Accepting request 694940 from graphics

- make check actually works under asan

- version update to 1.6.37
  Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
  Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
  Fixed a memory leak in pngtest.c.
  Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in
    contrib/pngminus; refactor.
  Changed the license of contrib/pngminus to MIT; refresh makefile and docs.
    (Contributed by Willem van Schaik)
  Added makefiles for AddressSanitizer-enabled builds.
- deleted patches
  - libpng-arm-free.patch (upstreamed)

OBS-URL: https://build.opensuse.org/request/show/694940
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libpng16?expand=0&rev=42

libpng-1.6.36.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eceb924c1fa6b79172fdfd008d335f0e59172a86a66481e09d4089df872aa319
-size 1012544

libpng-1.6.37.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca
+size 1012272

libpng-arm-free.patch

@@ -1,16 +0,0 @@
-Index: libpng-1.6.36/pngread.c
-===================================================================
---- libpng-1.6.36.orig/pngread.c	2018-12-01 15:36:00.000000000 +0100
-+++ libpng-1.6.36/pngread.c	2019-01-28 12:41:14.044709070 +0100
-@@ -994,6 +994,11 @@ png_read_destroy(png_structrp png_ptr)
-    png_ptr->chunk_list = NULL;
- #endif
- 
-+#if PNG_ARM_NEON_IMPLEMENTATION == 1
-+   png_free(png_ptr, png_ptr->riffled_palette);
-+   png_ptr->riffled_palette = NULL;
-+#endif
-+
-    /* NOTE: the 'setjmp' buffer may still be allocated and the memory and error
-     * callbacks are still set at this point.  They are required to complete the
-     * destruction of the png_struct itself.

libpng16.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Apr 17 06:29:11 UTC 2019 - pgajdos@suse.com
+
+- make check actually works under asan
+
+-------------------------------------------------------------------
+Mon Apr 15 15:02:33 UTC 2019 - pgajdos@suse.com
+
+- version update to 1.6.37
+  Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
+  Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
+  Fixed a memory leak in pngtest.c.
+  Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in
+    contrib/pngminus; refactor.
+  Changed the license of contrib/pngminus to MIT; refresh makefile and docs.
+    (Contributed by Willem van Schaik)
+  Added makefiles for AddressSanitizer-enabled builds.
+- deleted patches
+  - libpng-arm-free.patch (upstreamed)
+
 -------------------------------------------------------------------
 Mon Jan 28 11:43:05 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
 

libpng16.spec

@@ -21,7 +21,7 @@
 
 %define major   1
 %define minor   6
-%define micro   36
+%define micro   37
 %define branch  %{major}%{minor}
 %define libname libpng%{branch}-%{branch}
 %define debug_package_requires %{libname} = %{version}-%{release}
@@ -32,7 +32,6 @@ Summary:        Library for the Portable Network Graphics Format (PNG)
 License:        Zlib
 Group:          Development/Libraries/C and C++
 Url:            http://www.libpng.org/pub/png/libpng.html
-Patch0:         libpng-arm-free.patch
 Source0:        http://prdownloads.sourceforge.net/libpng/libpng-%{version}.tar.xz
 Source2:        libpng16.keyring
 Source3:        rpm-macros.libpng-tools
@@ -98,7 +97,6 @@ PNG files.
 
 %prep
 %setup -q -n libpng-%{version}
-%patch0 -p1
 
 %build
 # PNG_SAFE_LIMITS_SUPPORTED: http://www.openwall.com/lists/oss-security/2015/01/10/1
@@ -116,10 +114,6 @@ sed -i -e 's/^\(CFLAGS.*\)$/\1 -fsanitize=address/' \
 make %{?_smp_mflags}
 
 %check
-%if %{asan_build}
-# ASAN needs /proc to be mounted
-exit 0
-%endif
 make -j1 check
 
 %install