Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/libpng-1.6.34.tar.xz
|
SOURCES/libpng-1.6.37.tar.gz
|
||||||
|
|||||||
@ -1 +1 @@
|
|||||||
45de4ec996ffcc3e18037e7c128abe95f4d0292a SOURCES/libpng-1.6.34.tar.xz
|
1aac0e12aa5b583f736fb6692f47dff7a3efa78b SOURCES/libpng-1.6.37.tar.gz
|
||||||
|
|||||||
@ -1,103 +0,0 @@
|
|||||||
diff --git a/pngread.c b/pngread.c
|
|
||||||
index 01b731d8eb..0086edf6cf 100644
|
|
||||||
--- a/pngread.c
|
|
||||||
+++ b/pngread.c
|
|
||||||
@@ -788,12 +788,11 @@ png_read_destroy(png_structrp png_ptr)
|
|
||||||
|
|
||||||
#if defined(PNG_tRNS_SUPPORTED) || \
|
|
||||||
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
|
|
||||||
- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
|
|
||||||
- {
|
|
||||||
- png_free(png_ptr, png_ptr->trans_alpha);
|
|
||||||
- png_ptr->trans_alpha = NULL;
|
|
||||||
- }
|
|
||||||
- png_ptr->free_me &= ~PNG_FREE_TRNS;
|
|
||||||
+ /* png_ptr->trans_alpha is always independently allocated (not aliased
|
|
||||||
+ * with info_ptr->trans_alpha), so free it unconditionally.
|
|
||||||
+ */
|
|
||||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
|
||||||
+ png_ptr->trans_alpha = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
inflateEnd(&png_ptr->zstream);
|
|
||||||
diff --git a/pngrutil.c b/pngrutil.c
|
|
||||||
index 366379b991..a19507bf1b 100644
|
|
||||||
--- a/pngrutil.c
|
|
||||||
+++ b/pngrutil.c
|
|
||||||
@@ -1772,10 +1772,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* TODO: this is a horrible side effect in the palette case because the
|
|
||||||
- * png_struct ends up with a pointer to the tRNS buffer owned by the
|
|
||||||
- * png_info. Fix this.
|
|
||||||
- */
|
|
||||||
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
|
|
||||||
&(png_ptr->trans_color));
|
|
||||||
}
|
|
||||||
diff --git a/pngset.c b/pngset.c
|
|
||||||
index 4b78b8960c..47883684e4 100644
|
|
||||||
--- a/pngset.c
|
|
||||||
+++ b/pngset.c
|
|
||||||
@@ -1002,25 +1002,33 @@
|
|
||||||
|
|
||||||
if (trans_alpha != NULL)
|
|
||||||
{
|
|
||||||
- /* It may not actually be necessary to set png_ptr->trans_alpha here;
|
|
||||||
- * we do it for backward compatibility with the way the png_handle_tRNS
|
|
||||||
- * function used to do the allocation.
|
|
||||||
- *
|
|
||||||
- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
|
|
||||||
- * relies on png_set_tRNS storing the information in png_struct
|
|
||||||
- * (otherwise it won't be there for the code in pngrtran.c).
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
|
|
||||||
|
|
||||||
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
|
|
||||||
{
|
|
||||||
- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
|
|
||||||
+ /* Allocate info_ptr's copy of the transparency data. */
|
|
||||||
info_ptr->trans_alpha = png_voidcast(png_bytep,
|
|
||||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
|
||||||
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
|
||||||
+
|
|
||||||
+ /* Allocate an independent copy for png_struct, so that the
|
|
||||||
+ * lifetime of png_ptr->trans_alpha is decoupled from the
|
|
||||||
+ * lifetime of info_ptr->trans_alpha. Previously these two
|
|
||||||
+ * pointers were aliased, which caused a use-after-free if
|
|
||||||
+ * png_free_data freed info_ptr->trans_alpha while
|
|
||||||
+ * png_ptr->trans_alpha was still in use by the row transform
|
|
||||||
+ * functions (e.g. png_do_expand_palette).
|
|
||||||
+ */
|
|
||||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
|
||||||
+ png_ptr->trans_alpha = png_voidcast(png_bytep,
|
|
||||||
+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
|
||||||
+ memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
|
||||||
+ png_ptr->trans_alpha = NULL;
|
|
||||||
}
|
|
||||||
- png_ptr->trans_alpha = info_ptr->trans_alpha;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (trans_color != NULL)
|
|
||||||
diff --git a/pngwrite.c b/pngwrite.c
|
|
||||||
index 5fc77d91f7..84af1e73fb 100644
|
|
||||||
--- a/pngwrite.c
|
|
||||||
+++ b/pngwrite.c
|
|
||||||
@@ -1010,6 +1010,12 @@ png_write_destroy(png_structrp png_ptr)
|
|
||||||
png_ptr->chunk_list = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#if defined(PNG_tRNS_SUPPORTED)
|
|
||||||
+ /* Free the independent copy of trans_alpha owned by png_struct. */
|
|
||||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
|
||||||
+ png_ptr->trans_alpha = NULL;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* The error handling and memory handling information is left intact at this
|
|
||||||
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
|
|
||||||
* for how this happens.
|
|
||||||
@ -1,27 +0,0 @@
|
|||||||
diff --git a/pngset.c b/pngset.c
|
|
||||||
index 47883684e4..dccc6498d7 100644
|
|
||||||
--- a/pngset.c
|
|
||||||
+++ b/pngset.c
|
|
||||||
@@ -1006,9 +1006,13 @@
|
|
||||||
|
|
||||||
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
|
|
||||||
{
|
|
||||||
- /* Allocate info_ptr's copy of the transparency data. */
|
|
||||||
+ /* Allocate info_ptr's copy of the transparency data.
|
|
||||||
+ * Initialize all entries to fully opaque (0xff), then overwrite
|
|
||||||
+ * the first num_trans entries with the actual values.
|
|
||||||
+ */
|
|
||||||
info_ptr->trans_alpha = png_voidcast(png_bytep,
|
|
||||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
|
||||||
+ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
|
|
||||||
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
|
||||||
|
|
||||||
/* Allocate an independent copy for png_struct, so that the
|
|
||||||
@@ -1024,6 +1028,7 @@
|
|
||||||
png_free(png_ptr, png_ptr->trans_alpha);
|
|
||||||
png_ptr->trans_alpha = png_voidcast(png_bytep,
|
|
||||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
|
||||||
+ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
|
|
||||||
memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
@ -1,122 +0,0 @@
|
|||||||
diff -up libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngread.c
|
|
||||||
--- libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.486981492 +0200
|
|
||||||
+++ libpng-1.6.40/pngread.c 2026-05-13 17:57:13.493075382 +0200
|
|
||||||
@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr)
|
|
||||||
png_ptr->quantize_index = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
|
|
||||||
- {
|
|
||||||
- png_zfree(png_ptr, png_ptr->palette);
|
|
||||||
- png_ptr->palette = NULL;
|
|
||||||
- }
|
|
||||||
- png_ptr->free_me &= ~PNG_FREE_PLTE;
|
|
||||||
+ /* png_ptr->palette is always independently allocated (not aliased
|
|
||||||
+ * with info_ptr->palette), so free it unconditionally.
|
|
||||||
+ */
|
|
||||||
+ png_free(png_ptr, png_ptr->palette);
|
|
||||||
+ png_ptr->palette = NULL;
|
|
||||||
|
|
||||||
#if defined(PNG_tRNS_SUPPORTED) || \
|
|
||||||
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
|
|
||||||
diff -up libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrtran.c
|
|
||||||
--- libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.483146844 +0200
|
|
||||||
+++ libpng-1.6.40/pngrtran.c 2026-05-13 17:57:13.493827754 +0200
|
|
||||||
@@ -745,7 +745,13 @@ png_set_quantize(png_structrp png_ptr, p
|
|
||||||
}
|
|
||||||
if (png_ptr->palette == NULL)
|
|
||||||
{
|
|
||||||
- png_ptr->palette = palette;
|
|
||||||
+ /* Allocate an owned copy rather than aliasing the caller's pointer,
|
|
||||||
+ * so that png_read_destroy can free png_ptr->palette unconditionally.
|
|
||||||
+ */
|
|
||||||
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
|
||||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
|
||||||
+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
|
|
||||||
+ (sizeof (png_color)));
|
|
||||||
}
|
|
||||||
png_ptr->num_palette = (png_uint_16)num_palette;
|
|
||||||
|
|
||||||
diff -up libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrutil.c
|
|
||||||
--- libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.487752910 +0200
|
|
||||||
+++ libpng-1.6.40/pngrutil.c 2026-05-13 18:02:45.747406991 +0200
|
|
||||||
@@ -1048,14 +1048,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
|
|
||||||
- * own copy of the palette. This has the side effect that when png_start_row
|
|
||||||
- * is called (this happens after any call to png_read_update_info) the
|
|
||||||
- * info_ptr palette gets changed. This is extremely unexpected and
|
|
||||||
- * confusing.
|
|
||||||
- *
|
|
||||||
- * Fix this by not sharing the palette in this way.
|
|
||||||
- */
|
|
||||||
png_set_PLTE(png_ptr, info_ptr, palette, num);
|
|
||||||
|
|
||||||
/* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
|
|
||||||
diff -up libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngset.c
|
|
||||||
--- libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.490982521 +0200
|
|
||||||
+++ libpng-1.6.40/pngset.c 2026-05-13 17:57:13.495080620 +0200
|
|
||||||
@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i
|
|
||||||
png_error(png_ptr, "Invalid palette");
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* It may not actually be necessary to set png_ptr->palette here;
|
|
||||||
- * we do it for backward compatibility with the way the png_handle_tRNS
|
|
||||||
- * function used to do the allocation.
|
|
||||||
- *
|
|
||||||
- * 1.6.0: the above statement appears to be incorrect; something has to set
|
|
||||||
- * the palette inside png_struct on read.
|
|
||||||
- */
|
|
||||||
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
|
|
||||||
|
|
||||||
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
|
|
||||||
* of num_palette entries, in case of an invalid PNG file or incorrect
|
|
||||||
* call to png_set_PLTE() with too-large sample values.
|
|
||||||
+ *
|
|
||||||
+ * Allocate independent buffers for info_ptr and png_ptr so that the
|
|
||||||
+ * lifetime of png_ptr->palette is decoupled from the lifetime of
|
|
||||||
+ * info_ptr->palette. Previously, these two pointers were aliased,
|
|
||||||
+ * which caused a use-after-free vulnerability if png_free_data freed
|
|
||||||
+ * info_ptr->palette while png_ptr->palette was still in use by the
|
|
||||||
+ * row transform functions (e.g. png_do_expand_palette).
|
|
||||||
+ *
|
|
||||||
+ * Both buffers are allocated with png_calloc to zero-fill, because
|
|
||||||
+ * the ARM NEON palette riffle reads all 256 entries unconditionally,
|
|
||||||
+ * regardless of num_palette.
|
|
||||||
*/
|
|
||||||
+ png_free(png_ptr, png_ptr->palette);
|
|
||||||
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
|
||||||
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
|
||||||
+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
|
||||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
|
||||||
+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
|
|
||||||
|
|
||||||
if (num_palette > 0)
|
|
||||||
+ {
|
|
||||||
+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
|
|
||||||
+ (sizeof (png_color)));
|
|
||||||
memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
|
|
||||||
(sizeof (png_color)));
|
|
||||||
+ }
|
|
||||||
- info_ptr->palette = png_ptr->palette;
|
|
||||||
- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
|
|
||||||
|
|
||||||
info_ptr->free_me |= PNG_FREE_PLTE;
|
|
||||||
|
|
||||||
info_ptr->valid |= PNG_INFO_PLTE;
|
|
||||||
diff -up libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngwrite.c
|
|
||||||
--- libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.488545337 +0200
|
|
||||||
+++ libpng-1.6.40/pngwrite.c 2026-05-13 17:57:13.495368957 +0200
|
|
||||||
@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr)
|
|
||||||
png_ptr->trans_alpha = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ /* Free the independent copy of the palette owned by png_struct. */
|
|
||||||
+ png_free(png_ptr, png_ptr->palette);
|
|
||||||
+ png_ptr->palette = NULL;
|
|
||||||
+
|
|
||||||
/* The error handling and memory handling information is left intact at this
|
|
||||||
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
|
|
||||||
* for how this happens.
|
|
||||||
@ -1,26 +0,0 @@
|
|||||||
diff --git a/pngrtran.c b/pngrtran.c
|
|
||||||
index fd736ab672..978dac5888 100644
|
|
||||||
--- a/pngrtran.c
|
|
||||||
+++ b/pngrtran.c
|
|
||||||
@@ -2070,6 +2070,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
|
|
||||||
{
|
|
||||||
png_debug(1, "in png_read_transform_info");
|
|
||||||
|
|
||||||
+ if (png_ptr->transformations != 0)
|
|
||||||
+ {
|
|
||||||
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
|
||||||
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
|
|
||||||
+ {
|
|
||||||
+ /* Sync info_ptr->palette with png_ptr->palette.
|
|
||||||
+ * The function png_init_read_transformations may have modified
|
|
||||||
+ * png_ptr->palette in place (e.g. for gamma correction or for
|
|
||||||
+ * background compositing).
|
|
||||||
+ */
|
|
||||||
+ memcpy(info_ptr->palette, png_ptr->palette,
|
|
||||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
#ifdef PNG_READ_EXPAND_SUPPORTED
|
|
||||||
if ((png_ptr->transformations & PNG_EXPAND) != 0)
|
|
||||||
{
|
|
||||||
@ -1,32 +0,0 @@
|
|||||||
diff --git a/pngrtran.c b/pngrtran.c
|
|
||||||
index 1b04cafa56..0ac8df749e 100644
|
|
||||||
--- a/pngrtran.c
|
|
||||||
+++ b/pngrtran.c
|
|
||||||
@@ -2070,19 +2070,15 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
|
|
||||||
{
|
|
||||||
png_debug(1, "in png_read_transform_info");
|
|
||||||
|
|
||||||
- if (png_ptr->transformations != 0)
|
|
||||||
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
|
||||||
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
|
|
||||||
{
|
|
||||||
- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
|
||||||
- info_ptr->palette != NULL && png_ptr->palette != NULL)
|
|
||||||
- {
|
|
||||||
- /* Sync info_ptr->palette with png_ptr->palette.
|
|
||||||
- * The function png_init_read_transformations may have modified
|
|
||||||
- * png_ptr->palette in place (e.g. for gamma correction or for
|
|
||||||
- * background compositing).
|
|
||||||
- */
|
|
||||||
- memcpy(info_ptr->palette, png_ptr->palette,
|
|
||||||
- PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
|
||||||
- }
|
|
||||||
+ /* Sync info_ptr->palette with png_ptr->palette, which may
|
|
||||||
+ * have been modified by png_init_read_transformations
|
|
||||||
+ * (e.g. for gamma correction or background compositing).
|
|
||||||
+ */
|
|
||||||
+ memcpy(info_ptr->palette, png_ptr->palette,
|
|
||||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef PNG_READ_EXPAND_SUPPORTED
|
|
||||||
@ -1,34 +0,0 @@
|
|||||||
From 9821583a771bfe2c75b7449d8ff83cb348291b3f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Cosmin Truta <ctruta@gmail.com>
|
|
||||||
Date: Sun, 17 Jun 2018 22:56:29 -0400
|
|
||||||
Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
|
|
||||||
|
|
||||||
(Bug report by Thuan Pham, SourceForge issue #278)
|
|
||||||
---
|
|
||||||
pngrutil.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/pngrutil.c b/pngrutil.c
|
|
||||||
index 8692933..eab2973 100644
|
|
||||||
--- a/pngrutil.c
|
|
||||||
+++ b/pngrutil.c
|
|
||||||
@@ -3149,10 +3149,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
|
|
||||||
{
|
|
||||||
png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
|
|
||||||
size_t row_factor =
|
|
||||||
- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
|
|
||||||
- + 1 + (png_ptr->interlaced? 6: 0));
|
|
||||||
+ (size_t)png_ptr->width
|
|
||||||
+ * (size_t)png_ptr->channels
|
|
||||||
+ * (png_ptr->bit_depth > 8? 2: 1)
|
|
||||||
+ + 1
|
|
||||||
+ + (png_ptr->interlaced? 6: 0);
|
|
||||||
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
|
|
||||||
- idat_limit=PNG_UINT_31_MAX;
|
|
||||||
+ idat_limit = PNG_UINT_31_MAX;
|
|
||||||
else
|
|
||||||
idat_limit = png_ptr->height * row_factor;
|
|
||||||
row_factor = row_factor > 32566? 32566 : row_factor;
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
||||||
@ -1,12 +0,0 @@
|
|||||||
diff --git a/libpng-config.in b/libpng-config.in
|
|
||||||
index 3739eb9..7f6b2cc 100644
|
|
||||||
--- a/libpng-config.in
|
|
||||||
+++ b/libpng-config.in
|
|
||||||
@@ -13,7 +13,6 @@
|
|
||||||
|
|
||||||
version=`pkg-config --modversion libpng`
|
|
||||||
prefix=`pkg-config --variable prefix libpng`
|
|
||||||
-exec_prefix=`pkg-config --variable exec_prefix libpng`
|
|
||||||
libdir=`pkg-config --variable libdir libpng`
|
|
||||||
includedir=`pkg-config --variable includedir libpng`
|
|
||||||
libs="-lpng@PNGLIB_MAJOR@@PNGLIB_MINOR@"
|
|
||||||
@ -1,57 +1,44 @@
|
|||||||
|
%bcond_without check
|
||||||
|
|
||||||
Summary: A library of functions for manipulating PNG image format files
|
Summary: A library of functions for manipulating PNG image format files
|
||||||
Name: libpng
|
Name: libpng
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Version: 1.6.34
|
Version: 1.6.37
|
||||||
Release: 11%{?dist}
|
Release: 15%{?dist}
|
||||||
License: zlib
|
License: zlib
|
||||||
Group: System Environment/Libraries
|
|
||||||
URL: http://www.libpng.org/pub/png/
|
URL: http://www.libpng.org/pub/png/
|
||||||
|
|
||||||
# Note: non-current tarballs get moved to the history/ subdirectory,
|
Source0: https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
# so look there if you fail to retrieve the version you want
|
|
||||||
Source0: https://ftp-osl.osuosl.org/pub/libpng/src/libpng16/libpng-%{version}.tar.xz
|
|
||||||
Source1: pngusr.dfa
|
Source1: pngusr.dfa
|
||||||
Patch0: libpng-multilib.patch
|
Patch0: libpng-multilib.patch
|
||||||
Patch1: libpng-fix-arm-neon.patch
|
Patch1: libpng-fix-arm-neon.patch
|
||||||
Patch2: libpng-CVE-2018-13785.patch
|
# from upstream, for <1.6.51, RHEL-131594
|
||||||
Patch3: libpng-coverity.patch
|
|
||||||
# from upstream, for <1.6.51, RHEL-131422
|
|
||||||
# https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
|
# https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
|
||||||
Patch4: libpng-1.6-CVE-2025-64720.patch
|
Patch2: libpng-1.6-CVE-2025-64720.patch
|
||||||
# from upstream, for <1.6.51, RHEL-131435
|
# from upstream, for <1.6.51, RHEL-131603
|
||||||
# https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
|
# https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
|
||||||
Patch5: libpng-1.6-CVE-2025-65018_p1of2.patch
|
Patch3: libpng-1.6-CVE-2025-65018_p1of2.patch
|
||||||
# https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
|
# https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
|
||||||
Patch6: libpng-1.6-CVE-2025-65018_p2of2.patch
|
Patch4: libpng-1.6-CVE-2025-65018_p2of2.patch
|
||||||
# from upstream, for <1.6.52, RHEL-133212
|
# from upstream, for <1.6.52, RHEL-133294
|
||||||
# https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
|
# https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
|
||||||
Patch7: libpng-1.6-CVE-2025-66293_p1of2.patch
|
Patch5: libpng-1.6-CVE-2025-66293_p1of2.patch
|
||||||
# https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
|
# https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
|
||||||
Patch8: libpng-1.6-CVE-2025-66293_p2of2.patch
|
Patch6: libpng-1.6-CVE-2025-66293_p2of2.patch
|
||||||
# from upstream, for <1.6.54, RHEL-148852
|
# from upstream, for <1.6.54, RHEL-147356
|
||||||
# https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
|
# https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
|
||||||
Patch9: libpng-1.6-cve-2026-22695.patch
|
Patch7: libpng-1.6-cve-2026-22695.patch
|
||||||
# from upstream, for <1.6.54, RHEL-146659
|
# from upstream, for <1.6.54, RHEL-149000
|
||||||
# https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
|
# https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
|
||||||
Patch10: libpng-1.6-cve-2026-22801.patch
|
Patch8: libpng-1.6-cve-2026-22801.patch
|
||||||
# from upstream, for <1.6.55, RHEL-148338
|
# from upstream, for <1.6.55, RHEL-148328
|
||||||
# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
|
# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
|
||||||
Patch11: libpng-1.6-cve-2026-25646.patch
|
Patch9: libpng-1.6-cve-2026-25646.patch
|
||||||
# from upstream, for <1.6.56 (fix), for <1.6.58 (regression fix), RHEL-161436
|
|
||||||
# https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
|
|
||||||
Patch13: libpng-1.6-CVE-2026-33416_p1of5.patch
|
|
||||||
# https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
|
|
||||||
Patch14: libpng-1.6-CVE-2026-33416_p2of5.patch
|
|
||||||
# https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
|
|
||||||
Patch15: libpng-1.6-CVE-2026-33416_p3of5.patch
|
|
||||||
# https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
|
|
||||||
Patch16: libpng-1.6-CVE-2026-33416_p4of5.patch
|
|
||||||
# regression fix for 7ea9eea8 (part 3)
|
|
||||||
# https://github.com/pnggroup/libpng/commit/d4c4e49eb5c8981075ec2cd946428758c0cda6ac
|
|
||||||
Patch17: libpng-1.6-CVE-2026-33416_p5of5.patch
|
|
||||||
|
|
||||||
|
BuildRequires: gcc
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: autoconf automake libtool
|
BuildRequires: autoconf automake libtool
|
||||||
|
BuildRequires: make
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The libpng package contains a library of functions for creating and
|
The libpng package contains a library of functions for creating and
|
||||||
@ -65,9 +52,8 @@ files.
|
|||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: Development tools for programs to manipulate PNG image format files
|
Summary: Development tools for programs to manipulate PNG image format files
|
||||||
Group: Development/Libraries
|
|
||||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
Requires: zlib-devel%{?_isa} pkgconfig%{?_isa}
|
Requires: zlib-devel%{?_isa} pkgconfig
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
The libpng-devel package contains header files and documentation necessary
|
The libpng-devel package contains header files and documentation necessary
|
||||||
@ -79,7 +65,6 @@ the libpng package.
|
|||||||
|
|
||||||
%package static
|
%package static
|
||||||
Summary: Static PNG image format file library
|
Summary: Static PNG image format file library
|
||||||
Group: Development/Libraries
|
|
||||||
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description static
|
%description static
|
||||||
@ -89,7 +74,6 @@ necessary for some boot packages.
|
|||||||
|
|
||||||
%package tools
|
%package tools
|
||||||
Summary: Tools for PNG image format file library
|
Summary: Tools for PNG image format file library
|
||||||
Group: Development/Libraries
|
|
||||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description tools
|
%description tools
|
||||||
@ -102,36 +86,28 @@ cp -p %{SOURCE1} .
|
|||||||
|
|
||||||
%patch -P 0 -p1
|
%patch -P 0 -p1
|
||||||
%patch -P 1 -p1 -b .arm
|
%patch -P 1 -p1 -b .arm
|
||||||
%patch -P 2 -p1 -b .CVE-2018-13785
|
%patch -P 2 -p1 -b .CVE-2025-64720
|
||||||
%patch -P 3 -p1 -b .coverity
|
%patch -P 3 -p1 -b .CVE-2025-65018_p1of2
|
||||||
%patch -P 4 -p1 -b .CVE-2025-64720
|
%patch -P 4 -p1 -b .CVE-2025-65018_p2of2
|
||||||
%patch -P 5 -p1 -b .CVE-2025-65018_p1of2
|
%patch -P 5 -p1 -b .CVE-2025-66293_p1of2
|
||||||
%patch -P 6 -p1 -b .CVE-2025-65018_p2of2
|
%patch -P 6 -p1 -b .CVE-2025-66293_p2of2
|
||||||
%patch -P 7 -p1 -b .CVE-2025-66293_p1of2
|
%patch -P 7 -p1 -b .cve-2026-22695
|
||||||
%patch -P 8 -p1 -b .CVE-2025-66293_p2of2
|
%patch -P 8 -p1 -b .cve-2026-22801
|
||||||
%patch -P 9 -p1 -b .cve-2026-22695
|
%patch -P 9 -p1 -b .cve-2026-25646
|
||||||
%patch -P 10 -p1 -b .cve-2026-22801
|
|
||||||
%patch -P 11 -p1 -b .cve-2026-25646
|
|
||||||
%patch -P 13 -p1 -b .CVE-2026-33416_p1of5
|
|
||||||
%patch -P 14 -p1 -b .CVE-2026-33416_p2of5
|
|
||||||
%patch -P 15 -p1 -b .CVE-2026-33416_p3of5
|
|
||||||
%patch -P 16 -p1 -b .CVE-2026-33416_p4of5
|
|
||||||
%patch -P 17 -p1 -b .CVE-2026-33416_p5of5
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -vif
|
autoreconf -vif
|
||||||
%configure
|
%configure
|
||||||
make %{?_smp_mflags} DFA_XTRA=pngusr.dfa
|
%make_build DFA_XTRA=pngusr.dfa
|
||||||
|
|
||||||
%install
|
%install
|
||||||
make DESTDIR=$RPM_BUILD_ROOT install
|
%make_install
|
||||||
|
|
||||||
# We don't ship .la files.
|
# We don't ship .la files.
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||||
|
|
||||||
|
%if 0%{?with_check}
|
||||||
%check
|
%check
|
||||||
#to run make check use "--with check"
|
|
||||||
%if %{?_with_check:1}%{!?_with_check:0}
|
|
||||||
make check
|
make check
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
@ -158,33 +134,77 @@ make check
|
|||||||
%{_bindir}/pngfix
|
%{_bindir}/pngfix
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed May 13 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-11
|
* Tue Mar 03 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-15
|
||||||
- fix CVE-2026-33416: use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE (RHEL-161344)
|
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)
|
||||||
|
|
||||||
* Thu Mar 05 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-10
|
* Thu Feb 19 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-14
|
||||||
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338)
|
- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356)
|
||||||
- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852)
|
- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000)
|
||||||
- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659)
|
|
||||||
|
|
||||||
* Tue Dec 16 2025 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-9
|
* Wed Jan 21 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-13
|
||||||
- CVE-2025-64720: buffer overflow (RHEL-131452)
|
- CVE-2025-64720: buffer overflow (RHEL-131594)
|
||||||
- CVE-2025-65018: heap buffer overflow (RHEL-131465)
|
- CVE-2025-65018: heap buffer overflow (RHEL-131603)
|
||||||
- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133226)
|
- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133294)
|
||||||
|
|
||||||
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-8
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-12
|
||||||
- Remove redundant fix for CVE-2017-12652
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
* Tue Nov 26 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-7
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.6.37-11
|
||||||
- Add upstream test suite and enable it in gating
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
* Fri Nov 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
|
* Wed Mar 24 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-10
|
||||||
- Fix CVE-2017-12652 (#1744871)
|
- Remove the aarch64 test workaround, the patches causing the failures
|
||||||
|
have been dropped in zlib-1.2.11-25
|
||||||
|
|
||||||
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-5
|
* Thu Feb 11 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-9
|
||||||
- Fix important Covscan defects (#1602588)
|
- Run %check by default
|
||||||
|
|
||||||
* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
|
* Fri Feb 05 2021 Nikola Forró <nforro@redhat.com> - 2:1.6.37-8
|
||||||
- Fix CVE-2018-13785 (#1599952)
|
- Use proper pngtest.png reference image on aarch64
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-7
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Nov 02 2020 Nikola Forró <nforro@redhat.com> - 2:1.6.37-6
|
||||||
|
- Remove libpng-devel dependency on arch-specific pkgconfig (#1893523)
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2:1.6.37-4
|
||||||
|
- Use make macros
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.37-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed May 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.37-1
|
||||||
|
- New upstream release 1.6.37
|
||||||
|
|
||||||
|
* Wed Feb 27 2019 Debarshi Ray <rishi@fedoraproject.org> - 2:1.6.36-1
|
||||||
|
- New upstream release 1.6.36
|
||||||
|
|
||||||
|
* Fri Feb 08 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.35-3
|
||||||
|
- Fix CVE-2019-7317 (#1672411)
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.35-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Oct 10 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.35-1
|
||||||
|
- New upstream release 1.6.35 (#1552349)
|
||||||
|
|
||||||
|
* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
|
||||||
|
- Fix CVE-2018-13785 (#1599944)
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-4
|
||||||
|
- Add missing gcc build dependency
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-3
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user