libpng: Update to version 1.6.56

Message ID 20260407151108.3472751-17-adolf.belka@ipfire.org
State Staged
Commit afb941004c256997d43966b63274319fea3fb4d2
Series libpng: Update to version 1.6.56

Commit Message

Adolf Belka 7 Apr 2026, 3:10 p.m. UTC
- Update from version 1.6.55 to 1.6.56
- Update of rootfile
- Fixes for two high severity CVEs
- Changelog
    1.6.56
  Fixed CVE-2026-33416 (high severity):
    Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
    (Reported by Halil Oktay and Ryo Shimada;
    fixed by Halil Oktay and Cosmin Truta.)
  Fixed CVE-2026-33636 (high severity):
    Out-of-bounds read/write in the palette expansion on ARM Neon.
    (Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
  Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
    (Contributed by Halil Oktay.)
  Fixed stale `info_ptr->palette` after in-place gamma and background
    transforms.
  Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
    (Contributed by Yuelin Wang.)
  Fixed wrong background color in colormap read.
    (Contributed by Yuelin Wang.)
  Fixed dead loop in sPLT write.
    (Contributed by Yuelin Wang.)
  Added missing null pointer checks in four public API functions.
    (Contributed by Yuelin Wang.)
  Validated shift bit depths in `png_set_shift` to prevent infinite loop.
    (Contributed by Yuelin Wang.)
  Avoided undefined behavior in library and tests.
  Deprecated the hardly-ever-tested POINTER_INDEXING config option.
  Added negative-stride test coverage for the simplified API.
  Fixed memory leaks and API misuse in oss-fuzz.
    (Contributed by Owen Sanzas.)
  Implemented various fixes and improvements in oss-fuzz.
    (Contributed by Bob Friesenhahn and Philippe Antoine.)
  Performed various refactorings and cleanups.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/libpng | 2 +-
 lfs/libpng                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
  

Patch

diff --git a/config/rootfiles/common/libpng b/config/rootfiles/common/libpng
index 3a263172a..c19c261c5 100644
--- a/config/rootfiles/common/libpng
+++ b/config/rootfiles/common/libpng
@@ -16,7 +16,7 @@  usr/lib/libpng.so
 #usr/lib/libpng16.la
 usr/lib/libpng16.so
 usr/lib/libpng16.so.16
-usr/lib/libpng16.so.16.55.0
+usr/lib/libpng16.so.16.56.0
 #usr/lib/pkgconfig/libpng.pc
 #usr/lib/pkgconfig/libpng16.pc
 #usr/share/man/man3/libpng.3
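Review bot: The swap of usr/lib/libpng16.so.16.55.0 for usr/lib/libpng16.so.16.56.0 in the rootfile leaves open whether the old versioned library is removed on systems that upgrade in place. Since this release fixes two high severity CVEs, please confirm that the upgrade path deletes libpng16.so.16.55.0 so no vulnerable copy stays on disk. The usr/lib/libpng16.so.16 entry is unchanged, so consumers that load the library by that name should resolve to the new file once it is installed.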
diff --git a/lfs/libpng b/lfs/libpng
index cadba768d..d65a5d86e 100644
--- a/lfs/libpng
+++ b/lfs/libpng
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 1.6.55
+VER        = 1.6.56
 
 THISAPP    = libpng-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 2fd88e6e9f4e72edbafbfdd6d8e78522033920a250f8cb37f29ba8e9593cdf006b06f4e73de4e83fc5ddaaa3725362f27f5a16727ae841fd8969b74f28517ec4
+$(DL_FILE)_BLAKE2 = f653a3177e0910fc156a792d5522fc2a0c04ce0bb43eabb68e06922303dcf6062d8f9b570440bfe1a94ac1b901ef6e9c32b6882d0f4a406e5a9090ea3396f89a
 
 install : $(TARGET)
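Review bot: The new $(DL_FILE)_BLAKE2 value cannot be checked from the patch itself, and the commit message does not say how the 1.6.56 tarball was authenticated before the digest was taken. Please state whether the tarball was verified against the upstream release signature or a published checksum, so the pinned digest reflects the upstream release rather than only whatever was downloaded.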