||
@ -79,7 +65,6 @@ the libpng package.
|
||||
|
||||
%package static
|
||||
Summary: Static PNG image format file library
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description static
|
||||
@ -89,7 +74,6 @@ necessary for some boot packages.
|
||||
|
||||
%package tools
|
||||
Summary: Tools for PNG image format file library
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description tools
|
||||
@ -102,36 +86,28 @@ cp -p %{SOURCE1} .
|
||||
|
||||
%patch -P 0 -p1
|
||||
%patch -P 1 -p1 -b .arm
|
||||
%patch -P 2 -p1 -b .CVE-2018-13785
|
||||
%patch -P 3 -p1 -b .coverity
|
||||
%patch -P 4 -p1 -b .CVE-2025-64720
|
||||
%patch -P 5 -p1 -b .CVE-2025-65018_p1of2
|
||||
%patch -P 6 -p1 -b .CVE-2025-65018_p2of2
|
||||
%patch -P 7 -p1 -b .CVE-2025-66293_p1of2
|
||||
%patch -P 8 -p1 -b .CVE-2025-66293_p2of2
|
||||
%patch -P 9 -p1 -b .cve-2026-22695
|
||||
%patch -P 10 -p1 -b .cve-2026-22801
|
||||
%patch -P 11 -p1 -b .cve-2026-25646
|
||||
%patch -P 13 -p1 -b .CVE-2026-33416_p1of5
|
||||
%patch -P 14 -p1 -b .CVE-2026-33416_p2of5
|
||||
%patch -P 15 -p1 -b .CVE-2026-33416_p3of5
|
||||
%patch -P 16 -p1 -b .CVE-2026-33416_p4of5
|
||||
%patch -P 17 -p1 -b .CVE-2026-33416_p5of5
|
||||
%patch -P 2 -p1 -b .CVE-2025-64720
|
||||
%patch -P 3 -p1 -b .CVE-2025-65018_p1of2
|
||||
%patch -P 4 -p1 -b .CVE-2025-65018_p2of2
|
||||
%patch -P 5 -p1 -b .CVE-2025-66293_p1of2
|
||||
%patch -P 6 -p1 -b .CVE-2025-66293_p2of2
|
||||
%patch -P 7 -p1 -b .cve-2026-22695
|
||||
%patch -P 8 -p1 -b .cve-2026-22801
|
||||
%patch -P 9 -p1 -b .cve-2026-25646
|
||||
|
||||
%build
|
||||
autoreconf -vif
|
||||
%configure
|
||||
make %{?_smp_mflags} DFA_XTRA=pngusr.dfa
|
||||
%make_build DFA_XTRA=pngusr.dfa
|
||||
|
||||
%install
|
||||
make DESTDIR=$RPM_BUILD_ROOT install
|
||||
%make_install
|
||||
|
||||
# We don't ship .la files.
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
|
||||
%if 0%{?with_check}
|
||||
%check
|
||||
#to run make check use "--with check"
|
||||
%if %{?_with_check:1}%{!?_with_check:0}
|
||||
make check
|
||||
%endif
|
||||
|
||||
@ -158,33 +134,77 @@ make check
|
||||
%{_bindir}/pngfix
|
||||
|
||||
%changelog
|
||||
* Wed May 13 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-11
|
||||
- fix CVE-2026-33416: use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE (RHEL-161344)
|
||||
* Tue Mar 03 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-15
|
||||
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)
|
||||
|
||||
* Thu Mar 05 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-10
|
||||
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338)
|
||||
- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852)
|
||||
- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659)
|
||||
* Thu Feb 19 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-14
|
||||
- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356)
|
||||
- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000)
|
||||
|
||||
* Tue Dec 16 2025 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-9
|
||||
- CVE-2025-64720: buffer overflow (RHEL-131452)
|
||||
- CVE-2025-65018: heap buffer overflow (RHEL-131465)
|
||||
- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133226)
|
||||
* Wed Jan 21 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-13
|
||||
- CVE-2025-64720: buffer overflow (RHEL-131594)
|
||||
- CVE-2025-65018: heap buffer overflow (RHEL-131603)
|
||||
- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133294)
|
||||
|
||||
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-8
|
||||
- Remove redundant fix for CVE-2017-12652
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-12
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Tue Nov 26 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-7
|
||||
- Add upstream test suite and enable it in gating
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-11
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Fri Nov 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
|
||||
- Fix CVE-2017-12652 (#1744871)
|
||||
* Wed Mar 24 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-10
|
||||
- Remove the aarch64 test workaround, the patches causing the failures
|
||||
have been dropped in zlib-1.2.11-25
|
||||
|
||||
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-5
|
||||
- Fix important Covscan defects (#1602588)
|
||||
* Thu Feb 11 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-9
|
||||
- Run %check by default
|
||||
|
||||
* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
|
||||
- Fix CVE-2018-13785 (#1599952)
|
||||
* Fri Feb 05 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-8
|
||||
- Use proper pngtest.png reference image on aarch64
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Nov 02 2020 Nikola Forró <nforro@redhat.com> - 2:1.6.37-6
|
||||
- Remove libpng-devel dependency on arch-specific pkgconfig (#1893523)
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2:1.6.37-4
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Wed May 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.37-1
|
||||
- New upstream release 1.6.37
|
||||
|
||||
* Wed Feb 27 2019 Debarshi Ray <rishi@fedoraproject.org> - 2:1.6.36-1
|
||||
- New upstream release 1.6.36
|
||||
|
||||
* Fri Feb 08 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.35-3
|
||||
- Fix CVE-2019-7317 (#1672411)
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.35-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Wed Oct 10 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.35-1
|
||||
- New upstream release 1.6.35 (#1552349)
|
||||
|
||||
* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
|
||||
- Fix CVE-2018-13785 (#1599944)
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
|
||||
- Add missing gcc build dependency
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
Loading…
Reference in New Issue
Block a user