Date: Tue, 29 Apr 2008 03:17:59 GMT
From: bf <bf2006a@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/123186: [PATCH]graphics/png: update to 1.2.27
Message-ID: <200804290317.m3T3HxL5003692@www.freebsd.org>
Resent-Message-ID: <200804290320.m3T3K0fl037688@freefall.freebsd.org>
>Number: 123186
>Category: ports
>Synopsis: [PATCH]graphics/png: update to 1.2.27
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 29 03:20:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: bf
>Release: 7-STABLE i386
>Organization: -
>Environment:
>Description:
Update to 1.2.27, released 29 April 2008. Relevant changes:

Fixed bug (introduced in libpng-1.0.5h) with handling zero-length unknown chunks.
Added more information about png_set_keep_unknown_chunks() to the documentation.
Reject tRNS chunk with out-of-range samples instead of masking off the invalid high bits as done in since libpng-1.2.19beta5.
Revised documentation about unknown chunk and user chunk handling.
Keep tRNS chunk with out-of-range samples and issue a png_warning().
Added check for NULL ptr in TURBOC version of png_free_default().
Removed several unnecessary checks for NULL before calling png_free().
Revised png_set_tRNS() so that calling it twice removes and invalidates the previous call.
Revised pngtest to check for out-of-range tRNS samples.
Avoid changing color_type from GRAY to RGB by png_set_expand_gray_1_2_4_to_8().

Since this fixes CVE-2008-1382 (see, for example, http://jaist.dl.sourceforge.net/sourceforge/libpng/Advisory-1.2.27.txt ), the security/vuxml database should be updated to show that this version of the port is not insecure.

Also, it's probably time to switch to USE_LDCONFIG, but since my last proposed changes in this direction were rejected, I'll let the maintainer/portmgr worry about it.

This is related to PR ports/122869, but the proposed update in this PR is to a later stable version.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

diff -ruN png.orig/Makefile png/Makefile --- png.orig/Makefile 2008-04-28 22:30:20.473072988 -0400 +++ png/Makefile 2008-04-28 22:47:35.836374748 -0400 
@@ -6,7 +6,7 @@ # PORTNAME= png -PORTVERSION= 1.2.26 +PORTVERSION= 1.2.27 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= lib${PORTNAME} diff -ruN png.orig/distinfo png/distinfo --- png.orig/distinfo 2008-04-28 22:30:20.473072988 -0400 +++ png/distinfo 2008-04-28 22:47:35.836374748 -0400 @@ -1,3 +1,3 @@ -MD5 (libpng-1.2.26.tar.bz2) = 1f743f4a3e5a9c12ea16eff0c60c3f8e -SHA256 (libpng-1.2.26.tar.bz2) = 17c589b64902c6fc045ad85d748c647035b9916016813182402e89114aa7ebe7 -SIZE (libpng-1.2.26.tar.bz2) = 627569 +MD5 (libpng-1.2.27.tar.bz2) = 310954baea8bedbe1a1c0fbd13a494ad +SHA256 (libpng-1.2.27.tar.bz2) = 742891c0ec5a5fa5a7a545b08865e96e922447d8095b71e5348b9ff6d3123a9a +SIZE (libpng-1.2.27.tar.bz2) = 641193 diff -ruN png.orig/files/patch-ab png/files/patch-ab --- png.orig/files/patch-ab 2008-04-28 22:30:20.473072988 -0400 +++ png/files/patch-ab 2008-04-28 22:47:35.836374748 -0400 @@ -12,7 +12,7 @@ Name: libpng Description: Loads and saves PNG files - Version: 1.2.26 + Version: 1.2.27 -Libs: -L${libdir} -lpng12 +Libs: -L${libdir} -lpng -lz -lm Cflags: -I${includedir} >Release-Note: >Audit-Trail: >Unformatted:
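Review bot: In the Makefile hunk, the PORTVERSION bump to 1.2.27 is the only change made for the CVE-2008-1382 fix, and the security/vuxml update that the description asks for is not part of this patch. No file under security/vuxml appears in the diff, so the vuxml change should be committed together with this bump; otherwise the fixed version will not be recorded as fixed.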
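Review bot: In the distinfo hunk, the new MD5, SHA256 and SIZE lines for libpng-1.2.27.tar.bz2 come from the submitter alone, and nothing in the patch ties them to what upstream published. Before committing, fetch the tarball independently from MASTER_SITE_SOURCEFORGE, regenerate the file with make makesum, and compare the result with these three lines and with any checksum given in the upstream release announcement.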
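Review bot: In the files/patch-ab hunk, the only change is the context line Version: 1.2.26 becoming Version: 1.2.27, so the upstream version string is hardcoded in the port's local patch and has to be edited by hand on every update. Consider trimming patch-ab so that the Version line is not part of its context and only the Libs: change remains; a version bump would then need no edit in this file.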