author tron <tron> 2014-02-27 15:54:45 +0000
committer tron <tron> 2014-02-27 15:54:45 +0000
commit 3a73d1d3345f75852e32a899f77fe092df310937
parent 7280a5e597680818a32aeb08db7ea30beed27c33
Pullup ticket #4334 - requested by wiz
graphics/png: security update

Revisions pulled up:
- graphics/png/Makefile 1.166-1.168
- graphics/png/distinfo 1.111-1.113
- graphics/png/patches/patch-aa deleted
- graphics/png/patches/patch-contrib_tools_pngfix.c deleted

---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Dec 31 17:27:48 UTC 2013

Modified Files:
  pkgsrc/graphics/png: Makefile distinfo

Log Message:
Update to 1.6.8:

Version 1.6.8beta01 [November 24, 2013]
  Moved prototype for png_handle_unknown() in pngpriv.h outside of the #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED/#endif block.
  Added "-Wall" to CFLAGS in contrib/pngminim/*/makefile
  Conditionally compile some unused functions reported by -Wall in pngminim.
  Fixed 'minimal' builds. Various obviously useful minimal configurations don't build because of missing contrib/libtests test programs and overly complex dependencies in scripts/pnglibconf.dfa. This change adds contrib/conftest/*.dfa files that can be used in automatic build scripts to ensure that these configurations continue to build.
  Enabled WRITE_INVERT and WRITE_PACK in contrib/pngminim/encoder.
  Fixed pngvalid 'fail' function declaration on the Intel C Compiler. This reverts to the previous 'static' implementation and works round the 'unused static function' warning by using PNG_UNUSED().

Version 1.6.8beta02 [November 30, 2013]
  Removed or marked PNG_UNUSED some harmless "dead assignments" reported by clang scan-build.
  Changed tabs to 3 spaces in png_debug macros and changed '"%s"m' to '"%s" m' to improve portability among compilers.
  Changed png_free_default() to free() in pngtest.c

Version 1.6.8rc01 [December 12, 2013]
  Tidied up pngfix inits and fixed pngtest no-write builds.

Version 1.6.8rc02 [December 14, 2013]
  Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954 and VU#650142.

Version 1.6.8 [December 19, 2013]

---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Feb 6 18:24:11 UTC 2014

Modified Files:
  pkgsrc/graphics/png: Makefile distinfo
Removed Files:
  pkgsrc/graphics/png/patches: patch-aa patch-contrib_tools_pngfix.c

Log Message:
Update to 1.6.9, getting rid of the final two patches after discussion with very helpful upstream.

Changes:

Version 1.6.9beta01 [December 26, 2013]
  Bookkeeping: Moved functions around (no changes). Moved transform function definitions before the place where they are called so that they can be made static. Move the intrapixel functions and the grayscale palette builder out of the png?tran.c files. The latter isn't a transform function and is no longer used internally, and the former MNG specific functions are better placed in pngread/pngwrite.c
  Made transform implementation functions static. This makes the internal functions called by png_do_{read|write}_transformations static. On an x86-64 DLL build (Gentoo Linux) this reduces the size of the text segment of the DLL by 1208 bytes, about 0.6%. It also simplifies maintenance by removing the declarations from pngpriv.h and allowing easier changes to the internal interfaces.
  Rebuilt configure scripts with automake-1.14.1 and autoconf-2.69 in the tar distributions.

Version 1.6.9beta02 [January 1, 2014]
  Added checks for libpng 1.5 to pngvalid.c. This supports the use of this version of pngvalid in libpng 1.5
  Merged with pngvalid.c from libpng-1.7 changes to create a single pngvalid.c
  Removed #error macro from contrib/tools/pngfix.c (Thomas Klausner).
  Merged pngrio.c, pngtrans.c, pngwio.c, and pngerror.c with libpng-1.7.0
  Merged libpng-1.7.0 changes to make no-interlace configurations work with test programs.
  Revised pngvalid.c to support libpng 1.5, which does not support the PNG_MAXIMUM_INFLATE_WINDOW option, so #define it out when appropriate in pngvalid.c
  Allow unversioned links created on install to be disabled in configure. In configure builds 'make install' changes/adds links like png.h and libpng.a to point to the newly installed, versioned, files (e.g. libpng17/png.h and libpng17.a). Three new configure options and some rearrangement of allow creation of these links to be disabled.

Version 1.6.9beta03 [January 10, 2014]
  Removed potentially misleading warning from png_check_IHDR().

Version 1.6.9beta04 [January 20, 2014]
  Updated scripts/makefile.* to use CPPFLAGS (Cosmin).
  Added clang attribute support (Cosmin).

Version 1.6.9rc01 [January 28, 2014]
  No changes.

Version 1.6.9rc02 [January 30, 2014]
  Quiet an uninitialized memory warning from VC2013 in png_get_png().

Version 1.6.9 [February 6, 2014]

---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Feb 27 15:07:09 UTC 2014

Modified Files:
  pkgsrc/graphics/png: Makefile distinfo

Log Message:
Update to 1.6.10rc01:

This fixes CERT VU#684412 and CVE-2014-0333.

Version 1.6.10beta01 [February 9, 2014]
  Backported changes from libpng-1.7.0beta30 and beta31:
  Fixed a large number of instances where PNGCBAPI was omitted from function definitions.
  Added pngimage test program for png_read_png() and png_write_png() with two new test scripts.
  Removed dependence on !PNG_READ_EXPAND_SUPPORTED for calling png_set_packing() in png_read_png().
  Fixed combination of ~alpha with shift. On read invert alpha, processing occurred after shift processing, which causes the final values to be outside the range that should be produced by the shift. Reversing the order on read makes the two transforms work together correctly and mirrors the order used on write.
  Do not read invalid sBIT chunks. Previously libpng only checked sBIT values on write, so a malicious PNG writer could therefore cause the read code to return an invalid sBIT chunk, which might lead to application errors or crashes. Such chunks are now skipped (with chunk_benign_error).
  Make png_read_png() and png_write_png() prototypes in png.h depend upon PNG_READ_SUPPORTED and PNG_WRITE_SUPPORTED.
  Support builds with unsupported PNG_TRANSFORM_* values. All of the PNG_TRANSFORM_* values are always defined in png.h and, because they are used for both read and write in some cases, it is not reliable to #if out ones that are totally unsupported. This change adds error detection in png_read_image() and png_write_image() to do a png_app_error() if the app requests something that cannot be done and it adds corresponding code to pngimage.c to handle such options by not attempting to test them.

Version 1.6.10beta02 [February 23, 2014]
  Moved redefines of png_error(), png_warning(), png_chunk_error(), and png_chunk_warning() from pngpriv.h to png.h to make them visible to libpng-calling applications.
  Moved OS dependent code from arm/arm_init.c, to allow the included implementation of the ARM NEON discovery function to be set at build-time and provide sample implementations from the current code in the contrib/arm-neon subdirectory. The __linux__ code has also been changed to compile and link on Android by using /proc/cpuinfo, and the old linux code is in contrib/arm-neon/linux-auxv.c. The new code avoids POSIX and Linux dependencies apart from opening /proc/cpuinfo and is C90 compliant.
  Check for info_ptr == NULL early in png_read_end() so we don't need to run all the png_handle_*() and depend on them to return if info_ptr == NULL. This improves the performance of png_read_end(png_ptr, NULL) and makes it more robust against future programming errors.
  Check for __has_extension before using it in pngconf.h, to support older Clang versions (Jeremy Sequoia).
  Treat CRC error handling with png_set_crc_action(), instead of with png_set_benign_errors(), which has been the case since libpng-1.6.0beta18.
  Use a user warning handler in contrib/gregbook/readpng2.c instead of default, so warnings will be put on stderr even if libpng has CONSOLE_IO disabled.
  Added png_ptr->process_mode = PNG_READ_IDAT_MODE in png_push_read_chunk after recognizing the IDAT chunk, which avoids an infinite loop while reading a datastream whose first IDAT chunk is of zero-length. This fixes CERT VU#684412 and CVE-2014-0333.
  Don't recognize known sRGB profiles as sRGB if they have been hacked, but don't reject them and don't issue a copyright violation warning.

Version 1.6.10beta03 [February 25, 2014]
  Moved some documentation from png.h to libpng.3 and libpng-manual.txt
  Minor editing of contrib/arm-neon/README and contrib/examples/*.c

Version 1.6.10rc01 [February 27, 2014]
  Fixed typos in the manual and in scripts/pnglibconf.dfa (CFLAGS -> CPPFLAGS and PNG_USR_CONFIG -> PNG_USER_CONFIG).
4 files changed, 12 insertions, 46 deletions
diff --git a/graphics/png/Makefile b/graphics/png/Makefile
index a132099104e..e249647090c 100644
--- a/graphics/png/Makefile
+++ b/graphics/png/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.165 2013/11/15 07:42:08 tron Exp $
+# $NetBSD: Makefile,v 2014/02/27 15:54:45 tron Exp $
-DISTNAME= libpng-1.6.7
+DISTNAME= libpng-1.6.10rc01
CATEGORIES= graphics
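Review bot: DISTNAME is set to libpng-1.6.10rc01, a release candidate, and nothing in the Makefile records why a pre-release is being shipped on a pullup. A one-line comment above DISTNAME naming the security fix that motivates it (the log message cites CVE-2014-0333) and stating that the package should move to the final 1.6.10 would keep the rc from lingering unnoticed.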
@@ -15,6 +15,12 @@ LICENSE= zlib
PKG_INSTALLATION_TYPES= overwrite pkgviews
+# do not create
+CONFIGURE_ARGS+= --disable-unversioned-links
+# but do install png.h outside include/libpng$VERSION for now
+# until pkgsrc is fixed to use libpng-config or the pc file everywhere
+INSTALL_TARGET= install install-header-links
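Review bot: The added comment "# do not create" above CONFIGURE_ARGS does not say what is not created, so the reason for --disable-unversioned-links cannot be read from the Makefile alone; name the object, for example the unversioned libpng links. The second comment describes install-header-links as a "for now" workaround "until pkgsrc is fixed" but gives no ticket or mailing list pointer, so there is nothing to tell a later maintainer when INSTALL_TARGET can return to its default.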
diff --git a/graphics/png/distinfo b/graphics/png/distinfo
index db2bb7509cf..97081f6b7e2 100644
--- a/graphics/png/distinfo
+++ b/graphics/png/distinfo
@@ -1,7 +1,5 @@
-$NetBSD: distinfo,v 1.110 2013/12/26 15:59:20 tron Exp $
+$NetBSD: distinfo,v 2014/02/27 15:54:45 tron Exp $
-SHA1 (libpng-1.6.7.tar.xz) = d2917fe56d416354a0dffdc852401b364624a7de
-RMD160 (libpng-1.6.7.tar.xz) = fec3676e60e019e3b2fb84c1470baec4fd9105de
-Size (libpng-1.6.7.tar.xz) = 873472 bytes
-SHA1 (patch-aa) = 080c890ee48923db959fcdeeb12e4a5a27845138
-SHA1 (patch-contrib_tools_pngfix.c) = 76d84ef9db87cb3e04e33c94a442110b2ab115da
+SHA1 (libpng-1.6.10rc01.tar.xz) = 982cdf5b19c02643b250603dafaa4c19ea22d024
+RMD160 (libpng-1.6.10rc01.tar.xz) = 9b7af69821a5df7d18334088d13fe859c8d93aef
+Size (libpng-1.6.10rc01.tar.xz) = 899072 bytes
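Review bot: The new libpng-1.6.10rc01.tar.xz entry is pinned with SHA1 and RMD160 only. For a security update it is worth adding a stronger digest line (for example SHA512) next to them if the distinfo tooling on this branch accepts it, and checking the recorded values against checksums published by upstream rather than only against the downloaded file. The removal of the two "SHA1 (patch-...)" lines matches the two patch deletions later in the diff.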
diff --git a/graphics/png/patches/patch-aa b/graphics/png/patches/patch-aa
deleted file mode 100644
index d5fdb04ac06..00000000000
--- a/graphics/png/patches/patch-aa
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-aa,v 1.33 2013/01/24 08:15:51 wiz Exp $
-Don't install compat links to libpng. Programs should use
-the pkg-config or libpng-config scripts to get the correct png library
---- 2013-01-24 02:59:12.000000000 +0000
-@@ -1526,15 +1526,6 @@ install-exec-hook:
- cd '$(DESTDIR)$(bindir)'; rm -f libpng-config
- cd '$(DESTDIR)$(bindir)';\
- $(LN_S) $(PNGLIB_BASENAME)-config libpng-config
-- @set -x;\
-- cd '$(DESTDIR)$(libdir)';\
-- for ext in a la so so.@PNGLIB_MAJOR@@PNGLIB_MINOR@.@PNGLIB_RELEASE@\
-- sl dylib dll.a; do\
-- rm -f libpng.$$ext;\
-- if test -f $(PNGLIB_BASENAME).$$ext; then\
-- $(LN_S) $(PNGLIB_BASENAME).$$ext libpng.$$ext;\
-- fi;\
-- done
- uninstall-hook:
- cd '$(DESTDIR)$(includedir)'; rm -f png.h pngconf.h pnglibconf.h
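Review bot: Confirm that --disable-unversioned-links suppresses every link the deleted install-exec-hook loop created in $(libdir), that is libpng.$$ext for a, la, so, the versioned so, sl, dylib and dll.a, before relying on it as a replacement for this patch. The patch also carried the rationale "Programs should use the pkg-config or libpng-config scripts"; with the file gone, that reasoning should be restated in the Makefile comment next to the configure argument, and the installed file list compared before and after to show that no libpng.* link reappears.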
diff --git a/graphics/png/patches/patch-contrib_tools_pngfix.c b/graphics/png/patches/patch-contrib_tools_pngfix.c
deleted file mode 100644
index 3d508340cb1..00000000000
--- a/graphics/png/patches/patch-contrib_tools_pngfix.c
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-contrib_tools_pngfix.c,v 1.1 2013/12/26 15:59:20 tron Exp $
-Fix build with C compilers other than GCC.
---- contrib/tools/pngfix.c.orig 2013-11-14 19:03:02.000000000 +0000
-+++ contrib/tools/pngfix.c 2013-12-26 15:44:27.000000000 +0000
-@@ -32,7 +32,6 @@
- # define FIX_GCC volatile
- #else
- # define FIX_GCC
--# error not tested
- #endif
- #define PROGRAM_NAME "pngfix"
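Review bot: Dropping this patch is only safe if the 1.6.10rc01 tarball no longer has "# error not tested" in the non-GCC branch of contrib/tools/pngfix.c. The log message quotes the 1.6.9beta02 entry that removes the #error macro, so this should hold, but a build of the package with a compiler other than GCC on this branch would confirm that the "Fix build with C compilers other than GCC" case is still covered.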