From patchwork Tue Dec 2 11:57:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9352 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4dLK664wY7z3wb0 for ; Tue, 02 Dec 2025 11:58:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4dLK634gkrz425 for ; Tue, 02 Dec 2025 11:58:03 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4dLK630kzdz3340 for ; Tue, 02 Dec 2025 11:58:03 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4dLK5v0WCvz3345 for ; Tue, 02 Dec 2025 11:57:55 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4dLK5t3jYVz3vW; Tue, 02 Dec 2025 11:57:54 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1764676674; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cmkyFBNJ4gbvhmEp4k0J+bQ3TKHS/6fVEfZzPyjlTKo=; b=pmkbTadgzze0p3jmROd6vfhiEVV7xnx92PVXQMTppajo0d9PKF46k/5klkViWRMoMczXhl LyS7njzTOcyeCrBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1764676674; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cmkyFBNJ4gbvhmEp4k0J+bQ3TKHS/6fVEfZzPyjlTKo=; b=VGcX8u4LhfJoNHcsM4VfChKFXuOKMtP1TLRYfZ8iHXYXTusT43feaH/j6VXRrqkA9r0BuN +lrSV8yf+ttsNuO8XxFIMWB3dw8118WfZgM8iB87ZtcIpcGiM9/sAwah76xO2MEI0uZBqh k5nkMtzZP13jkOfqXahV0I296gTr1bRrfmZ+1KI60rAZQzwRe1pF2p+X0jyL+j4xiUBrWr r9zLVn3aQPda9YJ1g16qv3tu/L3ATX1fxZ722hdEgaazoJss6RF4woRgaoOWYbvyZdE+TV o/LK15bW592ZzH9Yikdi23mOAhhTe4EQcYwtcqg3/DRHXPPQdMG9Cp0ZxCpgag== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH] libpng: Update to version 1.6.51 Date: Tue, 2 Dec 2025 12:57:44 +0100 Message-ID: <20251202115747.50373-6-adolf.belka@ipfire.org> In-Reply-To: <20251202115747.50373-1-adolf.belka@ipfire.org> References: <20251202115747.50373-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - Update from version 1.6.50 to 1.6.51 - Update of rootfile - Four CVE fixes - Changelog 1.6.51 Fixed CVE-2025-64505 (moderate severity): Heap buffer overflow in `png_do_quantize` via malformed palette index. (Reported by Samsung; analyzed by Fabio Gritti.) Fixed CVE-2025-64506 (moderate severity): Heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled. (Reported by Samsung and ; analyzed by Fabio Gritti.) Fixed CVE-2025-64720 (high severity): Buffer overflow in `png_image_read_composite` via incorrect palette premultiplication. (Reported by Samsung; analyzed by John Bowler.) Fixed CVE-2025-65018 (high severity): Heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`. (Reported by .) Fixed a memory leak in `png_set_quantize`. (Reported by Samsung; analyzed by Fabio Gritti.) Removed the experimental and incomplete ERROR_NUMBERS code. (Contributed by Tobias Stoeckmann.) Improved the RISC-V vector extension support; required RVV 1.0 or newer. (Contributed by Filip Wasil.) Added GitHub Actions workflows for automated testing. Performed various refactorings and cleanups. Signed-off-by: Adolf Belka --- config/rootfiles/common/libpng | 2 +- lfs/libpng | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/libpng b/config/rootfiles/common/libpng index 5f3f801d5..9dfdef5c6 100644 --- a/config/rootfiles/common/libpng +++ b/config/rootfiles/common/libpng @@ -16,7 +16,7 @@ usr/lib/libpng.so #usr/lib/libpng16.la usr/lib/libpng16.so usr/lib/libpng16.so.16 -usr/lib/libpng16.so.16.50.0 +usr/lib/libpng16.so.16.51.0 #usr/lib/pkgconfig/libpng.pc #usr/lib/pkgconfig/libpng16.pc #usr/share/man/man3/libpng.3 diff --git a/lfs/libpng b/lfs/libpng index e181be4e3..545b3efef 100644 --- a/lfs/libpng +++ b/lfs/libpng @@ -24,7 +24,7 @@ include Config -VER = 1.6.50 +VER = 1.6.51 THISAPP = libpng-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 2191536b4448d3a058b9dbb31f3d780959c9daf7b104550cc89e8ae984a3c9f01b86bf6c6708983989b4bfbe7232e3716b8a3b8cd3313a12c31e0623b6241d11 +$(DL_FILE)_BLAKE2 = 2d1ee36f9796e90a533abf26597df82c39cfab42f8d4044d35e0fdbab65612b9fc0234780677e2ea758450db9815b9d30870e8024bcebc0170c87361b7c4cc0a install : $(TARGET)