Compare commits

..

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

10 changed files with 99 additions and 435 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libpng-1.6.34.tar.xz SOURCES/libpng-1.6.37.tar.gz

View File

@ -1 +1 @@
45de4ec996ffcc3e18037e7c128abe95f4d0292a SOURCES/libpng-1.6.34.tar.xz 1aac0e12aa5b583f736fb6692f47dff7a3efa78b SOURCES/libpng-1.6.37.tar.gz

View File

@ -1,103 +0,0 @@
diff --git a/pngread.c b/pngread.c
index 01b731d8eb..0086edf6cf 100644
--- a/pngread.c
+++ b/pngread.c
@@ -788,12 +788,11 @@ png_read_destroy(png_structrp png_ptr)
#if defined(PNG_tRNS_SUPPORTED) || \
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
- {
- png_free(png_ptr, png_ptr->trans_alpha);
- png_ptr->trans_alpha = NULL;
- }
- png_ptr->free_me &= ~PNG_FREE_TRNS;
+ /* png_ptr->trans_alpha is always independently allocated (not aliased
+ * with info_ptr->trans_alpha), so free it unconditionally.
+ */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
#endif
inflateEnd(&png_ptr->zstream);
diff --git a/pngrutil.c b/pngrutil.c
index 366379b991..a19507bf1b 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1772,10 +1772,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
return;
}
- /* TODO: this is a horrible side effect in the palette case because the
- * png_struct ends up with a pointer to the tRNS buffer owned by the
- * png_info. Fix this.
- */
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
&(png_ptr->trans_color));
}
diff --git a/pngset.c b/pngset.c
index 4b78b8960c..47883684e4 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1002,25 +1002,33 @@
if (trans_alpha != NULL)
{
- /* It may not actually be necessary to set png_ptr->trans_alpha here;
- * we do it for backward compatibility with the way the png_handle_tRNS
- * function used to do the allocation.
- *
- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
- * relies on png_set_tRNS storing the information in png_struct
- * (otherwise it won't be there for the code in pngrtran.c).
- */
-
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
{
- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
+ /* Allocate info_ptr's copy of the transparency data. */
info_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
+
+ /* Allocate an independent copy for png_struct, so that the
+ * lifetime of png_ptr->trans_alpha is decoupled from the
+ * lifetime of info_ptr->trans_alpha. Previously these two
+ * pointers were aliased, which caused a use-after-free if
+ * png_free_data freed info_ptr->trans_alpha while
+ * png_ptr->trans_alpha was still in use by the row transform
+ * functions (e.g. png_do_expand_palette).
+ */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = png_voidcast(png_bytep,
+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
+ }
+ else
+ {
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
}
- png_ptr->trans_alpha = info_ptr->trans_alpha;
}
if (trans_color != NULL)
diff --git a/pngwrite.c b/pngwrite.c
index 5fc77d91f7..84af1e73fb 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -1010,6 +1010,12 @@ png_write_destroy(png_structrp png_ptr)
png_ptr->chunk_list = NULL;
#endif
+#if defined(PNG_tRNS_SUPPORTED)
+ /* Free the independent copy of trans_alpha owned by png_struct. */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
+#endif
+
/* The error handling and memory handling information is left intact at this
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
* for how this happens.

View File

@ -1,27 +0,0 @@
diff --git a/pngset.c b/pngset.c
index 47883684e4..dccc6498d7 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1006,9 +1006,13 @@
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
{
- /* Allocate info_ptr's copy of the transparency data. */
+ /* Allocate info_ptr's copy of the transparency data.
+ * Initialize all entries to fully opaque (0xff), then overwrite
+ * the first num_trans entries with the actual values.
+ */
info_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
/* Allocate an independent copy for png_struct, so that the
@@ -1024,6 +1028,7 @@
png_free(png_ptr, png_ptr->trans_alpha);
png_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
}
else

View File

@ -1,122 +0,0 @@
diff -up libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngread.c
--- libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.486981492 +0200
+++ libpng-1.6.40/pngread.c 2026-05-13 17:57:13.493075382 +0200
@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr)
png_ptr->quantize_index = NULL;
#endif
- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
- {
- png_zfree(png_ptr, png_ptr->palette);
- png_ptr->palette = NULL;
- }
- png_ptr->free_me &= ~PNG_FREE_PLTE;
+ /* png_ptr->palette is always independently allocated (not aliased
+ * with info_ptr->palette), so free it unconditionally.
+ */
+ png_free(png_ptr, png_ptr->palette);
+ png_ptr->palette = NULL;
#if defined(PNG_tRNS_SUPPORTED) || \
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
diff -up libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrtran.c
--- libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.483146844 +0200
+++ libpng-1.6.40/pngrtran.c 2026-05-13 17:57:13.493827754 +0200
@@ -745,7 +745,13 @@ png_set_quantize(png_structrp png_ptr, p
}
if (png_ptr->palette == NULL)
{
- png_ptr->palette = palette;
+ /* Allocate an owned copy rather than aliasing the caller's pointer,
+ * so that png_read_destroy can free png_ptr->palette unconditionally.
+ */
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
+ (sizeof (png_color)));
}
png_ptr->num_palette = (png_uint_16)num_palette;
diff -up libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrutil.c
--- libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.487752910 +0200
+++ libpng-1.6.40/pngrutil.c 2026-05-13 18:02:45.747406991 +0200
@@ -1048,14 +1048,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
}
#endif
- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
- * own copy of the palette. This has the side effect that when png_start_row
- * is called (this happens after any call to png_read_update_info) the
- * info_ptr palette gets changed. This is extremely unexpected and
- * confusing.
- *
- * Fix this by not sharing the palette in this way.
- */
png_set_PLTE(png_ptr, info_ptr, palette, num);
/* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
diff -up libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngset.c
--- libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.490982521 +0200
+++ libpng-1.6.40/pngset.c 2026-05-13 17:57:13.495080620 +0200
@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i
png_error(png_ptr, "Invalid palette");
}
- /* It may not actually be necessary to set png_ptr->palette here;
- * we do it for backward compatibility with the way the png_handle_tRNS
- * function used to do the allocation.
- *
- * 1.6.0: the above statement appears to be incorrect; something has to set
- * the palette inside png_struct on read.
- */
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
* of num_palette entries, in case of an invalid PNG file or incorrect
* call to png_set_PLTE() with too-large sample values.
+ *
+ * Allocate independent buffers for info_ptr and png_ptr so that the
+ * lifetime of png_ptr->palette is decoupled from the lifetime of
+ * info_ptr->palette. Previously, these two pointers were aliased,
+ * which caused a use-after-free vulnerability if png_free_data freed
+ * info_ptr->palette while png_ptr->palette was still in use by the
+ * row transform functions (e.g. png_do_expand_palette).
+ *
+ * Both buffers are allocated with png_calloc to zero-fill, because
+ * the ARM NEON palette riffle reads all 256 entries unconditionally,
+ * regardless of num_palette.
*/
+ png_free(png_ptr, png_ptr->palette);
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
if (num_palette > 0)
+ {
+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
+ (sizeof (png_color)));
memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
(sizeof (png_color)));
+ }
- info_ptr->palette = png_ptr->palette;
- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
info_ptr->free_me |= PNG_FREE_PLTE;
info_ptr->valid |= PNG_INFO_PLTE;
diff -up libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngwrite.c
--- libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.488545337 +0200
+++ libpng-1.6.40/pngwrite.c 2026-05-13 17:57:13.495368957 +0200
@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr)
png_ptr->trans_alpha = NULL;
#endif
+ /* Free the independent copy of the palette owned by png_struct. */
+ png_free(png_ptr, png_ptr->palette);
+ png_ptr->palette = NULL;
+
/* The error handling and memory handling information is left intact at this
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
* for how this happens.

View File

@ -1,26 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index fd736ab672..978dac5888 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -2070,6 +2070,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
{
png_debug(1, "in png_read_transform_info");
+ if (png_ptr->transformations != 0)
+ {
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
+ {
+ /* Sync info_ptr->palette with png_ptr->palette.
+ * The function png_init_read_transformations may have modified
+ * png_ptr->palette in place (e.g. for gamma correction or for
+ * background compositing).
+ */
+ memcpy(info_ptr->palette, png_ptr->palette,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
+ }
+ }
+
#ifdef PNG_READ_EXPAND_SUPPORTED
if ((png_ptr->transformations & PNG_EXPAND) != 0)
{

View File

@ -1,32 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index 1b04cafa56..0ac8df749e 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -2070,19 +2070,15 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
{
png_debug(1, "in png_read_transform_info");
- if (png_ptr->transformations != 0)
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
{
- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
- info_ptr->palette != NULL && png_ptr->palette != NULL)
- {
- /* Sync info_ptr->palette with png_ptr->palette.
- * The function png_init_read_transformations may have modified
- * png_ptr->palette in place (e.g. for gamma correction or for
- * background compositing).
- */
- memcpy(info_ptr->palette, png_ptr->palette,
- PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
- }
+ /* Sync info_ptr->palette with png_ptr->palette, which may
+ * have been modified by png_init_read_transformations
+ * (e.g. for gamma correction or background compositing).
+ */
+ memcpy(info_ptr->palette, png_ptr->palette,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
}
#ifdef PNG_READ_EXPAND_SUPPORTED

View File

@ -1,34 +0,0 @@
From 9821583a771bfe2c75b7449d8ff83cb348291b3f Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Sun, 17 Jun 2018 22:56:29 -0400
Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
(Bug report by Thuan Pham, SourceForge issue #278)
---
pngrutil.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/pngrutil.c b/pngrutil.c
index 8692933..eab2973 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -3149,10 +3149,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
{
png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
size_t row_factor =
- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
- + 1 + (png_ptr->interlaced? 6: 0));
+ (size_t)png_ptr->width
+ * (size_t)png_ptr->channels
+ * (png_ptr->bit_depth > 8? 2: 1)
+ + 1
+ + (png_ptr->interlaced? 6: 0);
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
- idat_limit=PNG_UINT_31_MAX;
+ idat_limit = PNG_UINT_31_MAX;
else
idat_limit = png_ptr->height * row_factor;
row_factor = row_factor > 32566? 32566 : row_factor;
--
2.17.1

View File

@ -1,12 +0,0 @@
diff --git a/libpng-config.in b/libpng-config.in
index 3739eb9..7f6b2cc 100644
--- a/libpng-config.in
+++ b/libpng-config.in
@@ -13,7 +13,6 @@
version=`pkg-config --modversion libpng`
prefix=`pkg-config --variable prefix libpng`
-exec_prefix=`pkg-config --variable exec_prefix libpng`
libdir=`pkg-config --variable libdir libpng`
includedir=`pkg-config --variable includedir libpng`
libs="-lpng@PNGLIB_MAJOR@@PNGLIB_MINOR@"

View File

@ -1,57 +1,44 @@
%bcond_without check
Summary: A library of functions for manipulating PNG image format files Summary: A library of functions for manipulating PNG image format files
Name: libpng Name: libpng
Epoch: 2 Epoch: 2
Version: 1.6.34 Version: 1.6.37
Release: 11%{?dist} Release: 15%{?dist}
License: zlib License: zlib
Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/ URL: http://www.libpng.org/pub/png/
# Note: non-current tarballs get moved to the history/ subdirectory, Source0: https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# so look there if you fail to retrieve the version you want
Source0: https://ftp-osl.osuosl.org/pub/libpng/src/libpng16/libpng-%{version}.tar.xz
Source1: pngusr.dfa Source1: pngusr.dfa
Patch0: libpng-multilib.patch Patch0: libpng-multilib.patch
Patch1: libpng-fix-arm-neon.patch Patch1: libpng-fix-arm-neon.patch
Patch2: libpng-CVE-2018-13785.patch # from upstream, for <1.6.51, RHEL-131594
Patch3: libpng-coverity.patch
# from upstream, for <1.6.51, RHEL-131422
# https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 # https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
Patch4: libpng-1.6-CVE-2025-64720.patch Patch2: libpng-1.6-CVE-2025-64720.patch
# from upstream, for <1.6.51, RHEL-131435 # from upstream, for <1.6.51, RHEL-131603
# https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d # https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
Patch5: libpng-1.6-CVE-2025-65018_p1of2.patch Patch3: libpng-1.6-CVE-2025-65018_p1of2.patch
# https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea # https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
Patch6: libpng-1.6-CVE-2025-65018_p2of2.patch Patch4: libpng-1.6-CVE-2025-65018_p2of2.patch
# from upstream, for <1.6.52, RHEL-133212 # from upstream, for <1.6.52, RHEL-133294
# https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 # https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
Patch7: libpng-1.6-CVE-2025-66293_p1of2.patch Patch5: libpng-1.6-CVE-2025-66293_p1of2.patch
# https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a # https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
Patch8: libpng-1.6-CVE-2025-66293_p2of2.patch Patch6: libpng-1.6-CVE-2025-66293_p2of2.patch
# from upstream, for <1.6.54, RHEL-148852 # from upstream, for <1.6.54, RHEL-147356
# https://github.com/pnggroup/libpng/commit/e4f7ad4ea2 # https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
Patch9: libpng-1.6-cve-2026-22695.patch Patch7: libpng-1.6-cve-2026-22695.patch
# from upstream, for <1.6.54, RHEL-146659 # from upstream, for <1.6.54, RHEL-149000
# https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072 # https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
Patch10: libpng-1.6-cve-2026-22801.patch Patch8: libpng-1.6-cve-2026-22801.patch
# from upstream, for <1.6.55, RHEL-148338 # from upstream, for <1.6.55, RHEL-148328
# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 # https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Patch11: libpng-1.6-cve-2026-25646.patch Patch9: libpng-1.6-cve-2026-25646.patch
# from upstream, for <1.6.56 (fix), for <1.6.58 (regression fix), RHEL-161436
# https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
Patch13: libpng-1.6-CVE-2026-33416_p1of5.patch
# https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
Patch14: libpng-1.6-CVE-2026-33416_p2of5.patch
# https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
Patch15: libpng-1.6-CVE-2026-33416_p3of5.patch
# https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
Patch16: libpng-1.6-CVE-2026-33416_p4of5.patch
# regression fix for 7ea9eea8 (part 3)
# https://github.com/pnggroup/libpng/commit/d4c4e49eb5c8981075ec2cd946428758c0cda6ac
Patch17: libpng-1.6-CVE-2026-33416_p5of5.patch
BuildRequires: gcc
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: make
%description %description
The libpng package contains a library of functions for creating and The libpng package contains a library of functions for creating and
@ -65,9 +52,8 @@ files.
%package devel %package devel
Summary: Development tools for programs to manipulate PNG image format files Summary: Development tools for programs to manipulate PNG image format files
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: zlib-devel%{?_isa} pkgconfig%{?_isa} Requires: zlib-devel%{?_isa} pkgconfig
%description devel %description devel
The libpng-devel package contains header files and documentation necessary The libpng-devel package contains header files and documentation necessary
@ -79,7 +65,6 @@ the libpng package.
%package static %package static
Summary: Static PNG image format file library Summary: Static PNG image format file library
Group: Development/Libraries
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
%description static %description static
@ -89,7 +74,6 @@ necessary for some boot packages.
%package tools %package tools
Summary: Tools for PNG image format file library Summary: Tools for PNG image format file library
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description tools %description tools
@ -102,36 +86,28 @@ cp -p %{SOURCE1} .
%patch -P 0 -p1 %patch -P 0 -p1
%patch -P 1 -p1 -b .arm %patch -P 1 -p1 -b .arm
%patch -P 2 -p1 -b .CVE-2018-13785 %patch -P 2 -p1 -b .CVE-2025-64720
%patch -P 3 -p1 -b .coverity %patch -P 3 -p1 -b .CVE-2025-65018_p1of2
%patch -P 4 -p1 -b .CVE-2025-64720 %patch -P 4 -p1 -b .CVE-2025-65018_p2of2
%patch -P 5 -p1 -b .CVE-2025-65018_p1of2 %patch -P 5 -p1 -b .CVE-2025-66293_p1of2
%patch -P 6 -p1 -b .CVE-2025-65018_p2of2 %patch -P 6 -p1 -b .CVE-2025-66293_p2of2
%patch -P 7 -p1 -b .CVE-2025-66293_p1of2 %patch -P 7 -p1 -b .cve-2026-22695
%patch -P 8 -p1 -b .CVE-2025-66293_p2of2 %patch -P 8 -p1 -b .cve-2026-22801
%patch -P 9 -p1 -b .cve-2026-22695 %patch -P 9 -p1 -b .cve-2026-25646
%patch -P 10 -p1 -b .cve-2026-22801
%patch -P 11 -p1 -b .cve-2026-25646
%patch -P 13 -p1 -b .CVE-2026-33416_p1of5
%patch -P 14 -p1 -b .CVE-2026-33416_p2of5
%patch -P 15 -p1 -b .CVE-2026-33416_p3of5
%patch -P 16 -p1 -b .CVE-2026-33416_p4of5
%patch -P 17 -p1 -b .CVE-2026-33416_p5of5
%build %build
autoreconf -vif autoreconf -vif
%configure %configure
make %{?_smp_mflags} DFA_XTRA=pngusr.dfa %make_build DFA_XTRA=pngusr.dfa
%install %install
make DESTDIR=$RPM_BUILD_ROOT install %make_install
# We don't ship .la files. # We don't ship .la files.
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%if 0%{?with_check}
%check %check
#to run make check use "--with check"
%if %{?_with_check:1}%{!?_with_check:0}
make check make check
%endif %endif
@ -158,33 +134,77 @@ make check
%{_bindir}/pngfix %{_bindir}/pngfix
%changelog %changelog
* Wed May 13 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-11 * Tue Mar 03 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-15
- fix CVE-2026-33416: use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE (RHEL-161344) - fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)
* Thu Mar 05 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-10 * Thu Feb 19 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-14
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338) - fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356)
- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852) - fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000)
- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659)
* Tue Dec 16 2025 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-9 * Wed Jan 21 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-13
- CVE-2025-64720: buffer overflow (RHEL-131452) - CVE-2025-64720: buffer overflow (RHEL-131594)
- CVE-2025-65018: heap buffer overflow (RHEL-131465) - CVE-2025-65018: heap buffer overflow (RHEL-131603)
- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133226) - CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133294)
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-8 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-12
- Remove redundant fix for CVE-2017-12652 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Nov 26 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-7 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-11
- Add upstream test suite and enable it in gating - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Nov 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6 * Wed Mar 24 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-10
- Fix CVE-2017-12652 (#1744871) - Remove the aarch64 test workaround, the patches causing the failures
have been dropped in zlib-1.2.11-25
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-5 * Thu Feb 11 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-9
- Fix important Covscan defects (#1602588) - Run %check by default
* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4 * Fri Feb 05 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-8
- Fix CVE-2018-13785 (#1599952) - Use proper pngtest.png reference image on aarch64
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 02 2020 Nikola Forró <nforro@redhat.com> - 2:1.6.37-6
- Remove libpng-devel dependency on arch-specific pkgconfig (#1893523)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2:1.6.37-4
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed May 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.37-1
- New upstream release 1.6.37
* Wed Feb 27 2019 Debarshi Ray <rishi@fedoraproject.org> - 2:1.6.36-1
- New upstream release 1.6.36
* Fri Feb 08 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.35-3
- Fix CVE-2019-7317 (#1672411)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.35-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 10 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.35-1
- New upstream release 1.6.35 (#1552349)
* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
- Fix CVE-2018-13785 (#1599944)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
- Add missing gcc build dependency
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-3 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild