libpng 1.6.36 build failure on linux arm64 (Debian and Ubuntu) #266

LocutusOfBorg · 2018-12-28T11:23:17Z

See e.g. https://buildd.debian.org/status/fetch.php?pkg=libpng1.6&arch=arm64&ver=1.6.36-1&stamp=1545917181&raw=0

make  check-TESTS
make[3]: Entering directory '/<<PKGBUILDDIR>>'
make[4]: Entering directory '/<<PKGBUILDDIR>>'
PASS: tests/pngtest
PASS: tests/pngtest-badpngs
PASS: tests/pngvalid-gamma-16-to-8
PASS: tests/pngvalid-gamma-threshold
FAIL: tests/pngvalid-gamma-expand16-transform
PASS: tests/pngvalid-progressive-interlace-standard
PASS: tests/pngvalid-gamma-expand16-background
PASS: tests/pngvalid-gamma-background
PASS: tests/pngvalid-gamma-transform
PASS: tests/pngvalid-progressive-standard
PASS: tests/pngvalid-standard
PASS: tests/pngvalid-progressive-size
PASS: tests/pngvalid-gamma-sbit
FAIL: tests/pngvalid-transform
PASS: tests/pngvalid-gamma-alpha-mode
PASS: tests/pngvalid-gamma-expand16-alpha-mode
PASS: tests/pngstest-linear-alpha
PASS: tests/pngunknown-IDAT
PASS: tests/pngunknown-discard
PASS: tests/pngunknown-if-safe
PASS: tests/pngunknown-sAPI
PASS: tests/pngunknown-sTER
PASS: tests/pngunknown-save
PASS: tests/pngunknown-vpAg
PASS: tests/pngstest-1.8-alpha
PASS: tests/pngimage-quick
PASS: tests/pngstest-linear
PASS: tests/pngstest-1.8
PASS: tests/pngstest-none-alpha
PASS: tests/pngstest-sRGB-alpha
PASS: tests/pngstest-none
PASS: tests/pngstest-sRGB
PASS: tests/pngimage-full
=====================================
   libpng 1.6.36: ./test-suite.log
=====================================

# TOTAL: 33
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: tests/pngvalid-gamma-expand16-transform
=============================================

Gamma correction error summary

The printed value is the maximum error in the pixel values
calculated by the libpng gamma correction code.  The error
is calculated as the difference between the output pixel
value (always an integer) and the ideal value from the
libpng specification (typically not an integer).

Expect this value to be less than .5 for 8 bit formats,
less than 1 for formats with fewer than 8 bits and a small
number (typically less than 5) for the 16 bit formats.
For performance reasons the value for 16 bit formats
increases when the image file includes an sBIT chunk.
gamma 0.455->1.000: read indexed-colour[0] 8 bit: memory lost (list follows):
	1024 bytes @ 0xaaaac9b84440

Basic gamma correction:
  2 bit gray:  127.07023
  4 bit gray:  127.07023
  8 bit gray:  128.32752
  8 bit color: 128.32752
  indexed:     128.32752
 16 bit gray:  0.74080
 16 bit color: 0.74080
pngvalid: 
pngvalid: 1 errors, 0 warnings
FAIL: pngvalid --strict --gamma-transform --expand16 (floating point arithmetic)
FAIL tests/pngvalid-gamma-expand16-transform (exit status: 1)

FAIL: tests/pngvalid-transform
==============================

transform: +rgb_to_gray: read indexed-colour[0] 8 bit: memory lost (list follows):
	1024 bytes @ 0xaaaad27974c0
pngvalid: 
pngvalid: 1 errors, 0 warnings
FAIL: pngvalid --strict --transform (floating point arithmetic)
FAIL tests/pngvalid-transform (exit status: 1)

============================================================================
Testsuite summary for libpng 1.6.36
============================================================================
# TOTAL: 33
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to png-mng-implement@lists.sourceforge.net

The text was updated successfully, but these errors were encountered:

LocutusOfBorg · 2018-12-28T13:00:17Z

a git bisect reveals 7734cda as the bad commit

LocutusOfBorg · 2018-12-28T13:00:42Z

@richard-townsend-arm do you have any idea for this regression on aarch64?

ctruta · 2018-12-31T04:45:45Z

Looks like a memory leak in the ARM-specific png_do_expand_palette. I don't have access to an aarch64 machine at this moment. I'll get back to you in a week or two, unless @richard-townsend-arm comes back to us with a fix.

ctruta · 2018-12-31T06:29:51Z

Speculative fix: #268

Caveat: not tested. (No ARM machine available at this moment; see my other comment above.)

LocutusOfBorg · 2018-12-31T08:46:27Z

Seems to be not fixing this issue...

LD_LIBRARY_PATH=".libs:" dh_auto_test
	make -j8 test VERBOSE=1
make[2]: Entering directory '/<<PKGBUILDDIR>>'
/usr/bin/make  pngtest pngunknown pngstest pngvalid pngimage pngcp timepng
make[3]: Entering directory '/<<PKGBUILDDIR>>'
make[3]: 'pngtest' is up to date.
make[3]: 'pngunknown' is up to date.
make[3]: 'pngstest' is up to date.
make[3]: 'pngvalid' is up to date.
make[3]: 'pngimage' is up to date.
make[3]: 'pngcp' is up to date.
make[3]: 'timepng' is up to date.
make[3]: Leaving directory '/<<PKGBUILDDIR>>'
/usr/bin/make  check-TESTS
make[3]: Entering directory '/<<PKGBUILDDIR>>'
make[4]: Entering directory '/<<PKGBUILDDIR>>'
PASS: tests/pngtest
PASS: tests/pngtest-badpngs
PASS: tests/pngvalid-gamma-threshold
PASS: tests/pngvalid-gamma-16-to-8
FAIL: tests/pngvalid-gamma-expand16-transform
PASS: tests/pngvalid-progressive-size
PASS: tests/pngvalid-progressive-interlace-standard
PASS: tests/pngvalid-progressive-standard
PASS: tests/pngvalid-gamma-transform
PASS: tests/pngvalid-gamma-expand16-background
PASS: tests/pngvalid-gamma-background
PASS: tests/pngvalid-standard
FAIL: tests/pngvalid-transform
PASS: tests/pngvalid-gamma-sbit
PASS: tests/pngvalid-gamma-alpha-mode
PASS: tests/pngvalid-gamma-expand16-alpha-mode
PASS: tests/pngstest-linear-alpha
PASS: tests/pngstest-1.8-alpha
PASS: tests/pngunknown-IDAT
PASS: tests/pngunknown-discard
PASS: tests/pngunknown-if-safe
PASS: tests/pngunknown-sAPI
PASS: tests/pngunknown-sTER
PASS: tests/pngunknown-save
PASS: tests/pngunknown-vpAg
PASS: tests/pngimage-quick
PASS: tests/pngstest-linear
PASS: tests/pngstest-1.8
PASS: tests/pngstest-none-alpha
PASS: tests/pngstest-none
PASS: tests/pngstest-sRGB-alpha
PASS: tests/pngstest-sRGB
PASS: tests/pngimage-full
qemu: Unsupported syscall: 276
=====================================
   libpng 1.6.36: ./test-suite.log
=====================================

# TOTAL: 33
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: tests/pngvalid-gamma-expand16-transform
=============================================

Gamma correction error summary

The printed value is the maximum error in the pixel values
calculated by the libpng gamma correction code.  The error
is calculated as the difference between the output pixel
value (always an integer) and the ideal value from the
libpng specification (typically not an integer).

Expect this value to be less than .5 for 8 bit formats,
less than 1 for formats with fewer than 8 bits and a small
number (typically less than 5) for the 16 bit formats.
For performance reasons the value for 16 bit formats
increases when the image file includes an sBIT chunk.
gamma 0.455->1.000: read indexed-colour[0] 8 bit: memory lost (list follows):
	1024 bytes @ 0x4000b41490

Basic gamma correction:
  2 bit gray:  127.07023
  4 bit gray:  127.07023
  8 bit gray:  128.32752
  8 bit color: 128.32752
  indexed:     128.32752
 16 bit gray:  0.74080
 16 bit color: 0.74080
pngvalid: 
pngvalid: 1 errors, 0 warnings
FAIL: pngvalid --strict --gamma-transform --expand16 (floating point arithmetic)
FAIL tests/pngvalid-gamma-expand16-transform (exit status: 1)

FAIL: tests/pngvalid-transform
==============================

transform: +rgb_to_gray: read indexed-colour[0] 8 bit: memory lost (list follows):
	1024 bytes @ 0x4000b2c510
pngvalid: 
pngvalid: 1 errors, 0 warnings
FAIL: pngvalid --strict --transform (floating point arithmetic)
FAIL tests/pngvalid-transform (exit status: 1)

============================================================================
Testsuite summary for libpng 1.6.36
============================================================================
# TOTAL: 33
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to png-mng-implement@lists.sourceforge.net
============================================================================
make[4]: *** [Makefile:1457: test-suite.log] Error 1
make[4]: Leaving directory '/<<PKGBUILDDIR>>'
make[3]: *** [Makefile:1565: check-TESTS] Error 2
make[3]: Leaving directory '/<<PKGBUILDDIR>>'
make[2]: *** [Makefile:1998: check-am] Error 2
make[2]: Leaving directory '/<<PKGBUILDDIR>>'
dh_auto_test: make -j8 test VERBOSE=1 returned exit code 2
make[1]: *** [debian/rules:21: override_dh_auto_test] Error 2
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:14: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
--------------------------------------------------------------------------------
Build finished at 2018-12-31T08:34:59Z

btw I use pbuilder-dist to setup an arm64 machine on my amd64 pc
(pbuilder-dist sid arm64 create), with qemu it works well for debugging this kind of things, even if slow :)

richard-townsend-arm · 2018-12-31T11:53:16Z

Hi, thanks for reporting @LocutusOfBorg. The riffled palette is currently allocated lazily, so I think it's just figuring out how to make sure that the test suite cleans it up in an appropriate place, I'll be able to investigate it a bit more once I'm back in the office.

LocutusOfBorg · 2018-12-31T13:02:27Z

thanks a lot!

LocutusOfBorg · 2018-12-31T13:02:57Z

right now, I'm disabling your arm optimizations on arm64, and this solution is really sub-optimal for Debian and Ubuntu :)

hmaarrfk · 2019-01-08T05:04:28Z

@LocutusOfBorg do you have a patch for disabling the optimization you want to share?

LocutusOfBorg · 2019-01-08T09:35:25Z

yes, reverting the commits on arm64 :)
apply the following patches:
https://sources.debian.org/src/libpng1.6/1.6.36-2/debian/patches/revert-1ceaa83a844cd3ecef25279d60720f910b96f297.patch/
https://sources.debian.org/src/libpng1.6/1.6.36-2/debian/patches/revert-b66ed711315c46ef6c556c83c0074ecdcbd9937f.patch/
https://sources.debian.org/src/libpng1.6/1.6.36-2/debian/patches/revert-7734cda20cf1236aef60f3bbd2267c97bbb40869.patch/
conditionally on arm64

hmaarrfk · 2019-01-08T14:29:23Z

Strange, I keep failing with:

make[1]: *** No rule to make target 'arm/palette_neon_intrinsics.c', needed by 'arm/palette_neon_intrinsics.lo'.  Stop.

Do I need to run any autotools?

LocutusOfBorg · 2019-01-08T14:36:39Z

sure, because one patch deletes the file :)

LocutusOfBorg · 2019-01-08T14:36:59Z

this is what I do:

override_dh_autoreconf:
ifeq (arm64,$(DEB_HOST_ARCH))
	patch -p1 < debian/patches/revert-1ceaa83a844cd3ecef25279d60720f910b96f297.patch
	patch -p1 < debian/patches/revert-b66ed711315c46ef6c556c83c0074ecdcbd9937f.patch
	patch -p1 < debian/patches/revert-7734cda20cf1236aef60f3bbd2267c97bbb40869.patch
endif
	dh_autoreconf

LocutusOfBorg · 2019-01-08T14:37:07Z

so, I have to do it before autoreconfing

hmaarrfk · 2019-01-08T15:28:34Z

magic, thanks @LocutusOfBorg!

Fixes pnggroup#266

richard-townsend-arm · 2019-01-11T19:58:59Z

I managed to replicate the issue on an arm64 debian system, @LocutusOfBorg, could you try #272 and see whether it fixes your issue?

LocutusOfBorg · 2019-01-13T09:38:38Z

yeah it works! I uploaded in debian, lets see what happens in a few minutes
https://buildd.debian.org/status/package.php?p=libpng1.6&suite=unstable

ctruta · 2019-01-21T07:15:56Z

Thank you for the patches, @richard-townsend-arm

In your two patches, there is the first patch which fixes the core problem as in my original hotfix, and the second one, which fixes the testing issue.

I updated my hotfix also, see the new branch hotfix/memleak-riffled-palette-r2. I hope you won't mind, by I prefer the original solution from my hotfix, because it removes the unnecessary code from pngwrite.c, and it compiles the ARM-specific optimization conditionally so that the rest of the platforms aren't affected. This optimization can be added later to x86, etc., and then the conditionals can be expanded.

As for your 2nd patch, the fix to pngvalid.c, please don't mind me but I'm still looking for a better solution. At this moment I believe that the error is in the validation code, not in libpng itself, and a proper fix is needed. You are making a supplemental call to png_destroy_read_struct() with a contrived set of parameters, which appeases the tests, but the real question is: why is there a need for a supplemental call? Why isn't the original call insufficient?

To illustrate the underlying problem (which is still not fixed, unfortunately), I pushed my draft work to the topic branch topic/fix-pngstruct-memleak. You can see that, outside of ARM-specific code, I'm adding a dummy malloc, which I am freeing, and yet the pngvalid.c test program is showing leaks. With and without your png_destroy_read_struct() call, there are still leaks shown. (3 leaks with your patch, or 4 leaks without your patch.) There should be no leaks.

Still investigating.

Sentimentron · 2019-01-29T13:42:58Z

This has come back on my radar as a few more people try to roll libpng on arm64 platforms. When you say original call, is store_read_reset in pngvalid.c supposed to take care of cleaning everything up?

ctruta · 2019-01-30T07:20:30Z

Yes. See my debug experiment:

https://github.com/glennrp/libpng/commits/topic/debug-pngstruct-memleak
7cfabf1

I wanted to investigate it closer last weekend, but something came up and I couldn't. Hope to be able to do it next weekend.

For the time being, just by picking up this hotfix:
https://github.com/glennrp/libpng/commits/hotfix/memleak-riffled-palette-r2
abaf471
the users should consider libpng fixed, even though pngvalid.c fails.

Although I understand that disabling the checks based on pngvalid.c in regression scripts feels less than ideal, it is the best course of action available at this moment. If pngvalid.c fails and yet memory checking tools like Valgrind or Address Sanitizer are not complaining, then the problem is clearly with pngvalid.c.

For the longer term, I contemplate replacing pngvalid.c with simpler tools that do a better job. Address Sanitizer FTW!

ctruta · 2019-02-04T09:43:33Z

Fixed in master. Also refactored. "Works For Me (tm)."
See 70d122a

A hotfix for 1.6.36 is also available, see the branch hotfix/memleak-riffled-palette.

LocutusOfBorg · 2019-02-05T18:15:42Z

@ctruta looks like there is still something wrong.
EDIT: I reuploaded to my ppa after forgetting one chunk of the patch
I applied
70d122a
and also
8439534

on top of 1.6.36 release, and it failed on arm64 again
https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/locutusofborg-ppa/+sourcepub/9893938/+listing-archive-extra

   debian/rules override_dh_auto_test
make[1]: Entering directory '/<<PKGBUILDDIR>>'
LD_LIBRARY_PATH=".libs:" dh_auto_test
	make -j4 test VERBOSE=1
make[2]: Entering directory '/<<PKGBUILDDIR>>'
make  pngtest pngunknown pngstest pngvalid pngimage pngcp timepng
make[3]: Entering directory '/<<PKGBUILDDIR>>'
make[3]: 'pngtest' is up to date.
make[3]: 'pngunknown' is up to date.
make[3]: 'pngstest' is up to date.
make[3]: 'pngvalid' is up to date.
make[3]: 'pngimage' is up to date.
make[3]: 'pngcp' is up to date.
make[3]: 'timepng' is up to date.
make[3]: Leaving directory '/<<PKGBUILDDIR>>'
make  check-TESTS
make[3]: Entering directory '/<<PKGBUILDDIR>>'
make[4]: Entering directory '/<<PKGBUILDDIR>>'
PASS: tests/pngtest
PASS: tests/pngtest-badpngs
PASS: tests/pngvalid-gamma-16-to-8
PASS: tests/pngvalid-gamma-background
PASS: tests/pngvalid-gamma-expand16-background
FAIL: tests/pngvalid-gamma-expand16-transform
PASS: tests/pngvalid-gamma-threshold
PASS: tests/pngvalid-gamma-alpha-mode
PASS: tests/pngvalid-gamma-transform
PASS: tests/pngvalid-gamma-expand16-alpha-mode
PASS: tests/pngvalid-progressive-interlace-standard
PASS: tests/pngvalid-progressive-standard
PASS: tests/pngvalid-gamma-sbit
PASS: tests/pngvalid-standard
PASS: tests/pngvalid-progressive-size
PASS: tests/pngvalid-transform
PASS: tests/pngstest-1.8-alpha
FAIL: tests/pngstest-linear
FAIL: tests/pngstest-1.8
PASS: tests/pngstest-linear-alpha
PASS: tests/pngstest-none-alpha
PASS: tests/pngunknown-IDAT
PASS: tests/pngunknown-discard
PASS: tests/pngunknown-if-safe
PASS: tests/pngunknown-sAPI
PASS: tests/pngunknown-sTER
PASS: tests/pngunknown-save
PASS: tests/pngunknown-vpAg
PASS: tests/pngimage-quick
FAIL: tests/pngstest-none
FAIL: tests/pngstest-sRGB
PASS: tests/pngstest-sRGB-alpha
PASS: tests/pngimage-full
=====================================
   libpng 1.6.36: ./test-suite.log
=====================================

# TOTAL: 33
# PASS:  28
# SKIP:  0
# XFAIL: 0
# FAIL:  5
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: tests/pngvalid-gamma-expand16-transform
=============================================

Gamma correction error summary

The printed value is the maximum error in the pixel values
calculated by the libpng gamma correction code.  The error
is calculated as the difference between the output pixel
value (always an integer) and the ideal value from the
libpng specification (typically not an integer).

Expect this value to be less than .5 for 8 bit formats,
less than 1 for formats with fewer than 8 bits and a small
number (typically less than 5) for the 16 bit formats.
For performance reasons the value for 16 bit formats
increases when the image file includes an sBIT chunk.

Basic gamma correction:
  2 bit gray:  127.07023
  4 bit gray:  127.07023
  8 bit gray:  128.32752
  8 bit color: 128.32752
  indexed:     18530.13919
 16 bit gray:  0.74080
 16 bit color: 0.74080
pngvalid: read: indexed-colour[0] 8 bit: gamma 0.455->1.000: red(131/255) ^2.20(gamma correction) = 15163.0 < 15138.5 (libpng: 33667)/65535 < 15163.0
pngvalid: 0 errors, 739 warnings
FAIL: pngvalid --strict --gamma-transform --expand16 (floating point arithmetic)
FAIL tests/pngvalid-gamma-expand16-transform (exit status: 1)

FAIL: tests/pngstest-1.8
========================

PASS: ./contrib/testpngs/gray-1-1.8-tRNS.png
PASS: ./contrib/testpngs/gray-1-1.8.png
PASS: ./contrib/testpngs/gray-16-1.8-tRNS.png
PASS: ./contrib/testpngs/gray-16-1.8.png
PASS: ./contrib/testpngs/gray-2-1.8-tRNS.png
PASS: ./contrib/testpngs/gray-2-1.8.png
PASS: ./contrib/testpngs/gray-4-1.8-tRNS.png
PASS: ./contrib/testpngs/gray-4-1.8.png
PASS: ./contrib/testpngs/gray-8-1.8-tRNS.png
PASS: ./contrib/testpngs/gray-8-1.8.png
PASS: ./contrib/testpngs/palette-1-1.8-tRNS.png
PASS: ./contrib/testpngs/palette-1-1.8.png
PASS: ./contrib/testpngs/palette-2-1.8-tRNS.png
PASS: ./contrib/testpngs/palette-2-1.8.png
PASS: ./contrib/testpngs/palette-4-1.8-tRNS.png
PASS: ./contrib/testpngs/palette-4-1.8.png
./contrib/testpngs/palette-8-1.8-tRNS.png(10,0) alpha component error:
 color-mapped-sRGB-rgb+alpha(78,78,255,220) on background sRGB-rgb(251,188,65) ->
       sRGB-rgb(47,47,255)
  not: sRGB-rgb(123,103,240).
 The error happened when reading the original file with this format.
FAIL: ./contrib/testpngs/palette-8-1.8-tRNS.png
PASS: ./contrib/testpngs/palette-8-1.8.png
PASS: ./contrib/testpngs/rgb-16-1.8-tRNS.png
PASS: ./contrib/testpngs/rgb-16-1.8.png
PASS: ./contrib/testpngs/rgb-8-1.8-tRNS.png
PASS: ./contrib/testpngs/rgb-8-1.8.png
FAIL tests/pngstest-1.8 (exit status: 1)

FAIL: tests/pngstest-linear
===========================

PASS: ./contrib/testpngs/gray-1-linear-tRNS.png
PASS: ./contrib/testpngs/gray-1-linear.png
PASS: ./contrib/testpngs/gray-16-linear-tRNS.png
PASS: ./contrib/testpngs/gray-16-linear.png
PASS: ./contrib/testpngs/gray-2-linear-tRNS.png
PASS: ./contrib/testpngs/gray-2-linear.png
PASS: ./contrib/testpngs/gray-4-linear-tRNS.png
PASS: ./contrib/testpngs/gray-4-linear.png
PASS: ./contrib/testpngs/gray-8-linear-tRNS.png
PASS: ./contrib/testpngs/gray-8-linear.png
PASS: ./contrib/testpngs/palette-1-linear-tRNS.png
PASS: ./contrib/testpngs/palette-1-linear.png
PASS: ./contrib/testpngs/palette-2-linear-tRNS.png
PASS: ./contrib/testpngs/palette-2-linear.png
PASS: ./contrib/testpngs/palette-4-linear-tRNS.png
PASS: ./contrib/testpngs/palette-4-linear.png
./contrib/testpngs/palette-8-linear-tRNS.png(5,0) alpha component error:
 color-mapped-sRGB-rgb+alpha(160,160,255,236) on background sRGB-rgb(251,188,65) ->
       sRGB-rgb(90,90,255)
  not: sRGB-rgb(169,162,247).
 The error happened when reading the original file with this format.
FAIL: ./contrib/testpngs/palette-8-linear-tRNS.png
PASS: ./contrib/testpngs/palette-8-linear.png
PASS: ./contrib/testpngs/rgb-16-linear-tRNS.png
PASS: ./contrib/testpngs/rgb-16-linear.png
PASS: ./contrib/testpngs/rgb-8-linear-tRNS.png
PASS: ./contrib/testpngs/rgb-8-linear.png
FAIL tests/pngstest-linear (exit status: 1)

FAIL: tests/pngstest-none
=========================

PASS: ./contrib/testpngs/gray-1-tRNS.png
PASS: ./contrib/testpngs/gray-1.png
PASS: ./contrib/testpngs/gray-16-tRNS.png
PASS: ./contrib/testpngs/gray-16.png
PASS: ./contrib/testpngs/gray-2-tRNS.png
PASS: ./contrib/testpngs/gray-2.png
PASS: ./contrib/testpngs/gray-4-tRNS.png
PASS: ./contrib/testpngs/gray-4.png
PASS: ./contrib/testpngs/gray-8-tRNS.png
PASS: ./contrib/testpngs/gray-8.png
PASS: ./contrib/testpngs/palette-1-tRNS.png
PASS: ./contrib/testpngs/palette-1.png
PASS: ./contrib/testpngs/palette-2-tRNS.png
PASS: ./contrib/testpngs/palette-2.png
PASS: ./contrib/testpngs/palette-4-tRNS.png
PASS: ./contrib/testpngs/palette-4.png
./contrib/testpngs/palette-8-tRNS.png(13,0) alpha component error:
 color-mapped-sRGB-rgb+alpha(32,32,255,210) on background sRGB-rgb(251,188,65) ->
       sRGB-rgb(32,32,255)
  not: sRGB-rgb(118,89,235).
 The error happened when reading the original file with this format.
FAIL: ./contrib/testpngs/palette-8-tRNS.png
PASS: ./contrib/testpngs/palette-8.png
PASS: ./contrib/testpngs/rgb-16-tRNS.png
PASS: ./contrib/testpngs/rgb-16.png
PASS: ./contrib/testpngs/rgb-8-tRNS.png
PASS: ./contrib/testpngs/rgb-8.png
FAIL tests/pngstest-none (exit status: 1)

FAIL: tests/pngstest-sRGB
=========================

PASS: ./contrib/testpngs/gray-1-sRGB-tRNS.png
PASS: ./contrib/testpngs/gray-1-sRGB.png
PASS: ./contrib/testpngs/gray-16-sRGB-tRNS.png
PASS: ./contrib/testpngs/gray-16-sRGB.png
PASS: ./contrib/testpngs/gray-2-sRGB-tRNS.png
PASS: ./contrib/testpngs/gray-2-sRGB.png
PASS: ./contrib/testpngs/gray-4-sRGB-tRNS.png
PASS: ./contrib/testpngs/gray-4-sRGB.png
PASS: ./contrib/testpngs/gray-8-sRGB-tRNS.png
PASS: ./contrib/testpngs/gray-8-sRGB.png
PASS: ./contrib/testpngs/palette-1-sRGB-tRNS.png
PASS: ./contrib/testpngs/palette-1-sRGB.png
PASS: ./contrib/testpngs/palette-2-sRGB-tRNS.png
PASS: ./contrib/testpngs/palette-2-sRGB.png
PASS: ./contrib/testpngs/palette-4-sRGB-tRNS.png
PASS: ./contrib/testpngs/palette-4-sRGB.png
./contrib/testpngs/palette-8-sRGB-tRNS.png(13,0) alpha component error:
 color-mapped-sRGB-rgb+alpha(32,32,255,210) on background sRGB-rgb(251,188,65) ->
       sRGB-rgb(32,32,255)
  not: sRGB-rgb(118,89,235).
 The error happened when reading the original file with this format.
FAIL: ./contrib/testpngs/palette-8-sRGB-tRNS.png
PASS: ./contrib/testpngs/palette-8-sRGB.png
PASS: ./contrib/testpngs/rgb-16-sRGB-tRNS.png
PASS: ./contrib/testpngs/rgb-16-sRGB.png
PASS: ./contrib/testpngs/rgb-8-sRGB-tRNS.png
PASS: ./contrib/testpngs/rgb-8-sRGB.png
FAIL tests/pngstest-sRGB (exit status: 1)

============================================================================
Testsuite summary for libpng 1.6.36
============================================================================
# TOTAL: 33
# PASS:  28
# SKIP:  0
# XFAIL: 0
# FAIL:  5
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to png-mng-implement@lists.sourceforge.net
============================================================================

LocutusOfBorg · 2019-02-05T18:17:29Z

right now, I uploaded the following three patches on top of clean 1.6.36:

cat debian/patches/272.patch (PR #272)

From d0c0f5f96bad2391f62511bf1c92be6ffeaaae41 Mon Sep 17 00:00:00 2001
From: Richard Townsend <Richard.Townsend@arm.com>
Date: Fri, 11 Jan 2019 16:55:51 +0000
Subject: [PATCH 2/2] Free png_structp members after use in gamma_test

Fixes #266
---
 contrib/libtests/pngvalid.c | 3 +++
 1 file changed, 3 insertions(+)

Index: libpng1.6/pngread.c
===================================================================
--- libpng1.6.orig/pngread.c
+++ libpng1.6/pngread.c
@@ -994,6 +994,12 @@
    png_ptr->chunk_list = NULL;
 #endif
 
+#if defined(PNG_READ_EXPAND_SUPPORTED) && \
+    defined(PNG_ARM_NEON_IMPLEMENTATION)
+   png_free(png_ptr, png_ptr->riffled_palette);
+   png_ptr->riffled_palette = NULL;
+#endif
+
    /* NOTE: the 'setjmp' buffer may still be allocated and the memory and error
     * callbacks are still set at this point.  They are required to complete the
     * destruction of the png_struct itself.
Index: libpng1.6/contrib/libtests/pngvalid.c
===================================================================
--- libpng1.6.orig/contrib/libtests/pngvalid.c
+++ libpng1.6/contrib/libtests/pngvalid.c
@@ -10472,6 +10472,9 @@
             d.this.ps->validated = 1;
       }
 
+      /* Clean up png_structp, without destroying the structure itself. */
+      png_destroy_read_struct(&(d.pm->this.pread), &pi, &pi);
+
       modifier_reset(d.pm);
 
       if (d.pm->log && !d.threshold_test && !d.this.speed)

commit: 8439534

and
cat debian/patches/CVE-2019-7317.patch

Origin: https://github.com/glennrp/libpng/issues/275
Author: Cosmin Truta
Description: Fix for CVE-2019-7317
diff --git a/png.c b/png.c
index 9d9926f638..efd1aecfbd 100644
--- a/png.c
+++ b/png.c
@@ -4588,8 +4588,7 @@ png_image_free(png_imagep image)
    if (image != NULL && image->opaque != NULL &&
       image->opaque->error_buf == NULL)
    {
-      /* Ignore errors here: */
-      (void)png_safe_execute(image, png_image_free_function, image);
+      png_image_free_function(image);
       image->opaque = NULL;
    }
 }

LocutusOfBorg · 2019-02-05T18:17:48Z

this way looks like everything builds correctly

ctruta · 2019-03-25T06:34:15Z

I've been finally able to debug what's going on, and I discovered that pngvalid does some funky things that were fine with the old libpng code, but not really fine with the new one.

As of commit 70d122a, the memory leak is fixed. The riffled palette buffer is allocated and initialized once, where is should be (i.e. inside png_init_palette_transformations), and deallocated once, where is should be (i.e. inside png_read_destroy). Everything should be fine.

When executed with certain parameters, pngvalid is modifying certain png_ptr attributes (e.g. png_ptr->num_palette and png_ptr->num_trans) without going again fully through the initialization phase. I am not 100% sure that this is correct API-wise, though.

An easy fix would have been to leave the riffled palette buffer allocation as it's done in 70d122a, inside png_init_palette_transformations, but move its initialization back to its original spot, inside png_do_read_transformations. I've tested it on an ARM64 machine, and confirmed that it works. The work is not done yet, however, because, aside from the not-so-nice decoupling of allocation and initialization, a performance issue may now be introduced.

Is it a significant issue? I don't know yet. I'm still looking for the better fix.

Here is the interim fix, applicable to commit 70d122a:

diff --git a/pngrtran.c b/pngrtran.c
index 3294340912..35a867e840 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1163,14 +1163,11 @@ png_init_palette_transformations(png_structrp png_ptr)

 #ifdef PNG_READ_EXPAND_SUPPORTED
 #ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE
-   /* Initialize the accelerated palette expansion, if applicable. */
    if ((png_ptr->transformations & PNG_EXPAND) != 0)
    {
+      /* Allocate the accelerated palette expansion buffer, if applicable. */
       if ((png_ptr->num_trans > 0) && (png_ptr->bit_depth == 8))
-      {
          png_ptr->riffled_palette = (png_bytep)png_malloc(png_ptr, 256 * 4);
-         png_riffle_palette_rgba8(png_ptr);
-      }
    }
 #endif /* PNG_ARM_NEON_INTRINSICS_AVAILABLE */

@@ -4785,6 +4782,11 @@ png_do_read_transformations(png_structrp png_ptr, png_row_infop row_info)
    {
       if (row_info->color_type == PNG_COLOR_TYPE_PALETTE)
       {
+#ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE
+         /* Initialize the accelerated palette expansion buffer. */
+         if (png_ptr->riffled_palette)
+            png_riffle_palette_rgba8(png_ptr);
+#endif
          png_do_expand_palette(png_ptr, row_info, png_ptr->row_buf + 1,
              png_ptr->palette, png_ptr->trans_alpha, png_ptr->num_trans);
       }

ctruta · 2019-03-25T06:58:49Z

Quick update:

Is it a significant issue? I don't know yet. I'm still looking for the better fix.

Of course it is significant. png_do_read_transformations is executed for every row. The original 1.6.36 code checks for "is it allocated yet?", also at every row, and does nothing unless it's the first allocation. The original check is not a free check, but it's cheap. The new one isn't.

The above patch is good enough for a proof-of-concept correctness fix, but otherwise it's unacceptable, because it will ruin the performance. A proper fix is clearly needed.

ctruta · 2019-04-08T04:01:47Z

I pushed the fix. "It Works For Me."

Could you please give it a respin, @LocutusOfBorg?

LocutusOfBorg · 2019-04-08T09:39:49Z

it looks like working, thanks!

libpng1.6 (1.6.37-2) unstable; urgency=medium [ Debian Janitor ] * Set upstream metadata fields: Bug-Database, Repository, Repository- Browse. * Rely on pre-initialized dpkg-architecture variables. * Fix day-of-week for changelog entry 1.0.0-0.1. * Set upstream metadata fields: Bug-Submit. [ Gianfranco Costamagna ] * Bump std-version to 4.5.0, no changes required libpng1.6 (1.6.37-1) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.37-1~exp4) experimental; urgency=medium * debian/patches/72fa126446460347a504f3d9b90f24aed1365595.patch: - cherry-pick upstream possible fix for tests not being parallel-safe (Closes: #920657) libpng1.6 (1.6.37-1~exp3) experimental; urgency=medium * Fix two lintian warnings: - drop upstream signing key, upstream seems to have stopped tarball signatures when moved to github (see upstream issue: #287) - double "version" tag in debian/watch libpng1.6 (1.6.37-1~exp2) experimental; urgency=medium * Simplify tests, by not passing the .libs directory during their execution libpng1.6 (1.6.37-1~exp1) experimental; urgency=medium * New upstream version 1.6.37 - upload to experimental because of freeze * Update watch file for github publish site * Update copyright years and text for pngminus * Drop all upstream patches, patch refresh for apng patch * Bump compat level to 12 libpng1.6 (1.6.36-6) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.36-5exp1) experimental; urgency=medium * Drop Anibal from uploaders list, thank you for your nice work! (Closes: #925014) * Update copyright years. * Drop patch 272.patch, superseeded by upstream commits: 70d122aac42933ab8a708c538f973c3307853212.patch (uncommented) 82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch a627bd26a375f5c41d54f90a47c838157d1bec97.patch libpng1.6 (1.6.36-5) unstable; urgency=medium * Tweak old 272 patch to add the only relevant part of commit 70d122aac42933ab8a708c538f973c3307853212.patch * Drop 70d122aac42933ab8a708c538f973c3307853212.patch, it breaks the testsuite. libpng1.6 (1.6.36-4) unstable; urgency=high * debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch, debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch: - new fixes for arm64 and general test failures (and leaks) * debian/patches/CVE-2019-7317.patch: - fix for CVE 2019-7317 (Closes: #921355) Thanks Salvatore Bonaccorso for your report! libpng1.6 (1.6.36-3) unstable; urgency=medium * debian/patches/272.patch: - upstream fix for arm64 test failures. - drop previous revert-* patches libpng1.6 (1.6.36-2) unstable; urgency=medium * Update watch file for github location * Add apng support, like what is done in arch linux - pnggroup/libpng#267 * d/p/revert-{7734cda20cf1236aef60f3bbd2267c97bbb40869, 1ceaa83a844cd3ecef25279d60720f910b96f297, b66ed711315c46ef6c556c83c0074ecdcbd9937f}.patch: revert on arm64 only the chromebook optimizations, they are making the build fail. - discussion at pnggroup/libpng#266 [ Mattia Rizzolo ] * Fixup std-version numbering libpng1.6 (1.6.36-1) unstable; urgency=medium * New upstream version 1.6.36 * update copyright file * Bump std-version to 4.3.0.1, no changes required * drop patch 8a057: upstream * Add nocheck profile in rules file [ Ondřej Nový <onovy@debian.org> ] * d/changelog: Remove trailing whitespaces libpng1.6 (1.6.34-2) unstable; urgency=medium [ Salvatore Bonaccorso ] * debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch: Closes: #903430 CVE-2018-13785 [ Gianfranco Costamagna ] * Upload to unstable * Switch VCS fields to salsa.d.o * Bump std-version to 4.1.5, no changes required * Switch copyright in https mode libpng1.6 (1.6.34-1) unstable; urgency=medium * New upstream version 1.6.34 * Remove files removed upstream (the failing png files) libpng1.6 (1.6.33-1) unstable; urgency=medium * New upstream version 1.6.33 * Drop idat patch: upstream * Update copyright * Bump std-version to 4.1.1 * Remove some new test png files that make testsuite fail (they fail also on older libpng version, just they weren't available status is tracked at https://sourceforge.net/p/libpng/bugs/271/ ) libpng1.6 (1.6.32-3) unstable; urgency=high * Fix invalid IDAT images, thanks Felix Geyer for the debug/bug reassign! (Closes: #876563) libpng1.6 (1.6.32-2) unstable; urgency=medium * Bump std-version to 4.1.0, now priority is extra * Add missing newline on copyright entry, making lintian sad * Move the examples into the main libpng-dev (Closes: #876244) - thanks Helmut Grohne for the useful bug report! libpng1.6 (1.6.32-1) unstable; urgency=medium * New upstream version 1.6.32 * Update copyright file libpng1.6 (1.6.31-1) unstable; urgency=medium * New upstream release. * Update d/watch to point to ftp site and to verify gpg signature. * fix-arm-build.patch removed, fixed upstream. * Update d/copyright (years and add new maintainers) and remove some redudant entries. libpng1.6 (1.6.30-2) unstable; urgency=medium * Fix arm* build failures with upstream patch (Closes: #867670) libpng1.6 (1.6.30-1) unstable; urgency=medium * New upstream release. * Update copyright * Bump std-version to 4.0.0 libpng1.6 (1.6.29-3) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.29-2) experimental; urgency=medium * Enable PIE eveywhere libpng1.6 (1.6.29-1) experimental; urgency=medium * New upstream release. - Drop fix multiarch patch: upstream * Use autoreconf. libpng1.6 (1.6.28-1exp4) experimental; urgency=medium * Override autoreconf due to debhelper bug 844504 libpng1.6 (1.6.28-1exp3) experimental; urgency=medium * No-autoreconf for cmake builds libpng1.6 (1.6.28-1exp2) experimental; urgency=medium * Readd multiarch patch, it was merged by upstream on master but not on 1.6 branch libpng1.6 (1.6.28-1exp1) experimental; urgency=medium * Switch to cmake libpng1.6 (1.6.28-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.27-1) unstable; urgency=medium * New upstream release (Closes: #849799) - Fix for CVE-2016-10087 libpng1.6 (1.6.26-6) unstable; urgency=medium * Enable pie in Debian, disable it in Ubuntu. - thanks pochu :) libpng1.6 (1.6.26-5) unstable; urgency=medium * Revert cmake switch, failing on arm64. libpng1.6 (1.6.26-4) unstable; urgency=low * Upload to unstable. * Disable pie where Ubuntu has not defaulted yet. (armhf, arm64, powerpc) libpng1.6 (1.6.26-3) experimental; urgency=medium * Switch to cmake. libpng1.6 (1.6.26-2) unstable; urgency=medium * Enable full hardening (+pie) (Closes: #844429) libpng1.6 (1.6.26-1) unstable; urgency=low * New upstream release. * Switch to compat level 10 - Drop autoreconf/parallel, automatically injected libpng1.6 (1.6.25-2) unstable; urgency=medium * Mark the -tools package Multi-Arch: foreign. (Closes: #840446). Thanks Francois Gourget for the bug report! libpng1.6 (1.6.25-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.24-2) unstable; urgency=medium * Stop providing pngcp, because a tool with the same name is provided by pngtools (Closes: #834119, #834118). - Consider re-enabling it if ineeded, but for now the tool has no manpage and no help command. - An alternative might be to make pngtools and libpng-tools conflict each others. libpng1.6 (1.6.24-1) unstable; urgency=medium * New upstream release. - install also new pngcp tool in libpng-tools package. libpng1.6 (1.6.23-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.22-1) unstable; urgency=medium * New upstream release. - drop fix_define_PNG_READ_16_TO_8.patch: upstream * Update copyright file. libpng1.6 (1.6.21-5) unstable; urgency=medium * d/control: Add VCS-* to repository on collab-maint. * Add patch to properly define PNG_READ_16_TO_8_SUPPORTED (Closes: #824014) * Add d/gbp.conf to ensure signed tags. libpng1.6 (1.6.21-4) unstable; urgency=medium * add libpng-config.patch from the old src:libpng. - disabling multiarch bits in libpng-config has the "side-effect" to let us have a Multiarch libpng-dev package. Closes: #822297 * Make the libpng-dev package Multiarch ready. libpng1.6 (1.6.21-3) unstable; urgency=medium [ Manuel A. Fernandez Montecelo ] * Add hardening flags (excluding PIE. CLoses: #805822) [ Gianfranco Costamagna ] * Drop useless pre-depends line. [ Bart Martens ] * Fix watch file [ Laurent Bigonville ] * Drop useless packages in Replaces field. (Closes: #820887) libpng1.6 (1.6.21-2) unstable; urgency=medium * Upload to unstable. * Add myself and Tobias to uploaders, as per maintainers suggestion. * Bump std-version to 3.9.8, no changes required. libpng1.6 (1.6.21-1) experimental; urgency=medium * Team upload. * New upstream release. * Add upstream signing key * Fix watch file. * Update copyright file. * Drop libpng16-devtools, useless and merged in libpng-dev. (many packages relies on that script for building correctly) - breaks + replaces accordingly. * Remove multiarch -dev package * Rename libpng16-tools to libpng-tools, there is no need of strict versioning here. * Install upstream changelog. * Run upstream testsuite. * Remove README.* files, useless now. libpng1.6 (1.6.20-3) experimental; urgency=medium * Team upload * Move libpng16-dev to libpng-dev, to ease next transitions. * Drop conflicts against mzscheme, pngcrush, pngmeta, povray-3.5, qemacs, some of them disappeared, some of them have later versions already in old-oldstable. * Simplify even more the packaging, probably fixing #813288 * Fix symlinks, and two lintian errors: - library-in-root-and-usr - old-style-config-script-multiarch-path (multiarch: no for libpng16-devtools) * Update standard-version to 3.9.7, no changes required. * Switch to dh-autoreconf (Closes: #813027) * Remove libpng16-devtools circular dependency, recommend it instead. * Fix duplicate description lintian warning * Fix copyright lintian warnings * Remove copyright.in file * Use new plain dh calls in rules file * Remove some old lintian overrides. libpng1.6 (1.6.20-2) experimental; urgency=medium [ Tobias Frost ] * libpng16-16-udeb should not Conflicts: libpng-12-0. [ Anibal Monsalve Salazar ] * debhelper compat version is 9. * debian/control: libpng16-devtools is "Multi-Arch: same". libpng1.6 (1.6.20-1.1) experimental; urgency=medium * Non-maintainer upload. * Preparation for the transition, going to experimental. * Make libpng16-dev depend on libpng16-devtools to have libpng-config pulled in automatically for reverse dependencies. * Provide a so-name neutral devtools package libpng1.6 (1.6.20-1) experimental; urgency=medium * New upstream release. Fix CVE-2015-8472. Closes: #810074. * Use default options to compress. Remove debian/source/options. libpng1.6 (1.6.19-1) experimental; urgency=medium * New upstream release. * Update lintian-overrides for 1.6.19. libpng1.6 (1.6.16-1) experimental; urgency=medium * New upstream release (Closes: #773823) Fix CVE-2015-8540. * Standards Version is 3.9.6. * Update debian/copyright. Add infomation of license for other all files. * Update lintian-overrides for 1.6.16. libpng1.6 (1.6.10-2) experimental; urgency=low * Add libpng16-devtools package. Move libpng-config to this package. libpng1.6 (1.6.10-1) experimental; urgency=low * New upstream release (Closes: #740585) Fixed CVE-2014-0333. * Update overrides files. libpng1.6 (1.6.8-2) experimental; urgency=low * Update debian/copyright. (Closes: #735737) libpng1.6 (1.6.8-1) experimental; urgency=low * New upstream release. libpng1.6 (1.6.7-1) experimental; urgency=low * New upstream release. libpng (1.5.11-1) experimental; urgency=low * New upstream release. libpng (1.5.10-3) experimental; urgency=low * Remove libpng12-dev binary package. libpng-dev provides and replaces libpng12-dev. libpng (1.5.10-2) experimental; urgency=low * Add transition packages libpng3, libpng12-0 and libpng12-dev libpng (1.5.10-1) experimental; urgency=high * New upstream version 1.5.10 - Fix CVE-2011-3048 (memory corruption flaw) Closes: 667475 * Standards Version is 3.9.3 libpng (1.5.9-1) experimental; urgency=low * New upstream version 1.5.9 The purpose of this release is to fix the dangerous CVE-2011-3026. The libpng patch is different from the one that was distributed earlier by Chromium, in that the libpng user limit feature is not crippled by the patch. Remove 02-660026-CVE-2011-3026.patch libpng (1.5.8-1) experimental; urgency=high * New upstream release. Fix a one-byte (stack) buffer-overrun bug in png_formatted_warning(), which could lead to crashes (denial of service) or, conceivably, execution of hostile code. This vulnerability has been assigned ID CVE-2011-3464. * Check for both truncation (64-bit platforms) and integer overflow Fix CVE-2011-3026 Add 02-660026-CVE-2011-3026.patch Closes: 660026 libpng (1.5.7-2) experimental; urgency=low * Fix typo from PPFLAGS to CPPFLAGS. libpng (1.5.7-1) experimental; urgency=low * New upstream release. * Update debian/rules. Enabled hardened build flags. (Closes: #654149) libpng (1.5.6-1) experimental; urgency=low * New upstream release. libpng (1.5.5-1) experimental; urgency=low * New upstream release. * Fix lintian error: udeb-uses-non-gzip-data-tarball. Changed option of dh_builddeb for every package. * Fix lintian warning: brace-expansion-in-debhelper-config-file. Remove brace-expansion from debian/libpng-dev.install. libpng (1.5.4-2) experimental; urgency=low * Port Steve Langasek's changes for 1.2.46-1 - Build for multiarch. Closes: 634151 - Drop debian/libpng15-15-udeb.dirs, which just adds a pointless empty directory to the udeb * Update debian/docs and debian/libpng15-15.docs * Add debian/libpng15-15.doc-base * Build-Depend on autotools-dev libpng (1.2.46-2) unstable; urgency=low [ Steve Langasek ] * Build for multiarch. Requires converting libpng3 from Arch: all to Arch: any. Closes: 634151 * Drop debian/libpng12-0-udeb.dirs, which just adds a pointless empty directory to the udeb. [ Anibal Monsalve Salazar ] * Fix doc-base file Closes: 633944, 633957, 634120 * Pass "-Zbzip2 -z9" to dpkg-deb libpng (1.5.4-1) experimental; urgency=low * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.2.46-1) unstable; urgency=high * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Update patches/01-legacy.patch - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.5.2-3) experimental; urgency=low * Rename libpng15-dev to libpng-dev libpng (1.5.2-2) experimental; urgency=low * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Pass "-Zbzip2 -z9" to dpkg-deb * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.2.44-3) unstable; urgency=high * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Standards version is 3.9.2 * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.5.2-1) experimental; urgency=low * New upstream release (Closes: #565821, #574257, #606867). * Remove Sam Hocevar from Uploaders. * Add myself to Uploaders. * Remove libtool, automake and autoconf from Build-depends. * Disable practice of autogen.sh from debian/rules. * Remove support libpng3 package (Closes: #369104, #615558). * Update debian/copyright. - Update copyright holder. - Add new license for contrib/pngsuite (Closes: #615558). * Remove patches directory. * Add libpng15-dev.lintian-overrides. Overrides manpage-has-errors-from-man usr/share/man/man3/libpng.3.gz. libpng (1.2.44-2) unstable; urgency=low * debian/libpng3.links: fix up the compat symlink to point to /lib Patch by Steve Langasek Closes: #579074, LP: #284325 libpng (1.2.44-1) unstable; urgency=low * New upstream release Stop memory leak when reading a malformed sCAL chunk libpng (1.2.43-1) unstable; urgency=high * New upstream release * Fix CVE-2010-0205 and Cert VU#576029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 https://www.kb.cert.org/vuls/id/576029 Do not stall and consume large quantities of memory while processing certain Portable Network Graphics (PNG) files Closes: 572308 libpng (1.2.42-2) unstable; urgency=low * Merge 1.2.42-1ubuntu1 Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. * Fix out-of-date-standards-version libpng (1.2.42-1ubuntu1) lucid; urgency=low * Merge from Debian testing. Remaining changes: - Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.42-1) unstable; urgency=low * New upstream release * Remove 02-export-png_set_strip_error_numbers.patch (merged) * Fix debhelper-but-no-misc-depends libpng (1.2.41-1ubuntu1) lucid; urgency=low * Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.41-1) unstable; urgency=low * New upstream release * Debian source format is 3.0 (quilt) * Update debian/watch * Add 02-export-png_set_strip_error_numbers.patch Define PNG_ERROR_NUMBERS_SUPPORTED Upstream doesn't define PNG_ERROR_NUMBERS_SUPPORTED since 1.2.41. As a consecuence, the symbol png_set_strip_error_numbe@@PNG12_0 wasn't exported. libpng (1.2.40-1) unstable; urgency=low * New upstream release libpng (1.2.39-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Fix patch-system-but-no-source-readme libpng (1.2.38-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Update upstream homepage Closes: 536474 libpng (1.2.37-1) unstable; urgency=low * New upstream release libpng (1.2.36-1) unstable; urgency=low * New upstream release * Standards-Version is 3.8.1 * debhelper compat is 7 * Run dh_prep instead of dh_clean -k libpng (1.2.35-1) unstable; urgency=high * New upstream release - http://secunia.com/advisories/33970/ Fix a vulnerability reported by Tavis Ormandy in which some arrays of pointers are not initialized prior to using "malloc" to define the pointers. Closes: #516256 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907 The png_check_keyword function in pngwutil.c in libpng, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. * Don't build libpng3 when binary-indep target is not called. Closes: #486415 libpng (1.2.33-2) unstable; urgency=low * Fix the following lintian issues: W: libpng12-0: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL libpng (1.2.33-1) experimental; urgency=low * New upstream release - Fix memory leak after reading a malformed tEXt chunk libpng (1.2.32-1) experimental; urgency=low * New upstream release - libpng.pc is configured to do static linking; closes: #483477 - use autoconf variables in .pc and libpng-config; closes: #483478 * Remove debian/patches/02-501109-pngtest.c.diff; it was merged libpng (1.2.27-2) unstable; urgency=medium * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109 * Standards-Version is 3.8.0 libpng (1.2.27-1) unstable; urgency=low * New upstream release * Patches merged upstream: debian/patches/02-476669-CVE-2008-1382.diff debian/patches/03-404514-png.5.diff * Run ./autogen.sh libpng (1.2.26-1) unstable; urgency=high * New upstream release. Closes: #431202 * Use quilt Add 01-legacy.diff * Fix CVE-2008-1382 denial of service and possibly code execution Add 02-476669-CVE-2008-1382.diff Closes: #476669 * Fix URL in png.5. Closes: #404514 Add 03-404514-png.5.diff * Move examples to libpng12-dev. Closes: #401467 * Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126 * Fix the following lintian issues: W: libpng source: debian-rules-ignores-make-clean-error line 37 W: libpng source: substvar-source-version-is-deprecated libpng12-dev W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3) W: libpng12-0-udeb udeb: description-contains-homepage W: libpng3: description-contains-homepage W: libpng12-dev: description-contains-homepage W: libpng12-0: package-contains-empty-directory usr/bin/ W: libpng12-0: package-contains-empty-directory usr/sbin/ W: libpng12-0: description-contains-homepage W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming libpng (1.2.15~beta5-3) unstable; urgency=high * ACKed NMU. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2.1) unstable; urgency=high * Non-maintainer upload by testing security team. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2) unstable; urgency=high * It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla. Closes: #424729. - CVE-2007-2445 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445 - CERT Vulnerability Note VU#684664 http://www.kb.cert.org/vuls/id/684664 libpng (1.2.15~beta5-1) unstable; urgency=low * Applied legacy_symbols.patch. * Changed shlibs dependecy versions to ">= 1.2.13-4". * libpng12-0: Added the following conflicts: mzscheme (<= 1:209-5), pngcrush (<= 1.5.10-2), pngmeta (<= 1.11-3), qemacs (<= 0.3.1-5), povray-3.5 (<= 3.5.0c-10). libpng (1.2.15~beta5-0) unstable; urgency=high * New upstream release. - Fixed asm API functions not exported on amd64. Closes: #401044. - Fixed "libpng hangs when saving profile". Closes: #401423. * Fixed "Incorrect shlibs information". Closes: #401465. * Removed patches for png.h and pngconf.h. * Updated debian/watch. libpng (1.2.13-4) unstable; urgency=low * Removed drop_pass_width patch. Closes: #399499. libpng (1.2.13-3) unstable; urgency=low * libpng12-dev: removed the conflict with libpng3-dev. libpng (1.2.13-2) unstable; urgency=low * Put back binary package libpng3. libpng (1.2.13-1) unstable; urgency=low * Fixed conflict with the new libpng package. Closes: #399296. * Fixed png.5 man page formatting. Closes: #353061. Patch by Kevin Ryde <user42@zip.com.au>. libpng (1.2.13-0) unstable; urgency=high * New upstream release. * CVE-2006-5793: Fixed a new security issue regarding malformed sPLT chunks. Closes: #398706. * Transitional package libpng3 is not shipped anymore. Closes: #369104. libpng (1.2.12-0) unstable; urgency=high * New upstream release. Closes: #366070. * CVE-2006-3334: Fixed Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name". Closes: #397892. * Removed debian/x86_patches/pnggccrd-PIC.patch as it's merged upstream. libpng (1.2.8rel-7) unstable; urgency=low * New maintainer. Closes: #393109. * ACK NMUs. Closes: #378463, #377298, #356252. * debian/control: - set Standards-Version to 3.7.2. - set Priority to extra for libpng12-0-udeb. - added ${misc:Depends} to libpng12-0 and libpng12-0-udeb dependency lists. * Added debian/watch file. libpng (1.2.8rel-6) unstable; urgency=low * Orphaning package. libpng (1.2.8rel-5.2) unstable; urgency=low * Non-maintainer upload. * Backport changes from 1.2.12 to fix a buffer overflow in png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334] (Closes: #377298) libpng (1.2.8rel-5.1) unstable; urgency=low * Non Maintainer Upload (closes: #356252). * Add support for udeb dependency resolution in shlibs file. * Update debhelper compatibility to level 5. libpng (1.2.8rel-5) unstable; urgency=low * drop_pass_width.patch: don't export png_pass_width, it's absolutely unnecessary. * libpng12-0.shlibs: downgrade the shlibs accordingly (closes: #331383). libpng (1.2.8rel-4) unstable; urgency=low * makefile.patch: + Use PNG_PRIVATE to get the list of private symbols as well. It sucks, but they've been there for too long (closes: #329886). + Use mawk instead of awk (closes: #329812). * control: build-depend on mawk. * rules: + Use -O2, not -O3. + Actually run the tests. + Make use of x86_patches/ on x86 architectures. * x86_patches/mmxbuild.patch: build MMX routines in pnggccrd.c. * x86_patches/pnggccrd-PIC.patch: patch from Christian Aichinger to make the assembly routines PIC-compatible. * libpng12-0.shlibs: bump the shlibs version. libpng (1.2.8rel-3) unstable; urgency=low * Upload to unstable. * Rename the source package to libpng. libpng3 (1.2.8rel-2) experimental; urgency=low * makefile.patch: + now patch makefile.elf, so that only public symbols are truly exported. + shorten the differences as much as possible. * rules: use makefile.elf now. * Move libpng3 to oldlibs. * Entirely remove libpng3-dev, making libpng12-dev provide it (closes: #322051). * poynton.patch: correct Charles Poynton's address (closes: #289437). * Don't run the test when cross-building (closes: #285427). * setjmp_error.patch: don't stop when we are not using _BSD_SOURCE, as in this case this is harmless (closes: #299343). * libpng3.postinst: removed, the fix is in sarge. * Standards-version is 3.6.2. * legacy_symbols.patch: still export png_read_destroy and png_write_destroy, which are deprecated but should nevertheless be accessible. libpng3 (1.2.8rel-1) unstable; urgency=medium * New upstream release. * read_transformations.patch: removed, included upstream. * libpng12-0.shlibs: Update to version 1.2.8rel, new flags seem to have been added. libpng3 (1.2.8beta5-2) unstable; urgency=medium * read_transformations.patch: fix segmentation fault with latex (closes: #281789) and totem (closes: #278618). libpng3 (1.2.8beta5-1) unstable; urgency=medium * New upstream release. + Correct segmentation violation in png_combine_row. Closes: #278526, #278917, #278921, #279258, #281789, #282368. libpng3 (1.2.7-1) unstable; urgency=medium * New upstream release (closes: #278308). * libpng12-0.shlibs: update shlibs to version 1.2.7. * Remove all security fixed, they are included upstream. libpng3 (1.2.5.0-9) unstable; urgency=high * CAN-2004-0954.patch: removed, this is already fixed in CAN-2004-0597_0598_0599.patch. libpng3 (1.2.5.0-8) unstable; urgency=high * Switch to CDBS. + Ship modifications and security fixes in debian/patches. + debian/rules: rewritten. + debian/control: build-depend on cdbs. + debian/libpng12-0.shlibs: new. * setjmp_error.patch: port explanation of the error when including setjmp.h from libpng10, thanks Matijs van Zuijlen <Matijs.van.Zuijlen@xs4all.nl> (closes: #273473). * CAN-2004-0954.patch: fix buffer overflow vulnerability in png_handle_tRNS(). * CAN-2004-0955.patch: fix integer arithmetic overflow vulnerability in png_read_png(). libpng3 (1.2.5.0-7) unstable; urgency=high * pngrtran.c: applied upstream patch 4 to fix incorrect calculation of buffer offsets [CAN-2004-0768]. * png.h, pngpread.c, pngrutil.c: patch from Chris Evans <chris@scary.beasts.org> to fix several vulnerabilities (closes: #263500): + libpng fails to properly check length on PNG data [CAN-2004-0597]. + libpng "png_handle_sBIT" does not perform proper checks to avoid stack buffer overflow [CAN-2004-0597]. + libpng "png_handle_iCCP" possible NULL-pointer crash [CAN-2004-0598]. + libpng "png_handle_sPLT" possible integer overflow [CAN-2004-0599]. + libpng "png_read_png" does not properly handle a PNG with excessive height (integer overflow) [CAN-2004-0599]. + libpng progressive reading integer overflow [CAN-2004-0599]. libpng3 (1.2.5.0-6) unstable; urgency=high * pngerror.c: applied patch by Steve Grubb <linux_4ever@yahoo.com> to fix unintended memory access that could result in a crash of the application linking against libpng [CAN-2004-0421]. libpng3 (1.2.5.0-5) unstable; urgency=low * Use debhelper 4.2, which generates the udeb appropriately. * Update control and rules appropriately. * Don't use ${shlibs:Depends} for the udeb, rather write the dependencies by hand. * Standards-version is 3.6.1. libpng3 (1.2.5.0-4) unstable; urgency=low * scripts/makefile.linux: use versioned dependencies (closes: #155891). * debian/rules: bump dependency for dh_makeshlibs. * add the libpng.a link in libpng12-dev. * Rework scripts/makefile.linux to make it more consistent. * Update stuff in debian/ accordingly. * Updated README.Debian. libpng3 (1.2.5.0-3) unstable; urgency=low * Make libpng3{,-dev} depend on libpng12-{0,dev} >= 1.2.5.0-2 instead of the strict source version. * Move /usr/share/doc/libpng3{,-dev} into symlinks at postinst time when directories already exist. * debian/rules: install correctly doc-base stuff. * debian/libpng12-dev.doc-base: updated URIs. libpng3 (1.2.5.0-2) unstable; urgency=low * scripts/{makefile.linux,libpng-config-body.in}: correct the libpng12-config script. * Install correctly pkg-config stuff (closes: #191081). * Make libpng12-dev conflict explicitly with libpng12-0-dev. * Update README.Debian. libpng3 (1.2.5.0-1) unstable; urgency=low * New maintainer. * Use real upstream tarball from 1.2.5 release. * Use dpkg-source's way instead of dpatch for patching. * A bit of rework in debian/rules, use dh_install and debhelper 4. * Standards-version is 3.5.9. * The -dev package is now named libpng12-dev (stop using the libpkg-guide way). * libpng3 is now arch-independent. * Improved descriptions a bit. * Don't supply libpngpf.3, it is not useful to programmers. libpng3 (1.2.5-11) unstable; urgency=low * Add udeb (closes: #174842) * Add missing section on source files. libpng3 (1.2.5-10) unstable; urgency=low * Rebuild with d-shlibs with fixed "libgcc_s1-dev" handling (for gcc-3.2). (closes: #178070), build-depend on d-shlibs 0.10 or greater. libpng3 (1.2.5-9) unstable; urgency=low * Use dpatch for patch system -- divide Debian patch, and security fix patch. * Standards-Version: 3.5.8 * add manual page libpng-config.1 and libpng12-config.1 libpng3 (1.2.5-8) unstable; urgency=low * Sorry folks, I made a mistake. * Forward-port of patch from the Security Team, really apply what was there. (closes: #172868,#172871) libpng3 (1.2.5-7) unstable; urgency=high * Forward-port of patch from the Security Team * Applied patch to pngrtran.c by Glenn Randers-Pehrson <glennrp@comcast.net> to fix a buffer overrun. libpng3 (1.2.5-6) unstable; urgency=low * Typo in scripts/makefile.linux. Mistake. -lz and -lm weren't happening. * Change LDFLAGS to not list -lz -lm, so that testsuite will catch such error. * set prefix=/usr/ in scripts/makefile.linux, since it was set to usr/local. libpng3 (1.2.5-5) unstable; urgency=low * scripts/makefile.linux: LIBADDFLAGS introduced, for shared library lib additional flags, and use that for shared library. - this should fix build failure (closes: #166704) Thanks Daniel Schepler <schepler@math.berkeley.edu> for reporting. * updated copyright file to note that libpng3 in Debian is patched to link with -lz -lm. libpng3 (1.2.5-4) unstable; urgency=low * Trying to fix the problem that libpng3 seems to be not linked against libz. LDFLAGS was defined but not being used. Thanks Mike Furr <mfurr@debian.org> for reporting (closes: #166489) libpng3 (1.2.5-3) unstable; urgency=low * Fixed description, I mixed up the -devel and non-devel packages. * updated README.Debian. libpng3 (1.2.5-2) unstable; urgency=low * careless mistake :( * reinstall libpng.so symlink in libpng-12-0-dev package. Otherwise other packages won't build ... libpng3 (1.2.5-1) unstable; urgency=low * New upstream version (closes: #163425) * re-patched makefile.linux to work with system zlib, added workaround to set CFLAGS, and remove rpath settings from LDFLAGS * Use debhelper. * No longer create /usr/doc symlinks. * Standards-Version: 3.5.7 libpng3 (1.2.1-5) unstable; urgency=low * Not yet released. * Change priority from standard to optional. libpng3 (1.2.1-4) unstable; urgency=low * change -dev dependency of libc6-dev to libc-dev libpng3 (1.2.1-3) unstable; urgency=low * Security fix backported from 1.2.4. Check bounds of variables. (closes: #155403) libpng3 (1.2.1-2) unstable; urgency=low * New maintainer (closes: #151343) * apply buffer overflow patch for interlaced png files (closes: #150595) * update description for libpng3-dev. * change libpng-dev to libpng3-dev libpng3 (1.2.1-1.1) unstable; urgency=low * NMU * Provides: libpng2-dev has been changed to Provides: libpng3-dev libpng2-dev can be put back in when some kind of sane transition has finished. (closes: #128384, #128871, #129268, #129269) libpng3 (1.2.1-1) unstable; urgency=low * New upstream version; closes: #125679. * New source package name: libpng3. * Renamed libpng<x>-dev to libpng-dev to avoid having to maintain several development packages (the -dev is source compatible). * Moved png.5 into the -dev package. * Added a Replaces: libpng2 to libpng-dev so that we can steal the png.5 manpage without fuss. * Changed debian/shlibs for libpng3. * Compress examples/pngtest.c. libpng (1.0.12-3) unstable; urgency=low * Moved the png.5 manpage to the dev package to allow multiple libpng<n> packages installed at the same time. libpng (1.0.12-2) unstable; urgency=low * Changed libpng2-dev's section to devel to resync with override file. * Fixed upstream version detection in debian/rules; closes: #105931. libpng (1.0.12-1) unstable; urgency=low * New upstream release; closes: #105354. * Bumped dependency information in debian/shlibs to libpng >= 1.0.12 since there were some non-backwards compatible changes to the API. * Added support for DEB_BUILD_OPTIONS and get-orig-source to debian/rules. * Added call to ldconfig on postrm's remove. * Removed INSTALL file from /usr/share/doc/libpng2. * Bumped standards version to 3.5.5.0. libpng (1.0.11-1) unstable; urgency=low * New upstream release. libpng (1.0.10-2) unstable; urgency=low * Force recompile because of bad sparc package. * Libpng2's priority changed to standard to comply with the override file. libpng (1.0.10-1) unstable; urgency=low * New upstream release. * Changed shlib to depend on libpng2 (>= 2.0.10) because of non-backwards compatible changes. libpng (1.0.8-1) unstable; urgency=low * Changed the doc-base type from 'test' to 'text'; closes: #59877. * New upstream relase 1.0.8; closes: #70464. * Updated copyright notice. * Removed Y2kINFO from the doc directory. * Added pngtest.c in examples; closes: #65229. * Updated to standards version 3.2.1.0. * Added build-depends line in control file; closes: #69291. libpng (1.0.5-1) frozen unstable; urgency=low * Maintainer upload (closes: #48244, #48246). * Added some extra explanations for the setjmp.h mess (closes: #56759), see pngconf.h for details. libpng (1.0.5-0.1) unstable; urgency=low * Non-maintainer release. * New upstream release. (closes:Bug#48244). * Remove versioned depend from shlibs (closes:Bug#48246). libpng (1.0.3-1) unstable; urgency=low * New upstream version (1.0.3); Closes: #31870, #46333. * Maintainer upload, closes NMU bugs; Closes: #28412, #31523, #31690. * FHS compliant. * New standard-version 3.0.1. * Lintian clean. * Removed temporary zlib1g line in control file (used to be a bug in zlib1g). * Moved the documentation file to the -dev package. * Register documentation file to doc-base. * Fontified man pages with addformat script; Closes #38680. libpng (1.0.2b-0.1) frozen unstable; urgency=low * New upstream (bug-fix only) version. (Should fix bugs #31690&#28412, since I can't reproduce them) From the author: "I have recently uploaded libpng-1.0.2b to ftp://swrinde.nde.swri.edu/pub/png-group/src I plan to release it as libpng-1.0.3 in a few days, but would like to hear whether it fixes the problems with GNOME. It restores a few lines of code that were inadvertently deleted from pngread.c, which seems to be the cause of problems with adding an alpha channel (which you fixed by downgrading to libpng-1.0.1's pngread.c)." [Glenn Randers-Pehrson <glennrp@netgsi.com>] * Masquerade version number to 1.0.3 to make Imlib & Co. happy. libpng (1.0.2-1.1) frozen unstable; urgency=low * Fix Important bug #28412 (using pngread.c from libpng-1.0.1 did the trick). libpng (1.0.2-1) unstable; urgency=low * Maintainer release (to change a bit). * Pristine sources. * Libpng2-dev includes example.c (fixes bug #10315). * Changed control file to reflect difference with libpng0g (fixes #23795). * Recompiled (should fix the zlib1g missing symbol, bug #24450). * Added -D_REENTRANT also to static library. * Added a dependency upon zlib1g >= 1.1.2 (otherwise we get a missing symbol) (fixes bug #24450). libpng (1.0.2-0.1) unstable; urgency=low * Non-maintainer release * New upstream version libpng (1.0.1-0.2) unstable; urgency=medium * debian/rules (binary-arch): don't call install with -s as an argument when installing a shared library; it doesn't know to use --strip-unneeded, and we call strip separately later anyway. * scripts/makefile.lnx (CFLAGS): killed i386-isms. * scripts/makefile.lnx: compiled shared libraries with -D_REENTRANT. (The above fixes are from James Troup, who yet again, alerted me to my screwups ;) * debian/postinst: only call ldconfig if $1 = configure. libpng (1.0.1-0.1) unstable; urgency=low * New upstream bug fix release. * Include man pages. libpng (1.0.0-0.1) unstable; urgency=low * Non-maintainer Release. * New Upstream Release. * Changed source package name to `libpng'. * Added `-f makefile.lnx' to make invocations in debian/rules. * Removed `ldconfig' call from postrm. libpng0 (0.96-5) unstable; urgency=low * Removed executable permissions on shared libs (fixes bug #15478). * Updated Standards-Version to 2.3.0.1. libpng0 (0.96-4) unstable; urgency=low * Shared libraries are stripped with --strip-unneeded and static libraries with --strip-debug (fixes bug #15669). * Made the build strip non-i386 specific (patch by James Troup) (fixes bug #13832). * Removed the dependency between the libc5 and libc6 versions. libpng0 (0.96-3) unstable; urgency=low * Libc6 compilation. libpng0 (0.96-2) unstable; urgency=low * Fixed permissions in /usr/doc/libpng0 (fixes bug #10540). libpng0 (0.96-1) unstable; urgency=low * New upstream sources. libpng0 (0.95b-1) unstable; urgency=low * New maintainer. * Upgraded to upstream version 0.95b. * Make debian/rules version independent. * Debian/rules clean now removes substvars. * Bumped the shlibs version to 0.95 as some incompatibilities were introduced between 0.89 and 0.90. * Added the Section: and Priority: fields to the control file (fixes bug #6370). * Now /usr/doc/libpng0 contains various info and the debian change log stuff (fixes bug #7925). * Added -D_REENTRANT compilation flag. libpng (0.89c-6) unstable; urgency=low * Moved shlibs file to correct location libpng (0.89c-5) unstable; urgency=low * Added shlibs file libpng (0.89c-4) unstable; urgency=low * Now stripping shared libraries (Bug#5134) libpng (0.89c-3) unstable; urgency=low * Corrected maintainers address libpng (0.89c-2) unstable; urgency=low * Accommodate the fact that dpkg-source doesn't properly preserve permissions on scripts when extracting package. (Bug#4513) libpng (0.89c-1) unstable; urgency=low * New upstream version. * Moved to new source packaging format.

libpng1.6 (1.6.37-3build5) jammy; urgency=high * No change rebuild for ppc64el baseline bump. libpng1.6 (1.6.37-3build4) impish; urgency=medium * No-change rebuild to build packages with zstd compression. libpng1.6 (1.6.37-3build3) hirsute; urgency=medium * No-change rebuild to build with lto. libpng1.6 (1.6.37-3build2) hirsute; urgency=medium * No-change rebuild to drop the udeb package. libpng1.6 (1.6.37-3build1) hirsute; urgency=medium * No-change rebuild to drop the udeb package. libpng1.6 (1.6.37-3) unstable; urgency=medium [ Debian Janitor ] * Wrap long lines in changelog entries: 1.2.5-5. [ Gianfranco Costamagna ] * debian/patches/326.patch: - add upstream proposed patch to fix a decode fail with invalid eXIf chunks (Closes: #969502) libpng1.6 (1.6.37-2) unstable; urgency=medium [ Debian Janitor ] * Set upstream metadata fields: Bug-Database, Repository, Repository- Browse. * Rely on pre-initialized dpkg-architecture variables. * Fix day-of-week for changelog entry 1.0.0-0.1. * Set upstream metadata fields: Bug-Submit. [ Gianfranco Costamagna ] * Bump std-version to 4.5.0, no changes required libpng1.6 (1.6.37-1) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.37-1~exp4) experimental; urgency=medium * debian/patches/72fa126446460347a504f3d9b90f24aed1365595.patch: - cherry-pick upstream possible fix for tests not being parallel-safe (Closes: #920657) libpng1.6 (1.6.37-1~exp3) experimental; urgency=medium * Fix two lintian warnings: - drop upstream signing key, upstream seems to have stopped tarball signatures when moved to github (see upstream issue: #287) - double "version" tag in debian/watch libpng1.6 (1.6.37-1~exp2) experimental; urgency=medium * Simplify tests, by not passing the .libs directory during their execution libpng1.6 (1.6.37-1~exp1) experimental; urgency=medium * New upstream version 1.6.37 - upload to experimental because of freeze * Update watch file for github publish site * Update copyright years and text for pngminus * Drop all upstream patches, patch refresh for apng patch * Bump compat level to 12 libpng1.6 (1.6.36-6) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.36-5exp1) experimental; urgency=medium * Drop Anibal from uploaders list, thank you for your nice work! (Closes: #925014) * Update copyright years. * Drop patch 272.patch, superseeded by upstream commits: 70d122aac42933ab8a708c538f973c3307853212.patch (uncommented) 82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch a627bd26a375f5c41d54f90a47c838157d1bec97.patch libpng1.6 (1.6.36-5) unstable; urgency=medium * Tweak old 272 patch to add the only relevant part of commit 70d122aac42933ab8a708c538f973c3307853212.patch * Drop 70d122aac42933ab8a708c538f973c3307853212.patch, it breaks the testsuite. libpng1.6 (1.6.36-4) unstable; urgency=high * debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch, debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch: - new fixes for arm64 and general test failures (and leaks) * debian/patches/CVE-2019-7317.patch: - fix for CVE 2019-7317 (Closes: #921355) Thanks Salvatore Bonaccorso for your report! libpng1.6 (1.6.36-3) unstable; urgency=medium * debian/patches/272.patch: - upstream fix for arm64 test failures. - drop previous revert-* patches libpng1.6 (1.6.36-2) unstable; urgency=medium * Update watch file for github location * Add apng support, like what is done in arch linux - pnggroup/libpng#267 * d/p/revert-{7734cda20cf1236aef60f3bbd2267c97bbb40869, 1ceaa83a844cd3ecef25279d60720f910b96f297, b66ed711315c46ef6c556c83c0074ecdcbd9937f}.patch: revert on arm64 only the chromebook optimizations, they are making the build fail. - discussion at pnggroup/libpng#266 [ Mattia Rizzolo ] * Fixup std-version numbering libpng1.6 (1.6.36-1) unstable; urgency=medium * New upstream version 1.6.36 * update copyright file * Bump std-version to 4.3.0.1, no changes required * drop patch 8a057: upstream * Add nocheck profile in rules file [ Ondřej Nový <onovy@debian.org> ] * d/changelog: Remove trailing whitespaces libpng1.6 (1.6.34-2) unstable; urgency=medium [ Salvatore Bonaccorso ] * debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch: Closes: #903430 CVE-2018-13785 [ Gianfranco Costamagna ] * Upload to unstable * Switch VCS fields to salsa.d.o * Bump std-version to 4.1.5, no changes required * Switch copyright in https mode libpng1.6 (1.6.34-1) unstable; urgency=medium * New upstream version 1.6.34 * Remove files removed upstream (the failing png files) libpng1.6 (1.6.33-1) unstable; urgency=medium * New upstream version 1.6.33 * Drop idat patch: upstream * Update copyright * Bump std-version to 4.1.1 * Remove some new test png files that make testsuite fail (they fail also on older libpng version, just they weren't available status is tracked at https://sourceforge.net/p/libpng/bugs/271/ ) libpng1.6 (1.6.32-3) unstable; urgency=high * Fix invalid IDAT images, thanks Felix Geyer for the debug/bug reassign! (Closes: #876563) libpng1.6 (1.6.32-2) unstable; urgency=medium * Bump std-version to 4.1.0, now priority is extra * Add missing newline on copyright entry, making lintian sad * Move the examples into the main libpng-dev (Closes: #876244) - thanks Helmut Grohne for the useful bug report! libpng1.6 (1.6.32-1) unstable; urgency=medium * New upstream version 1.6.32 * Update copyright file libpng1.6 (1.6.31-1) unstable; urgency=medium * New upstream release. * Update d/watch to point to ftp site and to verify gpg signature. * fix-arm-build.patch removed, fixed upstream. * Update d/copyright (years and add new maintainers) and remove some redudant entries. libpng1.6 (1.6.30-2) unstable; urgency=medium * Fix arm* build failures with upstream patch (Closes: #867670) libpng1.6 (1.6.30-1) unstable; urgency=medium * New upstream release. * Update copyright * Bump std-version to 4.0.0 libpng1.6 (1.6.29-3) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.29-2) experimental; urgency=medium * Enable PIE eveywhere libpng1.6 (1.6.29-1) experimental; urgency=medium * New upstream release. - Drop fix multiarch patch: upstream * Use autoreconf. libpng1.6 (1.6.28-1exp4) experimental; urgency=medium * Override autoreconf due to debhelper bug 844504 libpng1.6 (1.6.28-1exp3) experimental; urgency=medium * No-autoreconf for cmake builds libpng1.6 (1.6.28-1exp2) experimental; urgency=medium * Readd multiarch patch, it was merged by upstream on master but not on 1.6 branch libpng1.6 (1.6.28-1exp1) experimental; urgency=medium * Switch to cmake libpng1.6 (1.6.28-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.27-1) unstable; urgency=medium * New upstream release (Closes: #849799) - Fix for CVE-2016-10087 libpng1.6 (1.6.26-6) unstable; urgency=medium * Enable pie in Debian, disable it in Ubuntu. - thanks pochu :) libpng1.6 (1.6.26-5) unstable; urgency=medium * Revert cmake switch, failing on arm64. libpng1.6 (1.6.26-4) unstable; urgency=low * Upload to unstable. * Disable pie where Ubuntu has not defaulted yet. (armhf, arm64, powerpc) libpng1.6 (1.6.26-3) experimental; urgency=medium * Switch to cmake. libpng1.6 (1.6.26-2) unstable; urgency=medium * Enable full hardening (+pie) (Closes: #844429) libpng1.6 (1.6.26-1) unstable; urgency=low * New upstream release. * Switch to compat level 10 - Drop autoreconf/parallel, automatically injected libpng1.6 (1.6.25-2) unstable; urgency=medium * Mark the -tools package Multi-Arch: foreign. (Closes: #840446). Thanks Francois Gourget for the bug report! libpng1.6 (1.6.25-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.24-2) unstable; urgency=medium * Stop providing pngcp, because a tool with the same name is provided by pngtools (Closes: #834119, #834118). - Consider re-enabling it if ineeded, but for now the tool has no manpage and no help command. - An alternative might be to make pngtools and libpng-tools conflict each others. libpng1.6 (1.6.24-1) unstable; urgency=medium * New upstream release. - install also new pngcp tool in libpng-tools package. libpng1.6 (1.6.23-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.22-1) unstable; urgency=medium * New upstream release. - drop fix_define_PNG_READ_16_TO_8.patch: upstream * Update copyright file. libpng1.6 (1.6.21-5) unstable; urgency=medium * d/control: Add VCS-* to repository on collab-maint. * Add patch to properly define PNG_READ_16_TO_8_SUPPORTED (Closes: #824014) * Add d/gbp.conf to ensure signed tags. libpng1.6 (1.6.21-4) unstable; urgency=medium * add libpng-config.patch from the old src:libpng. - disabling multiarch bits in libpng-config has the "side-effect" to let us have a Multiarch libpng-dev package. Closes: #822297 * Make the libpng-dev package Multiarch ready. libpng1.6 (1.6.21-3) unstable; urgency=medium [ Manuel A. Fernandez Montecelo ] * Add hardening flags (excluding PIE. CLoses: #805822) [ Gianfranco Costamagna ] * Drop useless pre-depends line. [ Bart Martens ] * Fix watch file [ Laurent Bigonville ] * Drop useless packages in Replaces field. (Closes: #820887) libpng1.6 (1.6.21-2) unstable; urgency=medium * Upload to unstable. * Add myself and Tobias to uploaders, as per maintainers suggestion. * Bump std-version to 3.9.8, no changes required. libpng1.6 (1.6.21-1) experimental; urgency=medium * Team upload. * New upstream release. * Add upstream signing key * Fix watch file. * Update copyright file. * Drop libpng16-devtools, useless and merged in libpng-dev. (many packages relies on that script for building correctly) - breaks + replaces accordingly. * Remove multiarch -dev package * Rename libpng16-tools to libpng-tools, there is no need of strict versioning here. * Install upstream changelog. * Run upstream testsuite. * Remove README.* files, useless now. libpng1.6 (1.6.20-3) experimental; urgency=medium * Team upload * Move libpng16-dev to libpng-dev, to ease next transitions. * Drop conflicts against mzscheme, pngcrush, pngmeta, povray-3.5, qemacs, some of them disappeared, some of them have later versions already in old-oldstable. * Simplify even more the packaging, probably fixing #813288 * Fix symlinks, and two lintian errors: - library-in-root-and-usr - old-style-config-script-multiarch-path (multiarch: no for libpng16-devtools) * Update standard-version to 3.9.7, no changes required. * Switch to dh-autoreconf (Closes: #813027) * Remove libpng16-devtools circular dependency, recommend it instead. * Fix duplicate description lintian warning * Fix copyright lintian warnings * Remove copyright.in file * Use new plain dh calls in rules file * Remove some old lintian overrides. libpng1.6 (1.6.20-2) experimental; urgency=medium [ Tobias Frost ] * libpng16-16-udeb should not Conflicts: libpng-12-0. [ Anibal Monsalve Salazar ] * debhelper compat version is 9. * debian/control: libpng16-devtools is "Multi-Arch: same". libpng1.6 (1.6.20-1.1) experimental; urgency=medium * Non-maintainer upload. * Preparation for the transition, going to experimental. * Make libpng16-dev depend on libpng16-devtools to have libpng-config pulled in automatically for reverse dependencies. * Provide a so-name neutral devtools package libpng1.6 (1.6.20-1) experimental; urgency=medium * New upstream release. Fix CVE-2015-8472. Closes: #810074. * Use default options to compress. Remove debian/source/options. libpng1.6 (1.6.19-1) experimental; urgency=medium * New upstream release. * Update lintian-overrides for 1.6.19. libpng1.6 (1.6.16-1) experimental; urgency=medium * New upstream release (Closes: #773823) Fix CVE-2015-8540. * Standards Version is 3.9.6. * Update debian/copyright. Add infomation of license for other all files. * Update lintian-overrides for 1.6.16. libpng1.6 (1.6.10-2) experimental; urgency=low * Add libpng16-devtools package. Move libpng-config to this package. libpng1.6 (1.6.10-1) experimental; urgency=low * New upstream release (Closes: #740585) Fixed CVE-2014-0333. * Update overrides files. libpng1.6 (1.6.8-2) experimental; urgency=low * Update debian/copyright. (Closes: #735737) libpng1.6 (1.6.8-1) experimental; urgency=low * New upstream release. libpng1.6 (1.6.7-1) experimental; urgency=low * New upstream release. libpng (1.5.11-1) experimental; urgency=low * New upstream release. libpng (1.5.10-3) experimental; urgency=low * Remove libpng12-dev binary package. libpng-dev provides and replaces libpng12-dev. libpng (1.5.10-2) experimental; urgency=low * Add transition packages libpng3, libpng12-0 and libpng12-dev libpng (1.5.10-1) experimental; urgency=high * New upstream version 1.5.10 - Fix CVE-2011-3048 (memory corruption flaw) Closes: 667475 * Standards Version is 3.9.3 libpng (1.5.9-1) experimental; urgency=low * New upstream version 1.5.9 The purpose of this release is to fix the dangerous CVE-2011-3026. The libpng patch is different from the one that was distributed earlier by Chromium, in that the libpng user limit feature is not crippled by the patch. Remove 02-660026-CVE-2011-3026.patch libpng (1.5.8-1) experimental; urgency=high * New upstream release. Fix a one-byte (stack) buffer-overrun bug in png_formatted_warning(), which could lead to crashes (denial of service) or, conceivably, execution of hostile code. This vulnerability has been assigned ID CVE-2011-3464. * Check for both truncation (64-bit platforms) and integer overflow Fix CVE-2011-3026 Add 02-660026-CVE-2011-3026.patch Closes: 660026 libpng (1.5.7-2) experimental; urgency=low * Fix typo from PPFLAGS to CPPFLAGS. libpng (1.5.7-1) experimental; urgency=low * New upstream release. * Update debian/rules. Enabled hardened build flags. (Closes: #654149) libpng (1.5.6-1) experimental; urgency=low * New upstream release. libpng (1.5.5-1) experimental; urgency=low * New upstream release. * Fix lintian error: udeb-uses-non-gzip-data-tarball. Changed option of dh_builddeb for every package. * Fix lintian warning: brace-expansion-in-debhelper-config-file. Remove brace-expansion from debian/libpng-dev.install. libpng (1.5.4-2) experimental; urgency=low * Port Steve Langasek's changes for 1.2.46-1 - Build for multiarch. Closes: 634151 - Drop debian/libpng15-15-udeb.dirs, which just adds a pointless empty directory to the udeb * Update debian/docs and debian/libpng15-15.docs * Add debian/libpng15-15.doc-base * Build-Depend on autotools-dev libpng (1.2.46-2) unstable; urgency=low [ Steve Langasek ] * Build for multiarch. Requires converting libpng3 from Arch: all to Arch: any. Closes: 634151 * Drop debian/libpng12-0-udeb.dirs, which just adds a pointless empty directory to the udeb. [ Anibal Monsalve Salazar ] * Fix doc-base file Closes: 633944, 633957, 634120 * Pass "-Zbzip2 -z9" to dpkg-deb libpng (1.5.4-1) experimental; urgency=low * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.2.46-1) unstable; urgency=high * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Update patches/01-legacy.patch - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.5.2-3) experimental; urgency=low * Rename libpng15-dev to libpng-dev libpng (1.5.2-2) experimental; urgency=low * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Pass "-Zbzip2 -z9" to dpkg-deb * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.2.44-3) unstable; urgency=high * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Standards version is 3.9.2 * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.5.2-1) experimental; urgency=low * New upstream release (Closes: #565821, #574257, #606867). * Remove Sam Hocevar from Uploaders. * Add myself to Uploaders. * Remove libtool, automake and autoconf from Build-depends. * Disable practice of autogen.sh from debian/rules. * Remove support libpng3 package (Closes: #369104, #615558). * Update debian/copyright. - Update copyright holder. - Add new license for contrib/pngsuite (Closes: #615558). * Remove patches directory. * Add libpng15-dev.lintian-overrides. Overrides manpage-has-errors-from-man usr/share/man/man3/libpng.3.gz. libpng (1.2.44-2) unstable; urgency=low * debian/libpng3.links: fix up the compat symlink to point to /lib Patch by Steve Langasek Closes: #579074, LP: #284325 libpng (1.2.44-1) unstable; urgency=low * New upstream release Stop memory leak when reading a malformed sCAL chunk libpng (1.2.43-1) unstable; urgency=high * New upstream release * Fix CVE-2010-0205 and Cert VU#576029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 https://www.kb.cert.org/vuls/id/576029 Do not stall and consume large quantities of memory while processing certain Portable Network Graphics (PNG) files Closes: 572308 libpng (1.2.42-2) unstable; urgency=low * Merge 1.2.42-1ubuntu1 Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. * Fix out-of-date-standards-version libpng (1.2.42-1ubuntu1) lucid; urgency=low * Merge from Debian testing. Remaining changes: - Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.42-1) unstable; urgency=low * New upstream release * Remove 02-export-png_set_strip_error_numbers.patch (merged) * Fix debhelper-but-no-misc-depends libpng (1.2.41-1ubuntu1) lucid; urgency=low * Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.41-1) unstable; urgency=low * New upstream release * Debian source format is 3.0 (quilt) * Update debian/watch * Add 02-export-png_set_strip_error_numbers.patch Define PNG_ERROR_NUMBERS_SUPPORTED Upstream doesn't define PNG_ERROR_NUMBERS_SUPPORTED since 1.2.41. As a consecuence, the symbol png_set_strip_error_numbe@@PNG12_0 wasn't exported. libpng (1.2.40-1) unstable; urgency=low * New upstream release libpng (1.2.39-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Fix patch-system-but-no-source-readme libpng (1.2.38-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Update upstream homepage Closes: 536474 libpng (1.2.37-1) unstable; urgency=low * New upstream release libpng (1.2.36-1) unstable; urgency=low * New upstream release * Standards-Version is 3.8.1 * debhelper compat is 7 * Run dh_prep instead of dh_clean -k libpng (1.2.35-1) unstable; urgency=high * New upstream release - http://secunia.com/advisories/33970/ Fix a vulnerability reported by Tavis Ormandy in which some arrays of pointers are not initialized prior to using "malloc" to define the pointers. Closes: #516256 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907 The png_check_keyword function in pngwutil.c in libpng, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. * Don't build libpng3 when binary-indep target is not called. Closes: #486415 libpng (1.2.33-2) unstable; urgency=low * Fix the following lintian issues: W: libpng12-0: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL libpng (1.2.33-1) experimental; urgency=low * New upstream release - Fix memory leak after reading a malformed tEXt chunk libpng (1.2.32-1) experimental; urgency=low * New upstream release - libpng.pc is configured to do static linking; closes: #483477 - use autoconf variables in .pc and libpng-config; closes: #483478 * Remove debian/patches/02-501109-pngtest.c.diff; it was merged libpng (1.2.27-2) unstable; urgency=medium * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109 * Standards-Version is 3.8.0 libpng (1.2.27-1) unstable; urgency=low * New upstream release * Patches merged upstream: debian/patches/02-476669-CVE-2008-1382.diff debian/patches/03-404514-png.5.diff * Run ./autogen.sh libpng (1.2.26-1) unstable; urgency=high * New upstream release. Closes: #431202 * Use quilt Add 01-legacy.diff * Fix CVE-2008-1382 denial of service and possibly code execution Add 02-476669-CVE-2008-1382.diff Closes: #476669 * Fix URL in png.5. Closes: #404514 Add 03-404514-png.5.diff * Move examples to libpng12-dev. Closes: #401467 * Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126 * Fix the following lintian issues: W: libpng source: debian-rules-ignores-make-clean-error line 37 W: libpng source: substvar-source-version-is-deprecated libpng12-dev W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3) W: libpng12-0-udeb udeb: description-contains-homepage W: libpng3: description-contains-homepage W: libpng12-dev: description-contains-homepage W: libpng12-0: package-contains-empty-directory usr/bin/ W: libpng12-0: package-contains-empty-directory usr/sbin/ W: libpng12-0: description-contains-homepage W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming libpng (1.2.15~beta5-3) unstable; urgency=high * ACKed NMU. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2.1) unstable; urgency=high * Non-maintainer upload by testing security team. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2) unstable; urgency=high * It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla. Closes: #424729. - CVE-2007-2445 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445 - CERT Vulnerability Note VU#684664 http://www.kb.cert.org/vuls/id/684664 libpng (1.2.15~beta5-1) unstable; urgency=low * Applied legacy_symbols.patch. * Changed shlibs dependecy versions to ">= 1.2.13-4". * libpng12-0: Added the following conflicts: mzscheme (<= 1:209-5), pngcrush (<= 1.5.10-2), pngmeta (<= 1.11-3), qemacs (<= 0.3.1-5), povray-3.5 (<= 3.5.0c-10). libpng (1.2.15~beta5-0) unstable; urgency=high * New upstream release. - Fixed asm API functions not exported on amd64. Closes: #401044. - Fixed "libpng hangs when saving profile". Closes: #401423. * Fixed "Incorrect shlibs information". Closes: #401465. * Removed patches for png.h and pngconf.h. * Updated debian/watch. libpng (1.2.13-4) unstable; urgency=low * Removed drop_pass_width patch. Closes: #399499. libpng (1.2.13-3) unstable; urgency=low * libpng12-dev: removed the conflict with libpng3-dev. libpng (1.2.13-2) unstable; urgency=low * Put back binary package libpng3. libpng (1.2.13-1) unstable; urgency=low * Fixed conflict with the new libpng package. Closes: #399296. * Fixed png.5 man page formatting. Closes: #353061. Patch by Kevin Ryde <user42@zip.com.au>. libpng (1.2.13-0) unstable; urgency=high * New upstream release. * CVE-2006-5793: Fixed a new security issue regarding malformed sPLT chunks. Closes: #398706. * Transitional package libpng3 is not shipped anymore. Closes: #369104. libpng (1.2.12-0) unstable; urgency=high * New upstream release. Closes: #366070. * CVE-2006-3334: Fixed Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name". Closes: #397892. * Removed debian/x86_patches/pnggccrd-PIC.patch as it's merged upstream. libpng (1.2.8rel-7) unstable; urgency=low * New maintainer. Closes: #393109. * ACK NMUs. Closes: #378463, #377298, #356252. * debian/control: - set Standards-Version to 3.7.2. - set Priority to extra for libpng12-0-udeb. - added ${misc:Depends} to libpng12-0 and libpng12-0-udeb dependency lists. * Added debian/watch file. libpng (1.2.8rel-6) unstable; urgency=low * Orphaning package. libpng (1.2.8rel-5.2) unstable; urgency=low * Non-maintainer upload. * Backport changes from 1.2.12 to fix a buffer overflow in png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334] (Closes: #377298) libpng (1.2.8rel-5.1) unstable; urgency=low * Non Maintainer Upload (closes: #356252). * Add support for udeb dependency resolution in shlibs file. * Update debhelper compatibility to level 5. libpng (1.2.8rel-5) unstable; urgency=low * drop_pass_width.patch: don't export png_pass_width, it's absolutely unnecessary. * libpng12-0.shlibs: downgrade the shlibs accordingly (closes: #331383). libpng (1.2.8rel-4) unstable; urgency=low * makefile.patch: + Use PNG_PRIVATE to get the list of private symbols as well. It sucks, but they've been there for too long (closes: #329886). + Use mawk instead of awk (closes: #329812). * control: build-depend on mawk. * rules: + Use -O2, not -O3. + Actually run the tests. + Make use of x86_patches/ on x86 architectures. * x86_patches/mmxbuild.patch: build MMX routines in pnggccrd.c. * x86_patches/pnggccrd-PIC.patch: patch from Christian Aichinger to make the assembly routines PIC-compatible. * libpng12-0.shlibs: bump the shlibs version. libpng (1.2.8rel-3) unstable; urgency=low * Upload to unstable. * Rename the source package to libpng. libpng3 (1.2.8rel-2) experimental; urgency=low * makefile.patch: + now patch makefile.elf, so that only public symbols are truly exported. + shorten the differences as much as possible. * rules: use makefile.elf now. * Move libpng3 to oldlibs. * Entirely remove libpng3-dev, making libpng12-dev provide it (closes: #322051). * poynton.patch: correct Charles Poynton's address (closes: #289437). * Don't run the test when cross-building (closes: #285427). * setjmp_error.patch: don't stop when we are not using _BSD_SOURCE, as in this case this is harmless (closes: #299343). * libpng3.postinst: removed, the fix is in sarge. * Standards-version is 3.6.2. * legacy_symbols.patch: still export png_read_destroy and png_write_destroy, which are deprecated but should nevertheless be accessible. libpng3 (1.2.8rel-1) unstable; urgency=medium * New upstream release. * read_transformations.patch: removed, included upstream. * libpng12-0.shlibs: Update to version 1.2.8rel, new flags seem to have been added. libpng3 (1.2.8beta5-2) unstable; urgency=medium * read_transformations.patch: fix segmentation fault with latex (closes: #281789) and totem (closes: #278618). libpng3 (1.2.8beta5-1) unstable; urgency=medium * New upstream release. + Correct segmentation violation in png_combine_row. Closes: #278526, #278917, #278921, #279258, #281789, #282368. libpng3 (1.2.7-1) unstable; urgency=medium * New upstream release (closes: #278308). * libpng12-0.shlibs: update shlibs to version 1.2.7. * Remove all security fixed, they are included upstream. libpng3 (1.2.5.0-9) unstable; urgency=high * CAN-2004-0954.patch: removed, this is already fixed in CAN-2004-0597_0598_0599.patch. libpng3 (1.2.5.0-8) unstable; urgency=high * Switch to CDBS. + Ship modifications and security fixes in debian/patches. + debian/rules: rewritten. + debian/control: build-depend on cdbs. + debian/libpng12-0.shlibs: new. * setjmp_error.patch: port explanation of the error when including setjmp.h from libpng10, thanks Matijs van Zuijlen <Matijs.van.Zuijlen@xs4all.nl> (closes: #273473). * CAN-2004-0954.patch: fix buffer overflow vulnerability in png_handle_tRNS(). * CAN-2004-0955.patch: fix integer arithmetic overflow vulnerability in png_read_png(). libpng3 (1.2.5.0-7) unstable; urgency=high * pngrtran.c: applied upstream patch 4 to fix incorrect calculation of buffer offsets [CAN-2004-0768]. * png.h, pngpread.c, pngrutil.c: patch from Chris Evans <chris@scary.beasts.org> to fix several vulnerabilities (closes: #263500): + libpng fails to properly check length on PNG data [CAN-2004-0597]. + libpng "png_handle_sBIT" does not perform proper checks to avoid stack buffer overflow [CAN-2004-0597]. + libpng "png_handle_iCCP" possible NULL-pointer crash [CAN-2004-0598]. + libpng "png_handle_sPLT" possible integer overflow [CAN-2004-0599]. + libpng "png_read_png" does not properly handle a PNG with excessive height (integer overflow) [CAN-2004-0599]. + libpng progressive reading integer overflow [CAN-2004-0599]. libpng3 (1.2.5.0-6) unstable; urgency=high * pngerror.c: applied patch by Steve Grubb <linux_4ever@yahoo.com> to fix unintended memory access that could result in a crash of the application linking against libpng [CAN-2004-0421]. libpng3 (1.2.5.0-5) unstable; urgency=low * Use debhelper 4.2, which generates the udeb appropriately. * Update control and rules appropriately. * Don't use ${shlibs:Depends} for the udeb, rather write the dependencies by hand. * Standards-version is 3.6.1. libpng3 (1.2.5.0-4) unstable; urgency=low * scripts/makefile.linux: use versioned dependencies (closes: #155891). * debian/rules: bump dependency for dh_makeshlibs. * add the libpng.a link in libpng12-dev. * Rework scripts/makefile.linux to make it more consistent. * Update stuff in debian/ accordingly. * Updated README.Debian. libpng3 (1.2.5.0-3) unstable; urgency=low * Make libpng3{,-dev} depend on libpng12-{0,dev} >= 1.2.5.0-2 instead of the strict source version. * Move /usr/share/doc/libpng3{,-dev} into symlinks at postinst time when directories already exist. * debian/rules: install correctly doc-base stuff. * debian/libpng12-dev.doc-base: updated URIs. libpng3 (1.2.5.0-2) unstable; urgency=low * scripts/{makefile.linux,libpng-config-body.in}: correct the libpng12-config script. * Install correctly pkg-config stuff (closes: #191081). * Make libpng12-dev conflict explicitly with libpng12-0-dev. * Update README.Debian. libpng3 (1.2.5.0-1) unstable; urgency=low * New maintainer. * Use real upstream tarball from 1.2.5 release. * Use dpkg-source's way instead of dpatch for patching. * A bit of rework in debian/rules, use dh_install and debhelper 4. * Standards-version is 3.5.9. * The -dev package is now named libpng12-dev (stop using the libpkg-guide way). * libpng3 is now arch-independent. * Improved descriptions a bit. * Don't supply libpngpf.3, it is not useful to programmers. libpng3 (1.2.5-11) unstable; urgency=low * Add udeb (closes: #174842) * Add missing section on source files. libpng3 (1.2.5-10) unstable; urgency=low * Rebuild with d-shlibs with fixed "libgcc_s1-dev" handling (for gcc-3.2). (closes: #178070), build-depend on d-shlibs 0.10 or greater. libpng3 (1.2.5-9) unstable; urgency=low * Use dpatch for patch system -- divide Debian patch, and security fix patch. * Standards-Version: 3.5.8 * add manual page libpng-config.1 and libpng12-config.1 libpng3 (1.2.5-8) unstable; urgency=low * Sorry folks, I made a mistake. * Forward-port of patch from the Security Team, really apply what was there. (closes: #172868,#172871) libpng3 (1.2.5-7) unstable; urgency=high * Forward-port of patch from the Security Team * Applied patch to pngrtran.c by Glenn Randers-Pehrson <glennrp@comcast.net> to fix a buffer overrun. libpng3 (1.2.5-6) unstable; urgency=low * Typo in scripts/makefile.linux. Mistake. -lz and -lm weren't happening. * Change LDFLAGS to not list -lz -lm, so that testsuite will catch such error. * set prefix=/usr/ in scripts/makefile.linux, since it was set to usr/local. libpng3 (1.2.5-5) unstable; urgency=low * scripts/makefile.linux: LIBADDFLAGS introduced, for shared library lib additional flags, and use that for shared library. - this should fix build failure (closes: #166704) Thanks Daniel Schepler <schepler@math.berkeley.edu> for reporting. * updated copyright file to note that libpng3 in Debian is patched to link with -lz -lm. libpng3 (1.2.5-4) unstable; urgency=low * Trying to fix the problem that libpng3 seems to be not linked against libz. LDFLAGS was defined but not being used. Thanks Mike Furr <mfurr@debian.org> for reporting (closes: #166489) libpng3 (1.2.5-3) unstable; urgency=low * Fixed description, I mixed up the -devel and non-devel packages. * updated README.Debian. libpng3 (1.2.5-2) unstable; urgency=low * careless mistake :( * reinstall libpng.so symlink in libpng-12-0-dev package. Otherwise other packages won't build ... libpng3 (1.2.5-1) unstable; urgency=low * New upstream version (closes: #163425) * re-patched makefile.linux to work with system zlib, added workaround to set CFLAGS, and remove rpath settings from LDFLAGS * Use debhelper. * No longer create /usr/doc symlinks. * Standards-Version: 3.5.7 libpng3 (1.2.1-5) unstable; urgency=low * Not yet released. * Change priority from standard to optional. libpng3 (1.2.1-4) unstable; urgency=low * change -dev dependency of libc6-dev to libc-dev libpng3 (1.2.1-3) unstable; urgency=low * Security fix backported from 1.2.4. Check bounds of variables. (closes: #155403) libpng3 (1.2.1-2) unstable; urgency=low * New maintainer (closes: #151343) * apply buffer overflow patch for interlaced png files (closes: #150595) * update description for libpng3-dev. * change libpng-dev to libpng3-dev libpng3 (1.2.1-1.1) unstable; urgency=low * NMU * Provides: libpng2-dev has been changed to Provides: libpng3-dev libpng2-dev can be put back in when some kind of sane transition has finished. (closes: #128384, #128871, #129268, #129269) libpng3 (1.2.1-1) unstable; urgency=low * New upstream version; closes: #125679. * New source package name: libpng3. * Renamed libpng<x>-dev to libpng-dev to avoid having to maintain several development packages (the -dev is source compatible). * Moved png.5 into the -dev package. * Added a Replaces: libpng2 to libpng-dev so that we can steal the png.5 manpage without fuss. * Changed debian/shlibs for libpng3. * Compress examples/pngtest.c. libpng (1.0.12-3) unstable; urgency=low * Moved the png.5 manpage to the dev package to allow multiple libpng<n> packages installed at the same time. libpng (1.0.12-2) unstable; urgency=low * Changed libpng2-dev's section to devel to resync with override file. * Fixed upstream version detection in debian/rules; closes: #105931. libpng (1.0.12-1) unstable; urgency=low * New upstream release; closes: #105354. * Bumped dependency information in debian/shlibs to libpng >= 1.0.12 since there were some non-backwards compatible changes to the API. * Added support for DEB_BUILD_OPTIONS and get-orig-source to debian/rules. * Added call to ldconfig on postrm's remove. * Removed INSTALL file from /usr/share/doc/libpng2. * Bumped standards version to 3.5.5.0. libpng (1.0.11-1) unstable; urgency=low * New upstream release. libpng (1.0.10-2) unstable; urgency=low * Force recompile because of bad sparc package. * Libpng2's priority changed to standard to comply with the override file. libpng (1.0.10-1) unstable; urgency=low * New upstream release. * Changed shlib to depend on libpng2 (>= 2.0.10) because of non-backwards compatible changes. libpng (1.0.8-1) unstable; urgency=low * Changed the doc-base type from 'test' to 'text'; closes: #59877. * New upstream relase 1.0.8; closes: #70464. * Updated copyright notice. * Removed Y2kINFO from the doc directory. * Added pngtest.c in examples; closes: #65229. * Updated to standards version 3.2.1.0. * Added build-depends line in control file; closes: #69291. libpng (1.0.5-1) frozen unstable; urgency=low * Maintainer upload (closes: #48244, #48246). * Added some extra explanations for the setjmp.h mess (closes: #56759), see pngconf.h for details. libpng (1.0.5-0.1) unstable; urgency=low * Non-maintainer release. * New upstream release. (closes:Bug#48244). * Remove versioned depend from shlibs (closes:Bug#48246). libpng (1.0.3-1) unstable; urgency=low * New upstream version (1.0.3); Closes: #31870, #46333. * Maintainer upload, closes NMU bugs; Closes: #28412, #31523, #31690. * FHS compliant. * New standard-version 3.0.1. * Lintian clean. * Removed temporary zlib1g line in control file (used to be a bug in zlib1g). * Moved the documentation file to the -dev package. * Register documentation file to doc-base. * Fontified man pages with addformat script; Closes #38680. libpng (1.0.2b-0.1) frozen unstable; urgency=low * New upstream (bug-fix only) version. (Should fix bugs #31690&#28412, since I can't reproduce them) From the author: "I have recently uploaded libpng-1.0.2b to ftp://swrinde.nde.swri.edu/pub/png-group/src I plan to release it as libpng-1.0.3 in a few days, but would like to hear whether it fixes the problems with GNOME. It restores a few lines of code that were inadvertently deleted from pngread.c, which seems to be the cause of problems with adding an alpha channel (which you fixed by downgrading to libpng-1.0.1's pngread.c)." [Glenn Randers-Pehrson <glennrp@netgsi.com>] * Masquerade version number to 1.0.3 to make Imlib & Co. happy. libpng (1.0.2-1.1) frozen unstable; urgency=low * Fix Important bug #28412 (using pngread.c from libpng-1.0.1 did the trick). libpng (1.0.2-1) unstable; urgency=low * Maintainer release (to change a bit). * Pristine sources. * Libpng2-dev includes example.c (fixes bug #10315). * Changed control file to reflect difference with libpng0g (fixes #23795). * Recompiled (should fix the zlib1g missing symbol, bug #24450). * Added -D_REENTRANT also to static library. * Added a dependency upon zlib1g >= 1.1.2 (otherwise we get a missing symbol) (fixes bug #24450). libpng (1.0.2-0.1) unstable; urgency=low * Non-maintainer release * New upstream version libpng (1.0.1-0.2) unstable; urgency=medium * debian/rules (binary-arch): don't call install with -s as an argument when installing a shared library; it doesn't know to use --strip-unneeded, and we call strip separately later anyway. * scripts/makefile.lnx (CFLAGS): killed i386-isms. * scripts/makefile.lnx: compiled shared libraries with -D_REENTRANT. (The above fixes are from James Troup, who yet again, alerted me to my screwups ;) * debian/postinst: only call ldconfig if $1 = configure. libpng (1.0.1-0.1) unstable; urgency=low * New upstream bug fix release. * Include man pages. libpng (1.0.0-0.1) unstable; urgency=low * Non-maintainer Release. * New Upstream Release. * Changed source package name to `libpng'. * Added `-f makefile.lnx' to make invocations in debian/rules. * Removed `ldconfig' call from postrm. libpng0 (0.96-5) unstable; urgency=low * Removed executable permissions on shared libs (fixes bug #15478). * Updated Standards-Version to 2.3.0.1. libpng0 (0.96-4) unstable; urgency=low * Shared libraries are stripped with --strip-unneeded and static libraries with --strip-debug (fixes bug #15669). * Made the build strip non-i386 specific (patch by James Troup) (fixes bug #13832). * Removed the dependency between the libc5 and libc6 versions. libpng0 (0.96-3) unstable; urgency=low * Libc6 compilation. libpng0 (0.96-2) unstable; urgency=low * Fixed permissions in /usr/doc/libpng0 (fixes bug #10540). libpng0 (0.96-1) unstable; urgency=low * New upstream sources. libpng0 (0.95b-1) unstable; urgency=low * New maintainer. * Upgraded to upstream version 0.95b. * Make debian/rules version independent. * Debian/rules clean now removes substvars. * Bumped the shlibs version to 0.95 as some incompatibilities were introduced between 0.89 and 0.90. * Added the Section: and Priority: fields to the control file (fixes bug #6370). * Now /usr/doc/libpng0 contains various info and the debian change log stuff (fixes bug #7925). * Added -D_REENTRANT compilation flag. libpng (0.89c-6) unstable; urgency=low * Moved shlibs file to correct location libpng (0.89c-5) unstable; urgency=low * Added shlibs file libpng (0.89c-4) unstable; urgency=low * Now stripping shared libraries (Bug#5134) libpng (0.89c-3) unstable; urgency=low * Corrected maintainers address libpng (0.89c-2) unstable; urgency=low * Accommodate the fact that dpkg-source doesn't properly preserve permissions on scripts when extracting package. (Bug#4513) libpng (0.89c-1) unstable; urgency=low * New upstream version. * Moved to new source packaging format.

hmaarrfk mentioned this issue Jan 8, 2019

scientific stack Archiconda/build-tools#18

Open

richard-townsend-arm mentioned this issue Jan 11, 2019

Clean up riffled palette in more places, fix tests #272

Closed

richard-townsend-arm added a commit to richard-townsend-arm/libpng that referenced this issue Jan 11, 2019

Free png_structp members after use in gamma_test

d0c0f5f

Fixes pnggroup#266

vcunat mentioned this issue Feb 19, 2019

libpng: 1.6.35 -> 1.6.36, license v2 NixOS/nixpkgs#51447

Merged

10 tasks

LocutusOfBorg closed this as completed Apr 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

libpng 1.6.36 build failure on linux arm64 (Debian and Ubuntu) #266

libpng 1.6.36 build failure on linux arm64 (Debian and Ubuntu) #266

LocutusOfBorg commented Dec 28, 2018

LocutusOfBorg commented Dec 28, 2018

LocutusOfBorg commented Dec 28, 2018

ctruta commented Dec 31, 2018

ctruta commented Dec 31, 2018

LocutusOfBorg commented Dec 31, 2018

richard-townsend-arm commented Dec 31, 2018

LocutusOfBorg commented Dec 31, 2018

LocutusOfBorg commented Dec 31, 2018

hmaarrfk commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019

hmaarrfk commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019 •

edited

hmaarrfk commented Jan 8, 2019

richard-townsend-arm commented Jan 11, 2019

LocutusOfBorg commented Jan 13, 2019

ctruta commented Jan 21, 2019

Sentimentron commented Jan 29, 2019

ctruta commented Jan 30, 2019

ctruta commented Feb 4, 2019

LocutusOfBorg commented Feb 5, 2019 •

edited

LocutusOfBorg commented Feb 5, 2019

LocutusOfBorg commented Feb 5, 2019

ctruta commented Mar 25, 2019 •

edited

ctruta commented Mar 25, 2019 •

edited

ctruta commented Apr 8, 2019

LocutusOfBorg commented Apr 8, 2019

libpng 1.6.36 build failure on linux arm64 (Debian and Ubuntu) #266

libpng 1.6.36 build failure on linux arm64 (Debian and Ubuntu) #266

Comments

LocutusOfBorg commented Dec 28, 2018

LocutusOfBorg commented Dec 28, 2018

LocutusOfBorg commented Dec 28, 2018

ctruta commented Dec 31, 2018

ctruta commented Dec 31, 2018

LocutusOfBorg commented Dec 31, 2018

richard-townsend-arm commented Dec 31, 2018

LocutusOfBorg commented Dec 31, 2018

LocutusOfBorg commented Dec 31, 2018

hmaarrfk commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019

hmaarrfk commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019

LocutusOfBorg commented Jan 8, 2019 • edited

hmaarrfk commented Jan 8, 2019

richard-townsend-arm commented Jan 11, 2019

LocutusOfBorg commented Jan 13, 2019

ctruta commented Jan 21, 2019

Sentimentron commented Jan 29, 2019

ctruta commented Jan 30, 2019

ctruta commented Feb 4, 2019

LocutusOfBorg commented Feb 5, 2019 • edited

LocutusOfBorg commented Feb 5, 2019

LocutusOfBorg commented Feb 5, 2019

ctruta commented Mar 25, 2019 • edited

ctruta commented Mar 25, 2019 • edited

ctruta commented Apr 8, 2019

LocutusOfBorg commented Apr 8, 2019

LocutusOfBorg commented Jan 8, 2019 •

edited

LocutusOfBorg commented Feb 5, 2019 •

edited

ctruta commented Mar 25, 2019 •

edited

ctruta commented Mar 25, 2019 •

edited