Date:      Tue, 29 Apr 2008 03:17:59 GMT
From:      bf <bf2006a@yahoo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/123186: [PATCH]graphics/png: update to 1.2.27
Message-ID:  <200804290317.m3T3HxL5003692@www.freebsd.org>
Resent-Message-ID: <200804290320.m3T3K0fl037688@freefall.freebsd.org>


>Number:         123186
>Category:       ports
>Synopsis:       [PATCH]graphics/png: update to 1.2.27
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 29 03:20:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     bf
>Release:        7-STABLE i386
>Organization:
-
>Environment:
>Description:
Update to 1.2.27, released 29 April 2008.  Relevant changes:

  Fixed bug (introduced in libpng-1.0.5h) with handling zero-length
    unknown chunks.
  Added more information about png_set_keep_unknown_chunks() to the
    documentation.
  Reject tRNS chunk with out-of-range samples instead of masking off
    the invalid high bits as done in since libpng-1.2.19beta5.
  Revised documentation about unknown chunk and user chunk handling.
  Keep tRNS chunk with out-of-range samples and issue a png_warning().
  Added check for NULL ptr in TURBOC version of png_free_default().
  Removed several unnecessary checks for NULL before calling png_free().
  Revised png_set_tRNS() so that calling it twice removes and invalidates
    the previous call.
  Revised pngtest to check for out-of-range tRNS samples.
  Avoid changing color_type from GRAY to RGB by
    png_set_expand_gray_1_2_4_to_8().

Since this fixes CVE-2008-1382 (see, for example, http://jaist.dl.sourceforge.net/sourceforge/libpng/Advisory-1.2.27.txt), the security/vuxml database should be updated to show that this version of the port is not insecure.  Also, it's probably time to switch to USE_LDCONFIG, but since my last proposed changes in this direction were rejected, I'll let the maintainer/portmgr worry about it.  This is related to PR ports/122869, but the proposed update in this PR is to a later stable version.

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN png.orig/Makefile png/Makefile
--- png.orig/Makefile	2008-04-28 22:30:20.473072988 -0400
+++ png/Makefile	2008-04-28 22:47:35.836374748 -0400
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	png
-PORTVERSION=	1.2.26
+PORTVERSION=	1.2.27
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	lib${PORTNAME}
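Review bot: The PORTVERSION line is the only Makefile change, yet the description says this release fixes CVE-2008-1382, and nothing in the submitted patch touches security/vuxml. Suggest committing the vuxml update together with this version bump so the fixed version is recorded at the same time the port moves to 1.2.27.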
diff -ruN png.orig/distinfo png/distinfo
--- png.orig/distinfo	2008-04-28 22:30:20.473072988 -0400
+++ png/distinfo	2008-04-28 22:47:35.836374748 -0400
@@ -1,3 +1,3 @@
-MD5 (libpng-1.2.26.tar.bz2) = 1f743f4a3e5a9c12ea16eff0c60c3f8e
-SHA256 (libpng-1.2.26.tar.bz2) = 17c589b64902c6fc045ad85d748c647035b9916016813182402e89114aa7ebe7
-SIZE (libpng-1.2.26.tar.bz2) = 627569
+MD5 (libpng-1.2.27.tar.bz2) = 310954baea8bedbe1a1c0fbd13a494ad
+SHA256 (libpng-1.2.27.tar.bz2) = 742891c0ec5a5fa5a7a545b08865e96e922447d8095b71e5348b9ff6d3123a9a
+SIZE (libpng-1.2.27.tar.bz2) = 641193
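Review bot: The three added lines for libpng-1.2.27.tar.bz2 (MD5, SHA256, SIZE) are submitter-supplied and are the only integrity check the port applies to the fetched distfile. For a security update, the committer should fetch the tarball independently from MASTER_SITES, regenerate distinfo with make makesum, and confirm the output matches these values before committing.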
diff -ruN png.orig/files/patch-ab png/files/patch-ab
--- png.orig/files/patch-ab	2008-04-28 22:30:20.473072988 -0400
+++ png/files/patch-ab	2008-04-28 22:47:35.836374748 -0400
@@ -12,7 +12,7 @@
  
  Name: libpng
  Description: Loads and saves PNG files
- Version: 1.2.26
+ Version: 1.2.27
 -Libs: -L${libdir} -lpng12
 +Libs: -L${libdir} -lpng -lz -lm
  Cflags: -I${includedir}
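Review bot: The "Version: 1.2.27" line changed in files/patch-ab is a context line of the embedded patch, so this file has to be hand-edited on every upstream release or the embedded patch no longer matches its target exactly. Suggest trimming the embedded patch's context so it covers only the Libs: change, which keeps the version string out of files/patch-ab.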


>Release-Note:
>Audit-Trail:
>Unformatted:


