Update to 1.2.27, released 29 April 2008. Relevant changes:
Fixed bug (introduced in libpng-1.0.5h) with handling zero-length
Added more information about png_set_keep_unknown_chunks() to the
Reject tRNS chunk with out-of-range samples instead of masking off
the invalid high bits as done since libpng-1.2.19beta5.
Revised documentation about unknown chunk and user chunk handling.
Keep tRNS chunk with out-of-range samples and issue a png_warning().
Added check for NULL ptr in TURBOC version of png_free_default().
Removed several unnecessary checks for NULL before calling png_free().
Revised png_set_tRNS() so that calling it twice removes and invalidates
the previous call.
Revised pngtest to check for out-of-range tRNS samples.
Avoid changing color_type from GRAY to RGB by
Since this fixes CVE-2008-1382 (see, for example,
), the security/vuxml database should be updated to show that this version of the port is not insecure. Also, it's probably time to switch to USE_LDCONFIG, but since my last proposed changes in this direction were rejected, I'll let the maintainer/portmgr worry about it. This is related to PR ports/122869, but the proposed update in this PR is to a later stable version.
Fix: Patch attached with submission follows:
Over to maintainer (via the GNATS Auto Assign Tool)
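The tRNS handling listed in the changelog above (keep the chunk but flag samples that need more bits than the image's bit depth allows, instead of masking the high bits, and never read a zero-length payload) as a standalone check. This is example code added for this page, not libpng's png_handle_tRNS() and not the patch attached to the PR; the PNGX_* colour-type values are the PNG specification's, the TRNS_* status codes are invented for the example, and bit_depth is assumed to have been validated from IHDR (1..16) already.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PNG colour types that may carry a tRNS chunk (values from the PNG spec). */
enum { PNGX_GRAY = 0, PNGX_RGB = 2, PNGX_PALETTE = 3 };
/* Status codes invented for this example (not libpng's). */
enum trns_status { TRNS_OK = 0, TRNS_BAD_LENGTH = 1, TRNS_OUT_OF_RANGE = 2 };

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);   /* PNG samples are big-endian */
}

/* Validate a tRNS payload of `len` bytes against the IHDR parameters.
 * Gray/RGB samples above 2^bit_depth - 1 are reported, not masked; a
 * zero-length payload is reported as a bad length and never dereferenced. */
enum trns_status check_trns(const uint8_t *data, size_t len, int color_type,
                            int bit_depth, size_t palette_entries)
{
    uint16_t max = (bit_depth >= 16) ? 0xFFFFu
                                     : (uint16_t)((1u << bit_depth) - 1u);
    switch (color_type) {
    case PNGX_GRAY:                       /* one 2-byte gray sample */
        if (len != 2) return TRNS_BAD_LENGTH;
        return be16(data) > max ? TRNS_OUT_OF_RANGE : TRNS_OK;
    case PNGX_RGB:                        /* three 2-byte samples: R, G, B */
        if (len != 6) return TRNS_BAD_LENGTH;
        for (size_t i = 0; i < 6; i += 2)
            if (be16(data + i) > max) return TRNS_OUT_OF_RANGE;
        return TRNS_OK;
    case PNGX_PALETTE:                    /* one alpha byte per palette entry */
        if (len == 0 || len > palette_entries) return TRNS_BAD_LENGTH;
        return TRNS_OK;                   /* a byte is always within 0..255 */
    default:                              /* alpha colour types never carry tRNS */
        return TRNS_BAD_LENGTH;
    }
}

/* Constructed payloads for demonstration; not taken from any real file. */
static const uint8_t sample_gray_ok[2]   = { 0x00, 0x7F };   /* 127 */
static const uint8_t sample_gray_high[2] = { 0x01, 0x00 };   /* 256: too big for 8-bit */
static const uint8_t sample_rgb[6] = { 0x00, 0x10, 0x00, 0x20, 0x00, 0x40 }; /* 16,32,64 */

int main(void)
{
    printf("8-bit gray 256 -> %d\n", check_trns(sample_gray_high, 2, PNGX_GRAY, 8, 0));
    printf("4-bit rgb 16/32/64 -> %d\n", check_trns(sample_rgb, 6, PNGX_RGB, 4, 0));
    printf("zero-length gray -> %d\n", check_trns(sample_gray_ok, 0, PNGX_GRAY, 8, 0));
    return 0;
}
```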
ache 2008-04-29 12:09:06 UTC
FreeBSD ports repository
graphics/png Makefile distinfo
Upgrade to 1.2.27
It fixes CVE-2008-1382
Submitted by: bf <email@example.com>
Revision Changes Path
1.87 +1 -1 ports/graphics/png/Makefile
1.40 +3 -3 ports/graphics/png/distinfo
1.13 +1 -1 ports/graphics/png/files/patch-ab