From bdca3c879812216334ed7f1d0dc870902a4910d2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 5 Nov 2019 14:43:05 -0500 Subject: [PATCH] import libpng15-1.5.30-7.el8 --- .gitignore | 1 + .libpng15.metadata | 1 + SOURCES/libpng15-CVE-2013-6954.patch | 21 ++++++++++ SOURCES/libpng15-CVE-2018-13785.patch | 34 ++++++++++++++++ SOURCES/pngusr.dfa | 6 +++ SPECS/libpng15.spec | 58 +++++++++++++++++++++++++++ 6 files changed, 121 insertions(+) create mode 100644 .gitignore create mode 100644 .libpng15.metadata create mode 100644 SOURCES/libpng15-CVE-2013-6954.patch create mode 100644 SOURCES/libpng15-CVE-2018-13785.patch create mode 100644 SOURCES/pngusr.dfa create mode 100644 SPECS/libpng15.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9082c2b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/libpng-1.5.30.tar.xz diff --git a/.libpng15.metadata b/.libpng15.metadata new file mode 100644 index 0000000..107f58e --- /dev/null +++ b/.libpng15.metadata @@ -0,0 +1 @@ +d3736c0235721b089abc72462fc6d961f75c972e SOURCES/libpng-1.5.30.tar.xz diff --git a/SOURCES/libpng15-CVE-2013-6954.patch b/SOURCES/libpng15-CVE-2013-6954.patch new file mode 100644 index 0000000..43a1d46 --- /dev/null +++ b/SOURCES/libpng15-CVE-2013-6954.patch @@ -0,0 +1,21 @@ +diff --git a/pngset.c b/pngset.c +index 4177e62..3876103 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -524,6 +524,16 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr, + return; + } + } ++ if ((num_palette > 0 && palette == NULL) || ++ (num_palette == 0 ++ # ifdef PNG_MNG_FEATURES_SUPPORTED ++ && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 ++ # endif ++ )) ++ { ++ png_error(png_ptr, "Invalid palette"); ++ return; ++ } + + /* It may not actually be necessary to set png_ptr->palette here; + * we do it for backward compatibility with the way the png_handle_tRNS diff --git a/SOURCES/libpng15-CVE-2018-13785.patch b/SOURCES/libpng15-CVE-2018-13785.patch new file mode 100644 index 0000000..32d8df7 --- /dev/null +++ b/SOURCES/libpng15-CVE-2018-13785.patch @@ -0,0 +1,34 @@ +From 1748e52e41b7bd8bde8cc917053c39bd6849c17d Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sun, 17 Jun 2018 22:56:29 -0400 +Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length + +(Bug report by Thuan Pham, SourceForge issue #278) +--- + pngrutil.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/pngrutil.c b/pngrutil.c +index d5a344d..1e90863 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -2839,10 +2839,13 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length) + { + png_alloc_size_t idat_limit = PNG_UINT_31_MAX; + size_t row_factor = +- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) +- + 1 + (png_ptr->interlaced? 6: 0)); ++ (size_t)png_ptr->width ++ * (size_t)png_ptr->channels ++ * (png_ptr->bit_depth > 8? 2: 1) ++ + 1 ++ + (png_ptr->interlaced? 6: 0); + if (png_ptr->height > PNG_UINT_32_MAX/row_factor) +- idat_limit=PNG_UINT_31_MAX; ++ idat_limit = PNG_UINT_31_MAX; + else + idat_limit = png_ptr->height * row_factor; + row_factor = row_factor > 32566? 32566 : row_factor; +-- +2.17.1 + diff --git a/SOURCES/pngusr.dfa b/SOURCES/pngusr.dfa new file mode 100644 index 0000000..316761f --- /dev/null +++ b/SOURCES/pngusr.dfa @@ -0,0 +1,6 @@ +# Enable use of "safe" default limits on image size and chunk size. +#option SAFE_LIMITS on +# However, the default defaults seem a tad too restrictive for general +# purpose use, so back them off a little. +setting USER_CHUNK_CACHE_MAX default 1000 +setting USER_CHUNK_MALLOC_MAX default 1000000000 diff --git a/SPECS/libpng15.spec b/SPECS/libpng15.spec new file mode 100644 index 0000000..f1f047d --- /dev/null +++ b/SPECS/libpng15.spec @@ -0,0 +1,58 @@ +Summary: Old version of libpng, needed to run old binaries +Name: libpng15 +Version: 1.5.30 +Release: 7%{?dist} +License: zlib +URL: http://www.libpng.org/pub/png/ + +# Note: non-current tarballs get moved to the history/ subdirectory, +# so look there if you fail to retrieve the version you want +Source0: https://ftp-osl.osuosl.org/pub/libpng/src/libpng15/libpng-%{version}.tar.xz + +Source1: pngusr.dfa + +Patch0: libpng15-CVE-2013-6954.patch +Patch1: libpng15-CVE-2018-13785.patch + +BuildRequires: gcc +BuildRequires: zlib-devel + +%description +The libpng15 package provides libpng 1.5, an older version of the libpng. +library for manipulating PNG (Portable Network Graphics) image format files. +This version should be used only if you are unable to use the current +version of libpng. + +%prep +%setup -q -n libpng-%{version} + +%patch0 -p1 +%patch1 -p1 + +# Provide pngusr.dfa for build. +cp -p %{SOURCE1} . + +%build +%configure --disable-static +make %{?_smp_mflags} DFA_XTRA=pngusr.dfa + +%install +make DESTDIR=$RPM_BUILD_ROOT install + +# We don't ship .la files. +rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la +rm -rf $RPM_BUILD_ROOT%{_libdir}/libpng*.so +rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig/libpng.pc +rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig/libpng15.pc +rm -rf $RPM_BUILD_ROOT%{_mandir}/* +rm -rf $RPM_BUILD_ROOT%{_includedir}/* +rm -rf $RPM_BUILD_ROOT%{_bindir}/* + +%files +%doc LICENSE +%{_libdir}/libpng15.so.* + +%changelog +* Thu Jun 06 2019 Nikola Forró - 1.5.30-7 +- New package for RHEL 8.1.0 + resolves: #1687581