rpms/libpng15
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c8
Branches Tags
rpms:c8
rpms:c8s
rpms:c9
rpms:c9s
rpms:c9-beta
rpms:c8-beta
rpms:c10s
rpms:imports/c8/libpng15-1.5.30-8.el8_10
rpms:imports/c9/libpng15-1.5.30-14.el9_7.1
rpms:imports/c8s/libpng15-1.5.30-7.el8
rpms:imports/c9/libpng15-1.5.30-14.el9
rpms:imports/c9-beta/libpng15-1.5.30-14.el9
rpms:imports/c8-beta/libpng15-1.5.30-7.el8
rpms:imports/c8/libpng15-1.5.30-7.el8
rpms:imports/c10s/libpng15-1.5.30-14.el10
..
compare: rpms:c8-beta
Branches Tags
rpms:c8s
rpms:c8
rpms:c9
rpms:c9s
rpms:c9-beta
rpms:c8-beta
rpms:c10s
rpms:imports/c8/libpng15-1.5.30-8.el8_10
rpms:imports/c9/libpng15-1.5.30-14.el9_7.1
rpms:imports/c8s/libpng15-1.5.30-7.el8
rpms:imports/c9/libpng15-1.5.30-14.el9
rpms:imports/c9-beta/libpng15-1.5.30-14.el9
rpms:imports/c8-beta/libpng15-1.5.30-7.el8
rpms:imports/c8/libpng15-1.5.30-7.el8
rpms:imports/c10s/libpng15-1.5.30-14.el10

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

2 changed files with 3 additions and 25 deletions
Show Stats Expand all files Collapse all files

15
SOURCES/libpng-1.6-cve-2026-25646.patch
View File

@ -1,15 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index fe8f9d32c9..1fce9af121 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
break;
t->next = hash[d];
- t->left = (png_byte)i;
- t->right = (png_byte)j;
+ t->left = png_ptr->palette_to_index[i];
+ t->right = png_ptr->palette_to_index[j];
hash[d] = t;
}
}

13
SPECS/libpng15.spec
View File

@ -1,7 +1,7 @@
Summary: Old version of libpng, needed to run old binaries Summary: Old version of libpng, needed to run old binaries
Name: libpng15 Name: libpng15
Version: 1.5.30 Version: 1.5.30
Release: 8%{?dist} Release: 7%{?dist}
License: zlib License: zlib
URL: http://www.libpng.org/pub/png/ URL: http://www.libpng.org/pub/png/
@ -13,9 +13,6 @@ Source1: pngusr.dfa
Patch0: libpng15-CVE-2013-6954.patch Patch0: libpng15-CVE-2013-6954.patch
Patch1: libpng15-CVE-2018-13785.patch Patch1: libpng15-CVE-2018-13785.patch
# from upstream, for <= 1.6.54, RHEL-148340
# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Patch2: libpng-1.6-cve-2026-25646.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -29,9 +26,8 @@ version of libpng.
%prep %prep
%setup -q -n libpng-%{version} %setup -q -n libpng-%{version}
%patch -P 0 -p1 %patch0 -p1
%patch -P 1 -p1 %patch1 -p1
%patch -P 2 -p1 -b .cve-2026-25646
# Provide pngusr.dfa for build. # Provide pngusr.dfa for build.
cp -p %{SOURCE1} . cp -p %{SOURCE1} .
@ -57,9 +53,6 @@ rm -rf $RPM_BUILD_ROOT%{_bindir}/*
%{_libdir}/libpng15.so.* %{_libdir}/libpng15.so.*
%changelog %changelog
* Thu Mar 12 2026 Michal Hlavinka <mhlavink@redhat.com> - 1.5.30-8
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148340)
* Thu Jun 06 2019 Nikola Forró <nforro@redhat.com> - 1.5.30-7 * Thu Jun 06 2019 Nikola Forró <nforro@redhat.com> - 1.5.30-7
- New package for RHEL 8.1.0 - New package for RHEL 8.1.0
resolves: #1687581 resolves: #1687581