./graphics/png, Library for manipulating PNG images


Branch: CURRENT, Version: 1.6.58nb1, Package name: png-1.6.58nb1, Maintainer: pkgsrc-users

Libpng was written as a companion to the PNG specification, as a
way to reduce the amount of time and effort it takes to support
the PNG file format in application programs. Most users will not
have to modify the library significantly; advanced users may want
to modify it more. The library was coded for both users. All
attempts were made to make it as complete as possible, while
keeping the code easy to understand. Currently, this library
only supports C. Support for other languages is being considered.


Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 1045.016 KB

CVS history:


   2026-05-17 15:50:09 by Tobias Nygren | Files touched by this commit (1)
Log message:
png: bump revision

(for https://github.com/pnggroup/libpng/security/advisories/GHSA-c4v6-gxrq-6g2x)

   2026-05-17 15:45:31 by Tobias Nygren | Files touched by this commit (2) | Package updated
Log message:
png: update apng patch

   2026-04-16 08:41:53 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
png: update to 1.6.58.

Version 1.6.58 [April 15, 2026]
  Fixed a regression introduced in version 1.6.56 that caused `png_get_PLTE`
    to return stale palette data after applying gamma and background transforms
    in-place.
    (Reported by ralfjunker <[email protected]>.)

   2026-04-09 07:50:43 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
png: update to 1.6.57.

Version 1.6.57 [April 8, 2026]
  Fixed CVE-2026-34757 (medium severity):
    Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
    leading to corrupted chunk data and potential heap information disclosure.
    Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`,
    `png_set_unknown_chunks`) against a theoretical variant of the same
    aliasing pattern.
    (Reported by Iv4n <[email protected]>.)
  Fixed integer overflow in rowbytes computation in read transforms.
    (Contributed by Mohammad Seet.)

   2026-03-26 08:42:55 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
png: update to 1.6.56.

Version 1.6.56 [March 25, 2026]
  Fixed CVE-2026-33416 (high severity):
    Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
    (Reported by Halil Oktay and Ryo Shimada;
    fixed by Halil Oktay and Cosmin Truta.)
  Fixed CVE-2026-33636 (high severity):
    Out-of-bounds read/write in the palette expansion on ARM Neon.
    (Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
  Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
    (Contributed by Halil Oktay.)
  Fixed stale `info_ptr->palette` after in-place gamma and background
    transforms.
  Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
    (Contributed by Yuelin Wang.)
  Fixed wrong background color in colormap read.
    (Contributed by Yuelin Wang.)
  Fixed dead loop in sPLT write.
    (Contributed by Yuelin Wang.)
  Added missing null pointer checks in four public API functions.
    (Contributed by Yuelin Wang.)
  Validated shift bit depths in `png_set_shift` to prevent infinite loop.
    (Contributed by Yuelin Wang.)
  Avoided undefined behavior in library and tests.
  Deprecated the hardly-ever-tested POINTER_INDEXING config option.
  Added negative-stride test coverage for the simplified API.
  Fixed memory leaks and API misuse in oss-fuzz.
    (Contributed by Owen Sanzas.)
  Implemented various fixes and improvements in oss-fuzz.
    (Contributed by Bob Friesenhahn and Philippe Antoine.)
  Performed various refactorings and cleanups.

   2026-02-10 08:01:20 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
png: update to 1.6.55.

Version 1.6.55 [February 9, 2026]
  Fixed CVE-2026-25646 (high severity):
    Heap buffer overflow in `png_set_quantize`.
    (Reported and fixed by Joshua Inscoe.)
  Resolved an oss-fuzz build issue involving nalloc.
    (Contributed by Philippe Antoine.)

   2026-01-21 10:18:19 by Tobias Nygren | Files touched by this commit (2)
Log message:
png: reference apng commit id instead of the tip. NFC

   2026-01-21 10:14:43 by Tobias Nygren | Files touched by this commit (2) | Package updated
Log message:
png: update apng patch for current release