.gitignore

@@ -1 +1 @@
-SOURCES/libpng-1.6.34.tar.xz
+SOURCES/libpng-1.6.37.tar.gz

.libpng.metadata

@@ -1 +1 @@
-45de4ec996ffcc3e18037e7c128abe95f4d0292a SOURCES/libpng-1.6.34.tar.xz
+1aac0e12aa5b583f736fb6692f47dff7a3efa78b SOURCES/libpng-1.6.37.tar.gz

SOURCES/libpng-CVE-2018-13785.patch

@@ -1,34 +0,0 @@
-From 9821583a771bfe2c75b7449d8ff83cb348291b3f Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Sun, 17 Jun 2018 22:56:29 -0400
-Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
-
-(Bug report by Thuan Pham, SourceForge issue #278)
----
- pngrutil.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/pngrutil.c b/pngrutil.c
-index 8692933..eab2973 100644
---- a/pngrutil.c
-+++ b/pngrutil.c
-@@ -3149,10 +3149,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
-    {
-       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
-       size_t row_factor =
--         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
--          + 1 + (png_ptr->interlaced? 6: 0));
-+         (size_t)png_ptr->width
-+         * (size_t)png_ptr->channels
-+         * (png_ptr->bit_depth > 8? 2: 1)
-+         + 1
-+         + (png_ptr->interlaced? 6: 0);
-       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
--         idat_limit=PNG_UINT_31_MAX;
-+         idat_limit = PNG_UINT_31_MAX;
-       else
-          idat_limit = png_ptr->height * row_factor;
-       row_factor = row_factor > 32566? 32566 : row_factor;
--- 
-2.17.1
-

SOURCES/libpng-coverity.patch

@@ -1,12 +0,0 @@
-diff --git a/libpng-config.in b/libpng-config.in
-index 3739eb9..7f6b2cc 100644
---- a/libpng-config.in
-+++ b/libpng-config.in
-@@ -13,7 +13,6 @@
- 
- version=`pkg-config --modversion libpng`
- prefix=`pkg-config --variable prefix libpng`
--exec_prefix=`pkg-config --variable exec_prefix libpng`
- libdir=`pkg-config --variable libdir libpng`
- includedir=`pkg-config --variable includedir libpng`
- libs="-lpng@PNGLIB_MAJOR@@PNGLIB_MINOR@"

SPECS/libpng.spec

@@ -1,45 +1,44 @@
+%bcond_without check
+
 Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
-Version:       1.6.34
-Release:       10%{?dist}
+Version:       1.6.37
+Release:       15%{?dist}
 License:       zlib
-Group:         System Environment/Libraries
 URL:           http://www.libpng.org/pub/png/
 
-# Note: non-current tarballs get moved to the history/ subdirectory,
-# so look there if you fail to retrieve the version you want
-Source0:       https://ftp-osl.osuosl.org/pub/libpng/src/libpng16/libpng-%{version}.tar.xz
+Source0:       https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:       pngusr.dfa
 Patch0:        libpng-multilib.patch
 Patch1:        libpng-fix-arm-neon.patch
-Patch2:        libpng-CVE-2018-13785.patch
-Patch3:        libpng-coverity.patch
-# from upstream, for <1.6.51, RHEL-131422
+# from upstream, for <1.6.51, RHEL-131594
 # https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
-Patch4:        libpng-1.6-CVE-2025-64720.patch
-# from upstream, for <1.6.51, RHEL-131435
+Patch2:        libpng-1.6-CVE-2025-64720.patch
+# from upstream, for <1.6.51, RHEL-131603
 # https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
-Patch5:        libpng-1.6-CVE-2025-65018_p1of2.patch
+Patch3:        libpng-1.6-CVE-2025-65018_p1of2.patch
 # https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
-Patch6:        libpng-1.6-CVE-2025-65018_p2of2.patch
-# from upstream, for <1.6.52, RHEL-133212
+Patch4:        libpng-1.6-CVE-2025-65018_p2of2.patch
+# from upstream, for <1.6.52, RHEL-133294
 # https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
-Patch7:        libpng-1.6-CVE-2025-66293_p1of2.patch
+Patch5:        libpng-1.6-CVE-2025-66293_p1of2.patch
 # https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
-Patch8:        libpng-1.6-CVE-2025-66293_p2of2.patch
-# from upstream, for <1.6.54, RHEL-148852
+Patch6:        libpng-1.6-CVE-2025-66293_p2of2.patch
+# from upstream, for <1.6.54, RHEL-147356
 # https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
-Patch9:        libpng-1.6-cve-2026-22695.patch
-# from upstream, for <1.6.54, RHEL-146659
+Patch7:        libpng-1.6-cve-2026-22695.patch
+# from upstream, for <1.6.54, RHEL-149000
 # https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
-Patch10:       libpng-1.6-cve-2026-22801.patch
-# from upstream, for <1.6.55, RHEL-148338
+Patch8:        libpng-1.6-cve-2026-22801.patch
+# from upstream, for <1.6.55, RHEL-148328
 # https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
-Patch11:       libpng-1.6-cve-2026-25646.patch
+Patch9:        libpng-1.6-cve-2026-25646.patch
 
+BuildRequires: gcc
 BuildRequires: zlib-devel
 BuildRequires: autoconf automake libtool
+BuildRequires: make
 
 %description
 The libpng package contains a library of functions for creating and
@@ -53,9 +52,8 @@ files.
 
 %package devel
 Summary:       Development tools for programs to manipulate PNG image format files
-Group:         Development/Libraries
 Requires:      %{name}%{?_isa} = %{epoch}:%{version}-%{release}
-Requires:      zlib-devel%{?_isa} pkgconfig%{?_isa}
+Requires:      zlib-devel%{?_isa} pkgconfig
 
 %description devel
 The libpng-devel package contains header files and documentation necessary
@@ -67,7 +65,6 @@ the libpng package.
 
 %package static
 Summary:       Static PNG image format file library
-Group:         Development/Libraries
 Requires:      %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description static
@@ -77,7 +74,6 @@ necessary for some boot packages.
 
 %package tools
 Summary:       Tools for PNG image format file library
-Group:         Development/Libraries
 Requires:      %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description tools
@@ -90,31 +86,28 @@ cp -p %{SOURCE1} .
 
 %patch -P 0 -p1
 %patch -P 1 -p1 -b .arm
-%patch -P 2 -p1 -b .CVE-2018-13785
-%patch -P 3 -p1 -b .coverity
-%patch -P 4 -p1 -b .CVE-2025-64720
-%patch -P 5 -p1 -b .CVE-2025-65018_p1of2
-%patch -P 6 -p1 -b .CVE-2025-65018_p2of2
-%patch -P 7 -p1 -b .CVE-2025-66293_p1of2
-%patch -P 8 -p1 -b .CVE-2025-66293_p2of2
-%patch -P 9 -p1 -b .cve-2026-22695
-%patch -P 10 -p1 -b .cve-2026-22801
-%patch -P 11 -p1 -b .cve-2026-25646
+%patch -P 2 -p1 -b .CVE-2025-64720
+%patch -P 3 -p1 -b .CVE-2025-65018_p1of2
+%patch -P 4 -p1 -b .CVE-2025-65018_p2of2
+%patch -P 5 -p1 -b .CVE-2025-66293_p1of2
+%patch -P 6 -p1 -b .CVE-2025-66293_p2of2
+%patch -P 7 -p1 -b .cve-2026-22695
+%patch -P 8 -p1 -b .cve-2026-22801
+%patch -P 9 -p1 -b .cve-2026-25646
 
 %build
 autoreconf -vif
 %configure
-make %{?_smp_mflags} DFA_XTRA=pngusr.dfa
+%make_build DFA_XTRA=pngusr.dfa
 
 %install
-make DESTDIR=$RPM_BUILD_ROOT install
+%make_install
 
 # We don't ship .la files.
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 
+%if 0%{?with_check}
 %check
-#to run make check use "--with check"
-%if %{?_with_check:1}%{!?_with_check:0}
 make check
 %endif
 
@@ -141,30 +134,77 @@ make check
 %{_bindir}/pngfix
 
 %changelog
-* Thu Mar 05 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-10
-- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338)
-- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852)
-- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659)
+* Tue Mar 03 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-15
+- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)
 
-* Tue Dec 16 2025 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-9
-- CVE-2025-64720: buffer overflow (RHEL-131452)
-- CVE-2025-65018: heap buffer overflow (RHEL-131465)
-- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133226)
+* Thu Feb 19 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-14
+- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356)
+- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000)
 
-* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-8
-- Remove redundant fix for CVE-2017-12652
+* Wed Jan 21 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-13
+- CVE-2025-64720: buffer overflow (RHEL-131594)
+- CVE-2025-65018: heap buffer overflow (RHEL-131603)
+- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133294)
 
-* Tue Nov 26 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-7
-- Add upstream test suite and enable it in gating
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-12
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Fri Nov 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
-- Fix CVE-2017-12652 (#1744871)
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-11
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-5
-- Fix important Covscan defects (#1602588)
+* Wed Mar 24 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-10
+- Remove the aarch64 test workaround, the patches causing the failures
+  have been dropped in zlib-1.2.11-25
 
-* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
-- Fix CVE-2018-13785 (#1599952)
+* Thu Feb 11 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-9
+- Run %check by default
+
+* Fri Feb 05 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-8
+- Use proper pngtest.png reference image on aarch64
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 02 2020 Nikola Forró <nforro@redhat.com> - 2:1.6.37-6
+- Remove libpng-devel dependency on arch-specific pkgconfig (#1893523)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2:1.6.37-4
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.37-1
+- New upstream release 1.6.37
+
+* Wed Feb 27 2019 Debarshi Ray <rishi@fedoraproject.org> - 2:1.6.36-1
+- New upstream release 1.6.36
+
+* Fri Feb 08 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.35-3
+- Fix CVE-2019-7317 (#1672411)
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.35-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Oct 10 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.35-1
+- New upstream release 1.6.35 (#1552349)
+
+* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
+- Fix CVE-2018-13785 (#1599944)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
+- Add missing gcc build dependency
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild