pkgsrc-Changes archive
CVS commit: [pkgsrc-2025Q3] pkgsrc/graphics/png
Module Name: pkgsrc
Committed By: maya
Date: Sat Dec 6 21:36:04 UTC 2025
Modified Files:
pkgsrc/graphics/png [pkgsrc-2025Q3]: Makefile distinfo
Log Message:
Pullup ticket #7035 - requested by bsiegert
graphics/png: Security fix
Revisions pulled up:
- graphics/png/Makefile 1.215-1.216
- graphics/png/distinfo 1.160-1.161
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat Nov 22 07:06:11 UTC 2025
Modified Files:
pkgsrc/graphics/png: Makefile distinfo
Log Message:
png: update to 1.6.51.
Version 1.6.51 [November 21, 2025]
Fixed CVE-2025-64505 (moderate severity):
Heap buffer overflow in `png_do_quantize` via malformed palette index.
(Reported by Samsung; analyzed by Fabio Gritti.)
Fixed CVE-2025-64506 (moderate severity):
Heap buffer over-read in `png_write_image_8bit` with 8-bit input and
`convert_to_8bit` enabled.
(Reported by Samsung and <weijinjinnihao%users.noreply.github.com@localhost>;
analyzed by Fabio Gritti.)
Fixed CVE-2025-64720 (high severity):
Buffer overflow in `png_image_read_composite` via incorrect palette
premultiplication.
(Reported by Samsung; analyzed by John Bowler.)
Fixed CVE-2025-65018 (high severity):
Heap buffer overflow in `png_combine_row` triggered via
`png_image_finish_read`.
(Reported by <yosiimich%users.noreply.github.com@localhost>.)
Fixed a memory leak in `png_set_quantize`.
(Reported by Samsung; analyzed by Fabio Gritti.)
Removed the experimental and incomplete ERROR_NUMBERS code.
(Contributed by Tobias Stoeckmann.)
Improved the RISC-V vector extension support; required RVV 1.0 or newer.
(Contributed by Filip Wasil.)
Added GitHub Actions workflows for automated testing.
Performed various refactorings and cleanups.
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Dec 3 23:11:32 UTC 2025
Modified Files:
pkgsrc/graphics/png: Makefile distinfo
Log Message:
png: update to 1.6.52.
Security fix release.
Version 1.6.52 [December 3, 2025]
Fixed CVE-2025-66293 (high severity):
Out-of-bounds read in `png_image_read_composite`.
(Reported by flyfish101 <flyfish101%users.noreply.github.com@localhost>.)
Fixed the Paeth filter handling in the RISC-V RVV implementation.
(Reported by Filip Wasil; fixed by Liang Junzhao.)
Improved the performance of the RISC-V RVV implementation.
(Contributed by Liang Junzhao.)
Added allocation failure fuzzing to oss-fuzz.
(Contributed by Philippe Antoine.)
To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.214.2.1 pkgsrc/graphics/png/Makefile
cvs rdiff -u -r1.159 -r1.159.2.1 pkgsrc/graphics/png/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/graphics/png/Makefile
diff -u pkgsrc/graphics/png/Makefile:1.214 pkgsrc/graphics/png/Makefile:1.214.2.1
--- pkgsrc/graphics/png/Makefile:1.214 Thu Jul 3 13:15:49 2025
+++ pkgsrc/graphics/png/Makefile Sat Dec 6 21:36:04 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.214 2025/07/03 13:15:49 wiz Exp $
+# $NetBSD: Makefile,v 1.214.2.1 2025/12/06 21:36:04 maya Exp $
-DISTNAME= libpng-1.6.50
+DISTNAME= libpng-1.6.52
PKGNAME= ${DISTNAME:S/lib//}
CATEGORIES= graphics
MASTER_SITES+= ${MASTER_SITE_SOURCEFORGE:=libpng/}
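Review bot: The `DISTNAME` line goes from libpng-1.6.50 directly to libpng-1.6.52, so this stable-branch pullup carries all of 1.6.51 as well, including the non-security items in that log (removal of the ERROR_NUMBERS code, RVV 1.0 or newer now required). It would help to state in the pullup ticket that those changes were reviewed for the branch. The diff shows no other Makefile hunk, so if a `PKGREVISION` line exists further down it was left in place; confirm there is none to drop with the version bump.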
Index: pkgsrc/graphics/png/distinfo
diff -u pkgsrc/graphics/png/distinfo:1.159 pkgsrc/graphics/png/distinfo:1.159.2.1
--- pkgsrc/graphics/png/distinfo:1.159 Thu Jul 3 13:15:49 2025
+++ pkgsrc/graphics/png/distinfo Sat Dec 6 21:36:04 2025
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.159 2025/07/03 13:15:49 wiz Exp $
+$NetBSD: distinfo,v 1.159.2.1 2025/12/06 21:36:04 maya Exp $
BLAKE2s (apng-20250220.patch) = 456a8fcead8bb3fd29936de9a6288bef6769026ff2c955371db0c2098548d68b
SHA512 (apng-20250220.patch) = 120ac618b60d5e1ff2406d241e4ddc2c1893978653adcf462ce394ce3b6b2e5847545e04b0fcb20aab563a1546017ce622d1d2dd14f89d1d594130d626f1e6eb
Size (apng-20250220.patch) = 49281 bytes
-BLAKE2s (libpng-1.6.50.tar.xz) = bebe99204ef8ba7b90b8f9961c0a788ffaa11a8ff3344afd9d2de85ab700cfed
-SHA512 (libpng-1.6.50.tar.xz) = 05adc94ef532bbddaae46e087088a23236e6528fd3fc705c8edfb5ff293983b790d4361d6b20c20df73632a9fbe55d2f394296385cd8efd646f58393ff21257d
-Size (libpng-1.6.50.tar.xz) = 1060992 bytes
+BLAKE2s (libpng-1.6.52.tar.xz) = 972ef470292507fcc7df75720624d86a66360b1d3751ebf8e5750cbcdcfd60ca
+SHA512 (libpng-1.6.52.tar.xz) = 2bb1318f36712fc007613373a44a3276b4ed129b51b908464d9577ea9704d3caa469ec5bc7ebfb8b1de57ba3998c0b3375cd105054011ec54c21e9f208ec3c8b
+Size (libpng-1.6.52.tar.xz) = 1063580 bytes
SHA1 (patch-libpng-config.in) = 04f8d6af31114017ce9d1280e62f1768c35c289d
SHA1 (patch-pngpriv.h) = 16f80df18a2f58eec784e2d821e8bb93c3e81747
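Review bot: The `apng-20250220.patch` entries and the two `SHA1 (patch-...)` lines are unchanged context while the base tarball moves from 1.6.50 to 1.6.52. Confirm that the APNG patch and the local patches to `libpng-config.in` and `pngpriv.h` still apply cleanly to the 1.6.52 sources, since upstream changed across two releases. The three tarball lines (BLAKE2s, SHA512, Size) are replaced together, which is consistent.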