Bug 123186 - [PATCH]graphics/png: update to 1.2.27
Summary: [PATCH]graphics/png: update to 1.2.27
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Andrey A. Chernov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-29 04:20 UTC by bf
Modified: 2008-04-29 13:10 UTC

See Also:


Attachments
file.diff (1.25 KB, patch) 2008-04-29 04:20 UTC, bf

Description bf 2008-04-29 04:20:00 UTC
Update to 1.2.27, released 29 April 2008.  Relevant changes:

  Fixed bug (introduced in libpng-1.0.5h) with handling zero-length
    unknown chunks.
  Added more information about png_set_keep_unknown_chunks() to the
    documentation.
  Reject tRNS chunk with out-of-range samples instead of masking off
    the invalid high bits as done since libpng-1.2.19beta5.
  Revised documentation about unknown chunk and user chunk handling.
  Keep tRNS chunk with out-of-range samples and issue a png_warning().
  Added check for NULL ptr in TURBOC version of png_free_default().
  Removed several unnecessary checks for NULL before calling png_free().
  Revised png_set_tRNS() so that calling it twice removes and invalidates
    the previous call.
  Revised pngtest to check for out-of-range tRNS samples.
  Avoid changing color_type from GRAY to RGB by
    png_set_expand_gray_1_2_4_to_8().

Since this fixes CVE-2008-1382 (see, for example, http://jaist.dl.sourceforge.net/sourceforge/libpng/Advisory-1.2.27.txt), the security/vuxml database should be updated to show that this version of the port is not insecure.  Also, it's probably time to switch to USE_LDCONFIG, but since my last proposed changes in this direction were rejected, I'll let the maintainer/portmgr worry about it.  This is related to PR ports/122869, but the proposed update in this PR is to a later stable version.

Fix: Patch attached with submission follows:
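The two checks named in the 1.2.27 changelog quoted above, walking past a zero-length unknown chunk without reading outside it and range-checking tRNS samples against the IHDR bit depth, as an added example in C.  This is not libpng code and not the submitted port patch: it is a stand-alone chunk walker whose struct, function and chunk names are the example's own.  The PNG bytes it parses are constructed inline (a 1x1 4-bit grayscale IHDR, a zero-length private ancillary chunk named prIv, a tRNS whose gray sample 16 exceeds the 4-bit maximum 15, then IEND; no IDAT, since nothing here decodes pixels).  Like the later of the two tRNS changelog entries, it keeps the chunk and counts the bad sample as a warning rather than rejecting the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example chunk walker, not libpng code; names are the example's own. */
struct png_report {
    int bit_depth, color_type;
    int chunks;              /* chunks walked, IEND included */
    int zero_length_unknown; /* ancillary unknown chunks carrying no data */
    int trns_out_of_range;   /* tRNS samples wider than bit_depth bits */
};
/* CRC-32 as PNG uses it: reflected polynomial 0xEDB88320, init and final xor 0xFFFFFFFF. */
static uint32_t crc32_png(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ ((c & 1) ? 0xedb88320u : 0);
    }
    return c ^ 0xffffffffu;
}
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* A gray or RGB tRNS sample must fit in bit_depth bits; 16-bit samples always do. */
int trns_sample_ok(uint32_t sample, int bit_depth) {
    return bit_depth >= 16 || sample <= (1u << bit_depth) - 1;
}

/* Walk the chunk stream into r.  Returns 0 on success, -1 if the file is malformed. */
int png_walk(const uint8_t *buf, size_t len, struct png_report *r) {
    memset(r, 0, sizeof *r);
    if (len < 8 || memcmp(buf, "\x89PNG\r\n\x1a\n", 8) != 0) return -1;
    for (size_t pos = 8;;) {
        /* Even a zero-length chunk occupies 12 bytes: length, type and CRC. */
        if (len - pos < 12) return -1;
        uint32_t clen = be32(buf + pos);
        const uint8_t *type = buf + pos + 4, *data = buf + pos + 8;
        if (clen > 0x7fffffffu || clen > len - pos - 12) return -1;
        if (crc32_png(type, 4 + clen) != be32(data + clen)) return -1;
        if (r->chunks == 0 && memcmp(type, "IHDR", 4) != 0) return -1;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return -1;
            r->bit_depth = data[8];
            r->color_type = data[9];
        } else if (memcmp(type, "tRNS", 4) == 0) {
            /* Gray: one 16-bit sample; RGB: three.  Palette tRNS is bytes, no range check. */
            int n = r->color_type == 0 ? 1 : r->color_type == 2 ? 3 : 0;
            if (n && clen != (uint32_t)(2 * n)) return -1;
            for (int i = 0; i < n; i++) {
                uint32_t s = ((uint32_t)data[2 * i] << 8) | data[2 * i + 1];
                if (!trns_sample_ok(s, r->bit_depth)) r->trns_out_of_range++; /* keep, warn */
            }
        } else if (memcmp(type, "IEND", 4) == 0) {
            r->chunks++;
            return 0;
        } else if (!(type[0] & 0x20)) {
            return -1; /* upper-case first letter: unknown critical chunk */
        } else if (clen == 0) {
            r->zero_length_unknown++; /* ancillary and empty: nothing to copy, just skip */
        }
        r->chunks++;
        pos += 12 + clen;
    }
}
/* Append one chunk with a correct CRC; returns the new write position. */
static size_t append_chunk(uint8_t *out, size_t pos, const char *type,
                           const uint8_t *data, uint32_t clen) {
    put_be32(out + pos, clen);
    memcpy(out + pos + 4, type, 4);
    if (clen) memcpy(out + pos + 8, data, clen);
    put_be32(out + pos + 8 + clen, crc32_png(out + pos + 4, 4 + clen));
    return pos + 12 + clen;
}

/* Constructed input, not a real file: 1x1 4-bit grayscale IHDR, a zero-length
 * private ancillary chunk "prIv", a tRNS whose gray sample 16 exceeds the 4-bit
 * maximum 15, then IEND.  No IDAT: nothing here decodes pixels. */
size_t build_sample(uint8_t *out) {
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 4, 0, 0, 0, 0};
    static const uint8_t trns[2] = {0x00, 0x10};
    memcpy(out, "\x89PNG\r\n\x1a\n", 8);
    size_t pos = append_chunk(out, 8, "IHDR", ihdr, 13);
    pos = append_chunk(out, pos, "prIv", NULL, 0);
    pos = append_chunk(out, pos, "tRNS", trns, 2);
    return append_chunk(out, pos, "IEND", NULL, 0);
}

int main(void) {
    uint8_t buf[128];
    struct png_report r;
    int rc = png_walk(buf, build_sample(buf), &r);
    printf("rc=%d chunks=%d zero-length unknown=%d tRNS out of range=%d\n",
           rc, r.chunks, r.zero_length_unknown, r.trns_out_of_range);
    return rc != 0;
}
```

The point of the 12-byte minimum check is that a chunk with length 0 still has a length field, a type and a CRC to read; a walker that only reserves room for the data field, or that treats "no data" as "no chunk", is the kind of code the changelog entry about zero-length unknown chunks is about.  The tRNS check is keyed off the IHDR bit depth, which is why the walker insists IHDR comes first.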
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-04-29 04:20:06 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ache

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2008-04-29 13:09:10 UTC
ache        2008-04-29 12:09:06 UTC

  FreeBSD ports repository

  Modified files:
    graphics/png         Makefile distinfo 
    graphics/png/files   patch-ab 
  Log:
  Upgrade to 1.2.27
  It fixes CVE-2008-1382
  
  PR:             123186
  Submitted by:   bf <bf2006a@yahoo.com>
  
  Revision  Changes    Path
  1.87      +1 -1      ports/graphics/png/Makefile
  1.40      +3 -3      ports/graphics/png/distinfo
  1.13      +1 -1      ports/graphics/png/files/patch-ab
Comment 3 Andrey A. Chernov freebsd_committer freebsd_triage 2008-04-29 13:10:07 UTC
State Changed
From-To: open->closed

Committed