CVS commit: [pkgsrc-2026Q1] pkgsrc/graphics/png

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sun Apr 12 10:08:48 UTC 2026

Modified Files:
        pkgsrc/graphics/png [pkgsrc-2026Q1]: Makefile distinfo

Log Message:
Pullup ticket #7077 - requested by taca
graphics/png: security fix

Revisions pulled up:
- graphics/png/Makefile                                         1.222
- graphics/png/distinfo                                         1.168

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Thu Apr  9 05:50:43 UTC 2026

   Modified Files:
        pkgsrc/graphics/png: Makefile distinfo

   Log Message:
   png: update to 1.6.57.

   Version 1.6.57 [April 8, 2026]
     Fixed CVE-2026-34757 (medium severity):
       Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
       leading to corrupted chunk data and potential heap information disclosure.
       Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`,
       `png_set_unknown_chunks`) against a theoretical variant of the same
       aliasing pattern.
       (Reported by Iv4n <Iv4n550%users.noreply.github.com@localhost>.)
     Fixed integer overflow in rowbytes computation in read transforms.
       (Contributed by Mohammad Seet.)


To generate a diff of this commit:
cvs rdiff -u -r1.220.2.1 -r1.220.2.2 pkgsrc/graphics/png/Makefile
cvs rdiff -u -r1.166.2.1 -r1.166.2.2 pkgsrc/graphics/png/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/png/Makefile
diff -u pkgsrc/graphics/png/Makefile:1.220.2.1 pkgsrc/graphics/png/Makefile:1.220.2.2
--- pkgsrc/graphics/png/Makefile:1.220.2.1      Fri Mar 27 01:37:17 2026
+++ pkgsrc/graphics/png/Makefile        Sun Apr 12 10:08:48 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.220.2.1 2026/03/27 01:37:17 maya Exp $
+# $NetBSD: Makefile,v 1.220.2.2 2026/04/12 10:08:48 bsiegert Exp $
 
-DISTNAME=      libpng-1.6.56
+DISTNAME=      libpng-1.6.57
 PKGNAME=       ${DISTNAME:S/lib//}
 CATEGORIES=    graphics
 MASTER_SITES+= ${MASTER_SITE_SOURCEFORGE:=libpng/}

Index: pkgsrc/graphics/png/distinfo
diff -u pkgsrc/graphics/png/distinfo:1.166.2.1 pkgsrc/graphics/png/distinfo:1.166.2.2
--- pkgsrc/graphics/png/distinfo:1.166.2.1      Fri Mar 27 01:37:17 2026
+++ pkgsrc/graphics/png/distinfo        Sun Apr 12 10:08:48 2026
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.166.2.1 2026/03/27 01:37:17 maya Exp $
+$NetBSD: distinfo,v 1.166.2.2 2026/04/12 10:08:48 bsiegert Exp $
 
 BLAKE2s (apng-20260116.patch) = b60bc1c57608e79afb87ba55fb152137d1910ba986d6aacad6d600392096b48a
 SHA512 (apng-20260116.patch) = f8de2168a1a8ed546de7eb6c3da993f99139f385ceaf008ecd8dc64869bb86a4cf61b749ee4060fa207a89917ead7c61d35e409ff477b6240e1a7bc141e2de24
 Size (apng-20260116.patch) = 49195 bytes
-BLAKE2s (libpng-1.6.56.tar.xz) = f197f3661f2bde5843bb12dd02e5e68d9d371e8bdc34db01b14565b3ecfa7438
-SHA512 (libpng-1.6.56.tar.xz) = e405c46d7c9cf8c6c9fb6cf35b7e8498bb863bb24a918f4a6b1aca9f1e61d8b9feb46cb67a5478b6d87da74b2baf1d1f25c43889866408fc23c0ac498094081f
-Size (libpng-1.6.56.tar.xz) = 1067028 bytes
+BLAKE2s (libpng-1.6.57.tar.xz) = ab0bb253e9a4d33520f861b00bb4038865d9ebbadbb393ed05a9eb7b4bbdf7f5
+SHA512 (libpng-1.6.57.tar.xz) = 9e7a691b96dd2c2c2ab66666685685a6c29824653aa85b15e764ff4afcebf02cfe776d58881a88d91e9cf60b11958079c923e2ea16bc5374b01a7f3edf56a71d
+Size (libpng-1.6.57.tar.xz) = 1069484 bytes
 SHA1 (patch-libpng-config.in) = 04f8d6af31114017ce9d1280e62f1768c35c289d
 SHA1 (patch-pngpriv.h) = 16f80df18a2f58eec784e2d821e8bb93c3e81747