From 5646b27ba70b57599ac44bd8fd224b987f3f0a1edd2ff3b540dd152909da2ae0 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Thu, 3 Dec 2015 15:14:24 +0000
Subject: [PATCH] - update to 1.6.20: Avoid potential pointer overflow/underflow in png_handle_sPLT() and png_handle_pCAL() (Bug report by John Regehr). Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability. Backported tests from libpng-1.7.0beta69. Fixed an error in handling of bad zlib CMINFO field in pngfix, found by American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't immediately fault a bad CMINFO field; instead a 'too far back' error happens later (at least some times). pngfix failed to limit CMINFO to the allowed values but then assumed that window_bits was in range, triggering an assert. The bug is mostly harmless; the PNG file cannot be fixed. In libpng 1.6 zlib initialization was changed to use the window size in the zlib stream, not a fixed value. This causes some invalid images, where CINFO is too large, to display 'correctly' if the rest of the data is valid. This provides a workaround for zlib versions where the error arises (ones that support the API change to use the window size in the stream).
OBS-URL: https://build.opensuse.org/package/show/graphics/libpng16?expand=0&rev=75
---
 libpng-1.6.19.tar.xz | 3 ---
 libpng-1.6.19.tar.xz.asc | 17 -----------------
 libpng-1.6.20.tar.xz | 3 +++
 libpng-1.6.20.tar.xz.asc | 17 +++++++++++++++++
 libpng16.changes | 24 ++++++++++++++++++++++++
 libpng16.spec | 2 +-
 6 files changed, 45 insertions(+), 21 deletions(-)
 delete mode 100644 libpng-1.6.19.tar.xz
 delete mode 100644 libpng-1.6.19.tar.xz.asc
 create mode 100644 libpng-1.6.20.tar.xz
 create mode 100644 libpng-1.6.20.tar.xz.asc
diff --git a/libpng-1.6.19.tar.xz b/libpng-1.6.19.tar.xz
deleted file mode 100644
index 1f9206d..0000000
--- a/libpng-1.6.19.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:311c5657f53516986c67713c946f616483e3cdb52b8b2ee26711be74e8ac35e8
-size 941280
diff --git a/libpng-1.6.19.tar.xz.asc b/libpng-1.6.19.tar.xz.asc
deleted file mode 100644
index 8b27960..0000000
--- a/libpng-1.6.19.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABAgAGBQJWRJdjAAoJEPVJhL+hbGQPfQgQAKr/BrU1ZGbvJjyQ6dxGDKjN
-bshmoTp+u+B24qUmjM0mYFGiv2WeHIvSvaao0YEfL/u7S9+NINT1sL1+0K5PT+ZF
-DgEy4R3OqvEUlnix3nTJ7UgIf9iPBniq747Xv+N3NMc2dzUMATbqyma1MNiGQpvE
-pDuYQhIGauydimXlhqzYMm7/sE54j7uf1ecYxIsKHHLyIKy7Pwog+c5Rjb5BTjVS
-tGx+TCSGsWbMy+hw74/h8ESkjjd6Bk4+S+aEzCoUoAdUCu3ziOSqVAdWN3z++w8S
-1vM9lhguYvatz2hgLeHgngc3NvAeJLV5sOCUUqsxA+pilIlV6Tcmr/tmNsAWnWe5
-nO5iJ4YnU+7CZYrX5V47AijaLtRDzXh07sdwefpooyEB+OUYKprNVi+jH9PFAFId
-GLIiize/PevkeOheMMkafOyESEzD9zS9lPFgCIfRl+qZSKGLjA8Cq0QA56I1E60F
-i6w2j9U3VAHUi+PcrBO3BTsUkVc8H2OWsClCwMlyYxkb4exgDAxV3XbnUdTXuF9A
-ABQn1H/dLFmJcyLKRY+pQ7+XCWz/nnDQhIIFlwnlZH/lMzR4e6gtnjOBXDOZUS3W
-vlTjx2OcxVEXFiafhKvHFk0fsnJscXinB88HpSrb/83aEOc++eMq6wmwySK1zf0T
-TuCarcJ0DZkGmLBg2bRC
-=XCSM
------END PGP SIGNATURE-----
diff --git a/libpng-1.6.20.tar.xz b/libpng-1.6.20.tar.xz
new file mode 100644
index 0000000..813d390
--- /dev/null
+++ b/libpng-1.6.20.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55c5959e9f3484d96141a3226c53bc9da42a4845e70879d3e1d6e94833d1918b
+size 942672
diff --git a/libpng-1.6.20.tar.xz.asc b/libpng-1.6.20.tar.xz.asc
new file mode 100644
index 0000000..c989cff
--- /dev/null
+++ b/libpng-1.6.20.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJWYEXlAAoJEPVJhL+hbGQP2YwP/02NCjKPni/pgQMTgmfs8Dgg
+Wsotwy5/SKmtFmGScfSyF+0UI2sVzTyy/16udNs2noyza2T0uTXk2KX2vwxB463I
+QRha8EZb53dwzUHJhNI6Z3UAk5uOGHUnGUysBhQ6K5DiEHAmHmGtHVchxpow0gjU
+DAG30+PTC57NxNWV1/qEuGM1ht+yjH4as0haxxYw46jFAuN0CQyE4SUTNgh05m7A
+AGmIJyE/Vi+zEfWbhofAIa6m32+LFUtq06JGK8hVcgmBLctG8BGX1RwImq7Jorin
+AEuB4XUk5B5a6gRTDp1UWinw1McXC6xdepfq42RhfT/mkvw2LQR7gdfPBFntj9xs
+OXxZCWUHfWgTgFyM1m7tjiYsM+UGO49+xELtoLj2nRFLEKFhrJ1cBZG7h0Zu5DnT
++BFZI88g6Uc7YY5G2MBLHMhVSgO6cWl+VxMlpRQr9ARrMHHqv3kQzKP9cpPde24x
+xFQC+cZ8a0ja+rzzJPJvaSrNl9gZOL3GHDnOUThbzzP9zPRhxaaD6L6rxnMROFbE
+3uW16UlDeMwtpy+EQcOiEQ89PyJEvwrHnIDlgHqydFHqtf/FQbeFrTvSXD1fne8k
+oI/oTJRobxIAxv9ce92mFyc3FKrlalhW6lu+s0LysBwu+7Ax2+eKr92aUZ/WBj1e
+SVynvw5LBFVB7z8N6M+m
+=mMQk
+-----END PGP SIGNATURE-----
diff --git a/libpng16.changes b/libpng16.changes
index 0ee52fc..a861dc6 100644
--- a/libpng16.changes
+++ b/libpng16.changes
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Thu Dec 3 15:11:03 UTC 2015 - pgajdos@suse.com + +- update to 1.6.20: + Avoid potential pointer overflow/underflow in png_handle_sPLT() and + png_handle_pCAL() (Bug report by John Regehr). + Fixed incorrect implementation of png_set_PLTE() that uses png_ptr + not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 + vulnerability. + Backported tests from libpng-1.7.0beta69. + Fixed an error in handling of bad zlib CMINFO field in pngfix, found by + American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't + immediately fault a bad CMINFO field; instead a 'too far back' error + happens later (at least some times). pngfix failed to limit CMINFO to + the allowed values but then assumed that window_bits was in range, + triggering an assert. The bug is mostly harmless; the PNG file cannot + be fixed. + In libpng 1.6 zlib initialization was changed to use the window size + in the zlib stream, not a fixed value. This causes some invalid images, + where CINFO is too large, to display 'correctly' if the rest of the + data is valid. This provides a workaround for zlib versions where the + error arises (ones that support the API change to use the window size + in the stream). + ------------------------------------------------------------------- Fri Nov 13 07:25:01 UTC 2015 - pgajdos@suse.com diff --git a/libpng16.spec b/libpng16.spec index f5f13f7..bff3526 100644 --- a/libpng16.spec +++ b/libpng16.spec @@ -19,7 +19,7 @@ # %define major 1 %define minor 6 -%define micro 19 +%define micro 20 %define branch %{major}%{minor} %define libname libpng%{branch}-%{branch}