From patchwork Sun Apr 26 11:44:13 2026
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9730
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] libpng: Update to version 1.6.58
Date: Sun, 26 Apr 2026 13:44:13 +0200
Message-ID: <20260426114418.122889-24-adolf.belka@ipfire.org>
In-Reply-To: <20260426114418.122889-1-adolf.belka@ipfire.org>
References: <20260426114418.122889-1-adolf.belka@ipfire.org>

- Update from version 1.6.56 to 1.6.58
- Update of rootfile
- CVE fix applied in 1.6.57
- Changelog
    1.6.58
      Fixed a regression introduced in version 1.6.56 that caused `png_get_PLTE`
       to return stale palette data after applying gamma and background
       transforms in-place. (Reported by ralfjunker .)
    1.6.57
      Fixed CVE-2026-34757 (medium severity): Use-after-free in `png_set_PLTE`,
       `png_set_tRNS` and `png_set_hIST` leading to corrupted chunk data and
       potential heap information disclosure. Also hardened the append-style
       setters (`png_set_text`, `png_set_sPLT`, `png_set_unknown_chunks`)
       against a theoretical variant of the same aliasing pattern.
       (Reported by Iv4n .)
      Fixed integer overflow in rowbytes computation in read transforms.
       (Contributed by Mohammad Seet.)

Signed-off-by: Adolf Belka
--- config/rootfiles/common/libpng | 2 +- lfs/libpng | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/libpng b/config/rootfiles/common/libpng index c19c261c5..ef7d888f3 100644 --- a/config/rootfiles/common/libpng +++ b/config/rootfiles/common/libpng @@ -16,7 +16,7 @@ usr/lib/libpng.so #usr/lib/libpng16.la usr/lib/libpng16.so usr/lib/libpng16.so.16 -usr/lib/libpng16.so.16.56.0 +usr/lib/libpng16.so.16.58.0 #usr/lib/pkgconfig/libpng.pc #usr/lib/pkgconfig/libpng16.pc #usr/share/man/man3/libpng.3 diff --git a/lfs/libpng b/lfs/libpng index d65a5d86e..6aa7fbee9 100644 --- a/lfs/libpng +++ b/lfs/libpng 
@@ -24,7 +24,7 @@ include Config -VER = 1.6.56 +VER = 1.6.58 THISAPP = libpng-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = f653a3177e0910fc156a792d5522fc2a0c04ce0bb43eabb68e06922303dcf6062d8f9b570440bfe1a94ac1b901ef6e9c32b6882d0f4a406e5a9090ea3396f89a +$(DL_FILE)_BLAKE2 = 51042e8f2b56d469b516db9cbde6d4b6813a62d1b7117898ba32a9a5ac5cd73832c627d7377745e5d5154aade6ec6928fc6b9cd9b96885f64b7ca7df19ca40ec install : $(TARGET)
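
Review bot: in the config/rootfiles/common/libpng hunk only `usr/lib/libpng16.so.16.56.0` changes to `usr/lib/libpng16.so.16.58.0`, while `usr/lib/libpng16.so.16` stays as unchanged context, so the soname is the same; the "Update of rootfile" bullet could say so, which tells the reader that programs linked against libpng do not need a rebuild for this update.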
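
Review bot: the `VER = 1.6.58` line in the first lfs/libpng hunk skips over 1.6.57, which per the changelog in the message is the release that carries the CVE-2026-34757 fix, yet the subject only reads "Update to version 1.6.58". Consider naming the CVE in the subject or in the "CVE fix applied in 1.6.57" bullet so the security relevance is visible in a one-line log and in a search by CVE id.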
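
Review bot: the `$(DL_FILE)_BLAKE2` line in the second lfs/libpng hunk swaps in a new digest, but nothing in the message says how the 1.6.58 tarball was authenticated before the digest was computed. The digest pins whatever was downloaded, so a sentence in the commit message stating that the tarball was checked against the upstream release signature or published checksum would let a reviewer trust the new value.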