New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libpng 1.6.36 build failure on linux arm64 (Debian and Ubuntu) #266
Comments
a git bisect reveals 7734cda as the bad commit |
@richard-townsend-arm do you have any idea for this regression on aarch64? |
Looks like a memory leak in the ARM-specific |
Speculative fix: #268 Caveat: not tested. (No ARM machine available at this moment; see my other comment above.) |
Seems to be not fixing this issue...
btw I use pbuilder-dist to setup an arm64 machine on my amd64 pc |
Hi, thanks for reporting @LocutusOfBorg. The riffled palette is currently allocated lazily, so I think it's just figuring out how to make sure that the test suite cleans it up in an appropriate place, I'll be able to investigate it a bit more once I'm back in the office. |
thanks a lot! |
right now, I'm disabling your arm optimizations on arm64, and this solution is really sub-optimal for Debian and Ubuntu :) |
@LocutusOfBorg do you have a patch for disabling the optimization you want to share? |
yes, reverting the commits on arm64 :) |
Strange, I keep failing with:
Do I need to run any autotools? |
sure, because one patch deletes the file :) |
this is what I do:
|
so, I have to do it before autoreconfing |
magic, thanks @LocutusOfBorg! |
I managed to replicate the issue on an arm64 debian system, @LocutusOfBorg, could you try #272 and see whether it fixes your issue? |
yeah it works! I uploaded in debian, lets see what happens in a few minutes |
Thank you for the patches, @richard-townsend-arm In your two patches, there is the first patch which fixes the core problem as in my original hotfix, and the second one, which fixes the testing issue. I updated my hotfix also, see the new branch As for your 2nd patch, the fix to To illustrate the underlying problem (which is still not fixed, unfortunately), I pushed my draft work to the topic branch Still investigating. |
This has come back on my radar as a few more people try to roll libpng on arm64 platforms. When you say original call, is |
Yes. See my debug experiment: https://github.com/glennrp/libpng/commits/topic/debug-pngstruct-memleak I wanted to investigate it closer last weekend, but something came up and I couldn't. Hope to be able to do it next weekend. For the time being, just by picking up this hotfix: Although I understand that disabling the checks based on For the longer term, I contemplate replacing |
Fixed in master. Also refactored. "Works For Me (tm)." A hotfix for 1.6.36 is also available, see the branch |
@ctruta looks like there is still something wrong. on top of 1.6.36 release, and it failed on arm64 again
|
right now, I uploaded the following three patches on top of clean 1.6.36: cat debian/patches/272.patch (PR #272)
commit: 8439534 and
|
this way looks like everything builds correctly |
I've been finally able to debug what's going on, and I discovered that pngvalid does some funky things that were fine with the old libpng code, but not really fine with the new one. As of commit 70d122a, the memory leak is fixed. The riffled palette buffer is allocated and initialized once, where is should be (i.e. inside When executed with certain parameters, pngvalid is modifying certain An easy fix would have been to leave the riffled palette buffer allocation as it's done in 70d122a, inside Is it a significant issue? I don't know yet. I'm still looking for the better fix. Here is the interim fix, applicable to commit 70d122a: diff --git a/pngrtran.c b/pngrtran.c
index 3294340912..35a867e840 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1163,14 +1163,11 @@ png_init_palette_transformations(png_structrp png_ptr)
#ifdef PNG_READ_EXPAND_SUPPORTED
#ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE
- /* Initialize the accelerated palette expansion, if applicable. */
if ((png_ptr->transformations & PNG_EXPAND) != 0)
{
+ /* Allocate the accelerated palette expansion buffer, if applicable. */
if ((png_ptr->num_trans > 0) && (png_ptr->bit_depth == 8))
- {
png_ptr->riffled_palette = (png_bytep)png_malloc(png_ptr, 256 * 4);
- png_riffle_palette_rgba8(png_ptr);
- }
}
#endif /* PNG_ARM_NEON_INTRINSICS_AVAILABLE */
@@ -4785,6 +4782,11 @@ png_do_read_transformations(png_structrp png_ptr, png_row_infop row_info)
{
if (row_info->color_type == PNG_COLOR_TYPE_PALETTE)
{
+#ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE
+ /* Initialize the accelerated palette expansion buffer. */
+ if (png_ptr->riffled_palette)
+ png_riffle_palette_rgba8(png_ptr);
+#endif
png_do_expand_palette(png_ptr, row_info, png_ptr->row_buf + 1,
png_ptr->palette, png_ptr->trans_alpha, png_ptr->num_trans);
} |
Quick update:
Of course it is significant. The above patch is good enough for a proof-of-concept correctness fix, but otherwise it's unacceptable, because it will ruin the performance. A proper fix is clearly needed. |
I pushed the fix. "It Works For Me." Could you please give it a respin, @LocutusOfBorg? |
it looks like working, thanks! |
libpng1.6 (1.6.37-2) unstable; urgency=medium [ Debian Janitor ] * Set upstream metadata fields: Bug-Database, Repository, Repository- Browse. * Rely on pre-initialized dpkg-architecture variables. * Fix day-of-week for changelog entry 1.0.0-0.1. * Set upstream metadata fields: Bug-Submit. [ Gianfranco Costamagna ] * Bump std-version to 4.5.0, no changes required libpng1.6 (1.6.37-1) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.37-1~exp4) experimental; urgency=medium * debian/patches/72fa126446460347a504f3d9b90f24aed1365595.patch: - cherry-pick upstream possible fix for tests not being parallel-safe (Closes: #920657) libpng1.6 (1.6.37-1~exp3) experimental; urgency=medium * Fix two lintian warnings: - drop upstream signing key, upstream seems to have stopped tarball signatures when moved to github (see upstream issue: #287) - double "version" tag in debian/watch libpng1.6 (1.6.37-1~exp2) experimental; urgency=medium * Simplify tests, by not passing the .libs directory during their execution libpng1.6 (1.6.37-1~exp1) experimental; urgency=medium * New upstream version 1.6.37 - upload to experimental because of freeze * Update watch file for github publish site * Update copyright years and text for pngminus * Drop all upstream patches, patch refresh for apng patch * Bump compat level to 12 libpng1.6 (1.6.36-6) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.36-5exp1) experimental; urgency=medium * Drop Anibal from uploaders list, thank you for your nice work! (Closes: #925014) * Update copyright years. * Drop patch 272.patch, superseeded by upstream commits: 70d122aac42933ab8a708c538f973c3307853212.patch (uncommented) 82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch a627bd26a375f5c41d54f90a47c838157d1bec97.patch libpng1.6 (1.6.36-5) unstable; urgency=medium * Tweak old 272 patch to add the only relevant part of commit 70d122aac42933ab8a708c538f973c3307853212.patch * Drop 70d122aac42933ab8a708c538f973c3307853212.patch, it breaks the testsuite. libpng1.6 (1.6.36-4) unstable; urgency=high * debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch, debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch: - new fixes for arm64 and general test failures (and leaks) * debian/patches/CVE-2019-7317.patch: - fix for CVE 2019-7317 (Closes: #921355) Thanks Salvatore Bonaccorso for your report! libpng1.6 (1.6.36-3) unstable; urgency=medium * debian/patches/272.patch: - upstream fix for arm64 test failures. - drop previous revert-* patches libpng1.6 (1.6.36-2) unstable; urgency=medium * Update watch file for github location * Add apng support, like what is done in arch linux - pnggroup/libpng#267 * d/p/revert-{7734cda20cf1236aef60f3bbd2267c97bbb40869, 1ceaa83a844cd3ecef25279d60720f910b96f297, b66ed711315c46ef6c556c83c0074ecdcbd9937f}.patch: revert on arm64 only the chromebook optimizations, they are making the build fail. - discussion at pnggroup/libpng#266 [ Mattia Rizzolo ] * Fixup std-version numbering libpng1.6 (1.6.36-1) unstable; urgency=medium * New upstream version 1.6.36 * update copyright file * Bump std-version to 4.3.0.1, no changes required * drop patch 8a057: upstream * Add nocheck profile in rules file [ Ondřej Nový <onovy@debian.org> ] * d/changelog: Remove trailing whitespaces libpng1.6 (1.6.34-2) unstable; urgency=medium [ Salvatore Bonaccorso ] * debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch: Closes: #903430 CVE-2018-13785 [ Gianfranco Costamagna ] * Upload to unstable * Switch VCS fields to salsa.d.o * Bump std-version to 4.1.5, no changes required * Switch copyright in https mode libpng1.6 (1.6.34-1) unstable; urgency=medium * New upstream version 1.6.34 * Remove files removed upstream (the failing png files) libpng1.6 (1.6.33-1) unstable; urgency=medium * New upstream version 1.6.33 * Drop idat patch: upstream * Update copyright * Bump std-version to 4.1.1 * Remove some new test png files that make testsuite fail (they fail also on older libpng version, just they weren't available status is tracked at https://sourceforge.net/p/libpng/bugs/271/ ) libpng1.6 (1.6.32-3) unstable; urgency=high * Fix invalid IDAT images, thanks Felix Geyer for the debug/bug reassign! (Closes: #876563) libpng1.6 (1.6.32-2) unstable; urgency=medium * Bump std-version to 4.1.0, now priority is extra * Add missing newline on copyright entry, making lintian sad * Move the examples into the main libpng-dev (Closes: #876244) - thanks Helmut Grohne for the useful bug report! libpng1.6 (1.6.32-1) unstable; urgency=medium * New upstream version 1.6.32 * Update copyright file libpng1.6 (1.6.31-1) unstable; urgency=medium * New upstream release. * Update d/watch to point to ftp site and to verify gpg signature. * fix-arm-build.patch removed, fixed upstream. * Update d/copyright (years and add new maintainers) and remove some redudant entries. libpng1.6 (1.6.30-2) unstable; urgency=medium * Fix arm* build failures with upstream patch (Closes: #867670) libpng1.6 (1.6.30-1) unstable; urgency=medium * New upstream release. * Update copyright * Bump std-version to 4.0.0 libpng1.6 (1.6.29-3) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.29-2) experimental; urgency=medium * Enable PIE eveywhere libpng1.6 (1.6.29-1) experimental; urgency=medium * New upstream release. - Drop fix multiarch patch: upstream * Use autoreconf. libpng1.6 (1.6.28-1exp4) experimental; urgency=medium * Override autoreconf due to debhelper bug 844504 libpng1.6 (1.6.28-1exp3) experimental; urgency=medium * No-autoreconf for cmake builds libpng1.6 (1.6.28-1exp2) experimental; urgency=medium * Readd multiarch patch, it was merged by upstream on master but not on 1.6 branch libpng1.6 (1.6.28-1exp1) experimental; urgency=medium * Switch to cmake libpng1.6 (1.6.28-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.27-1) unstable; urgency=medium * New upstream release (Closes: #849799) - Fix for CVE-2016-10087 libpng1.6 (1.6.26-6) unstable; urgency=medium * Enable pie in Debian, disable it in Ubuntu. - thanks pochu :) libpng1.6 (1.6.26-5) unstable; urgency=medium * Revert cmake switch, failing on arm64. libpng1.6 (1.6.26-4) unstable; urgency=low * Upload to unstable. * Disable pie where Ubuntu has not defaulted yet. (armhf, arm64, powerpc) libpng1.6 (1.6.26-3) experimental; urgency=medium * Switch to cmake. libpng1.6 (1.6.26-2) unstable; urgency=medium * Enable full hardening (+pie) (Closes: #844429) libpng1.6 (1.6.26-1) unstable; urgency=low * New upstream release. * Switch to compat level 10 - Drop autoreconf/parallel, automatically injected libpng1.6 (1.6.25-2) unstable; urgency=medium * Mark the -tools package Multi-Arch: foreign. (Closes: #840446). Thanks Francois Gourget for the bug report! libpng1.6 (1.6.25-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.24-2) unstable; urgency=medium * Stop providing pngcp, because a tool with the same name is provided by pngtools (Closes: #834119, #834118). - Consider re-enabling it if ineeded, but for now the tool has no manpage and no help command. - An alternative might be to make pngtools and libpng-tools conflict each others. libpng1.6 (1.6.24-1) unstable; urgency=medium * New upstream release. - install also new pngcp tool in libpng-tools package. libpng1.6 (1.6.23-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.22-1) unstable; urgency=medium * New upstream release. - drop fix_define_PNG_READ_16_TO_8.patch: upstream * Update copyright file. libpng1.6 (1.6.21-5) unstable; urgency=medium * d/control: Add VCS-* to repository on collab-maint. * Add patch to properly define PNG_READ_16_TO_8_SUPPORTED (Closes: #824014) * Add d/gbp.conf to ensure signed tags. libpng1.6 (1.6.21-4) unstable; urgency=medium * add libpng-config.patch from the old src:libpng. - disabling multiarch bits in libpng-config has the "side-effect" to let us have a Multiarch libpng-dev package. Closes: #822297 * Make the libpng-dev package Multiarch ready. libpng1.6 (1.6.21-3) unstable; urgency=medium [ Manuel A. Fernandez Montecelo ] * Add hardening flags (excluding PIE. CLoses: #805822) [ Gianfranco Costamagna ] * Drop useless pre-depends line. [ Bart Martens ] * Fix watch file [ Laurent Bigonville ] * Drop useless packages in Replaces field. (Closes: #820887) libpng1.6 (1.6.21-2) unstable; urgency=medium * Upload to unstable. * Add myself and Tobias to uploaders, as per maintainers suggestion. * Bump std-version to 3.9.8, no changes required. libpng1.6 (1.6.21-1) experimental; urgency=medium * Team upload. * New upstream release. * Add upstream signing key * Fix watch file. * Update copyright file. * Drop libpng16-devtools, useless and merged in libpng-dev. (many packages relies on that script for building correctly) - breaks + replaces accordingly. * Remove multiarch -dev package * Rename libpng16-tools to libpng-tools, there is no need of strict versioning here. * Install upstream changelog. * Run upstream testsuite. * Remove README.* files, useless now. libpng1.6 (1.6.20-3) experimental; urgency=medium * Team upload * Move libpng16-dev to libpng-dev, to ease next transitions. * Drop conflicts against mzscheme, pngcrush, pngmeta, povray-3.5, qemacs, some of them disappeared, some of them have later versions already in old-oldstable. * Simplify even more the packaging, probably fixing #813288 * Fix symlinks, and two lintian errors: - library-in-root-and-usr - old-style-config-script-multiarch-path (multiarch: no for libpng16-devtools) * Update standard-version to 3.9.7, no changes required. * Switch to dh-autoreconf (Closes: #813027) * Remove libpng16-devtools circular dependency, recommend it instead. * Fix duplicate description lintian warning * Fix copyright lintian warnings * Remove copyright.in file * Use new plain dh calls in rules file * Remove some old lintian overrides. libpng1.6 (1.6.20-2) experimental; urgency=medium [ Tobias Frost ] * libpng16-16-udeb should not Conflicts: libpng-12-0. [ Anibal Monsalve Salazar ] * debhelper compat version is 9. * debian/control: libpng16-devtools is "Multi-Arch: same". libpng1.6 (1.6.20-1.1) experimental; urgency=medium * Non-maintainer upload. * Preparation for the transition, going to experimental. * Make libpng16-dev depend on libpng16-devtools to have libpng-config pulled in automatically for reverse dependencies. * Provide a so-name neutral devtools package libpng1.6 (1.6.20-1) experimental; urgency=medium * New upstream release. Fix CVE-2015-8472. Closes: #810074. * Use default options to compress. Remove debian/source/options. libpng1.6 (1.6.19-1) experimental; urgency=medium * New upstream release. * Update lintian-overrides for 1.6.19. libpng1.6 (1.6.16-1) experimental; urgency=medium * New upstream release (Closes: #773823) Fix CVE-2015-8540. * Standards Version is 3.9.6. * Update debian/copyright. Add infomation of license for other all files. * Update lintian-overrides for 1.6.16. libpng1.6 (1.6.10-2) experimental; urgency=low * Add libpng16-devtools package. Move libpng-config to this package. libpng1.6 (1.6.10-1) experimental; urgency=low * New upstream release (Closes: #740585) Fixed CVE-2014-0333. * Update overrides files. libpng1.6 (1.6.8-2) experimental; urgency=low * Update debian/copyright. (Closes: #735737) libpng1.6 (1.6.8-1) experimental; urgency=low * New upstream release. libpng1.6 (1.6.7-1) experimental; urgency=low * New upstream release. libpng (1.5.11-1) experimental; urgency=low * New upstream release. libpng (1.5.10-3) experimental; urgency=low * Remove libpng12-dev binary package. libpng-dev provides and replaces libpng12-dev. libpng (1.5.10-2) experimental; urgency=low * Add transition packages libpng3, libpng12-0 and libpng12-dev libpng (1.5.10-1) experimental; urgency=high * New upstream version 1.5.10 - Fix CVE-2011-3048 (memory corruption flaw) Closes: 667475 * Standards Version is 3.9.3 libpng (1.5.9-1) experimental; urgency=low * New upstream version 1.5.9 The purpose of this release is to fix the dangerous CVE-2011-3026. The libpng patch is different from the one that was distributed earlier by Chromium, in that the libpng user limit feature is not crippled by the patch. Remove 02-660026-CVE-2011-3026.patch libpng (1.5.8-1) experimental; urgency=high * New upstream release. Fix a one-byte (stack) buffer-overrun bug in png_formatted_warning(), which could lead to crashes (denial of service) or, conceivably, execution of hostile code. This vulnerability has been assigned ID CVE-2011-3464. * Check for both truncation (64-bit platforms) and integer overflow Fix CVE-2011-3026 Add 02-660026-CVE-2011-3026.patch Closes: 660026 libpng (1.5.7-2) experimental; urgency=low * Fix typo from PPFLAGS to CPPFLAGS. libpng (1.5.7-1) experimental; urgency=low * New upstream release. * Update debian/rules. Enabled hardened build flags. (Closes: #654149) libpng (1.5.6-1) experimental; urgency=low * New upstream release. libpng (1.5.5-1) experimental; urgency=low * New upstream release. * Fix lintian error: udeb-uses-non-gzip-data-tarball. Changed option of dh_builddeb for every package. * Fix lintian warning: brace-expansion-in-debhelper-config-file. Remove brace-expansion from debian/libpng-dev.install. libpng (1.5.4-2) experimental; urgency=low * Port Steve Langasek's changes for 1.2.46-1 - Build for multiarch. Closes: 634151 - Drop debian/libpng15-15-udeb.dirs, which just adds a pointless empty directory to the udeb * Update debian/docs and debian/libpng15-15.docs * Add debian/libpng15-15.doc-base * Build-Depend on autotools-dev libpng (1.2.46-2) unstable; urgency=low [ Steve Langasek ] * Build for multiarch. Requires converting libpng3 from Arch: all to Arch: any. Closes: 634151 * Drop debian/libpng12-0-udeb.dirs, which just adds a pointless empty directory to the udeb. [ Anibal Monsalve Salazar ] * Fix doc-base file Closes: 633944, 633957, 634120 * Pass "-Zbzip2 -z9" to dpkg-deb libpng (1.5.4-1) experimental; urgency=low * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.2.46-1) unstable; urgency=high * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Update patches/01-legacy.patch - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.5.2-3) experimental; urgency=low * Rename libpng15-dev to libpng-dev libpng (1.5.2-2) experimental; urgency=low * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Pass "-Zbzip2 -z9" to dpkg-deb * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.2.44-3) unstable; urgency=high * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Standards version is 3.9.2 * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.5.2-1) experimental; urgency=low * New upstream release (Closes: #565821, #574257, #606867). * Remove Sam Hocevar from Uploaders. * Add myself to Uploaders. * Remove libtool, automake and autoconf from Build-depends. * Disable practice of autogen.sh from debian/rules. * Remove support libpng3 package (Closes: #369104, #615558). * Update debian/copyright. - Update copyright holder. - Add new license for contrib/pngsuite (Closes: #615558). * Remove patches directory. * Add libpng15-dev.lintian-overrides. Overrides manpage-has-errors-from-man usr/share/man/man3/libpng.3.gz. libpng (1.2.44-2) unstable; urgency=low * debian/libpng3.links: fix up the compat symlink to point to /lib Patch by Steve Langasek Closes: #579074, LP: #284325 libpng (1.2.44-1) unstable; urgency=low * New upstream release Stop memory leak when reading a malformed sCAL chunk libpng (1.2.43-1) unstable; urgency=high * New upstream release * Fix CVE-2010-0205 and Cert VU#576029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 https://www.kb.cert.org/vuls/id/576029 Do not stall and consume large quantities of memory while processing certain Portable Network Graphics (PNG) files Closes: 572308 libpng (1.2.42-2) unstable; urgency=low * Merge 1.2.42-1ubuntu1 Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. * Fix out-of-date-standards-version libpng (1.2.42-1ubuntu1) lucid; urgency=low * Merge from Debian testing. Remaining changes: - Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.42-1) unstable; urgency=low * New upstream release * Remove 02-export-png_set_strip_error_numbers.patch (merged) * Fix debhelper-but-no-misc-depends libpng (1.2.41-1ubuntu1) lucid; urgency=low * Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.41-1) unstable; urgency=low * New upstream release * Debian source format is 3.0 (quilt) * Update debian/watch * Add 02-export-png_set_strip_error_numbers.patch Define PNG_ERROR_NUMBERS_SUPPORTED Upstream doesn't define PNG_ERROR_NUMBERS_SUPPORTED since 1.2.41. As a consecuence, the symbol png_set_strip_error_numbe@@PNG12_0 wasn't exported. libpng (1.2.40-1) unstable; urgency=low * New upstream release libpng (1.2.39-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Fix patch-system-but-no-source-readme libpng (1.2.38-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Update upstream homepage Closes: 536474 libpng (1.2.37-1) unstable; urgency=low * New upstream release libpng (1.2.36-1) unstable; urgency=low * New upstream release * Standards-Version is 3.8.1 * debhelper compat is 7 * Run dh_prep instead of dh_clean -k libpng (1.2.35-1) unstable; urgency=high * New upstream release - http://secunia.com/advisories/33970/ Fix a vulnerability reported by Tavis Ormandy in which some arrays of pointers are not initialized prior to using "malloc" to define the pointers. Closes: #516256 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907 The png_check_keyword function in pngwutil.c in libpng, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. * Don't build libpng3 when binary-indep target is not called. Closes: #486415 libpng (1.2.33-2) unstable; urgency=low * Fix the following lintian issues: W: libpng12-0: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL libpng (1.2.33-1) experimental; urgency=low * New upstream release - Fix memory leak after reading a malformed tEXt chunk libpng (1.2.32-1) experimental; urgency=low * New upstream release - libpng.pc is configured to do static linking; closes: #483477 - use autoconf variables in .pc and libpng-config; closes: #483478 * Remove debian/patches/02-501109-pngtest.c.diff; it was merged libpng (1.2.27-2) unstable; urgency=medium * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109 * Standards-Version is 3.8.0 libpng (1.2.27-1) unstable; urgency=low * New upstream release * Patches merged upstream: debian/patches/02-476669-CVE-2008-1382.diff debian/patches/03-404514-png.5.diff * Run ./autogen.sh libpng (1.2.26-1) unstable; urgency=high * New upstream release. Closes: #431202 * Use quilt Add 01-legacy.diff * Fix CVE-2008-1382 denial of service and possibly code execution Add 02-476669-CVE-2008-1382.diff Closes: #476669 * Fix URL in png.5. Closes: #404514 Add 03-404514-png.5.diff * Move examples to libpng12-dev. Closes: #401467 * Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126 * Fix the following lintian issues: W: libpng source: debian-rules-ignores-make-clean-error line 37 W: libpng source: substvar-source-version-is-deprecated libpng12-dev W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3) W: libpng12-0-udeb udeb: description-contains-homepage W: libpng3: description-contains-homepage W: libpng12-dev: description-contains-homepage W: libpng12-0: package-contains-empty-directory usr/bin/ W: libpng12-0: package-contains-empty-directory usr/sbin/ W: libpng12-0: description-contains-homepage W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming libpng (1.2.15~beta5-3) unstable; urgency=high * ACKed NMU. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2.1) unstable; urgency=high * Non-maintainer upload by testing security team. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2) unstable; urgency=high * It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla. Closes: #424729. - CVE-2007-2445 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445 - CERT Vulnerability Note VU#684664 http://www.kb.cert.org/vuls/id/684664 libpng (1.2.15~beta5-1) unstable; urgency=low * Applied legacy_symbols.patch. * Changed shlibs dependecy versions to ">= 1.2.13-4". * libpng12-0: Added the following conflicts: mzscheme (<= 1:209-5), pngcrush (<= 1.5.10-2), pngmeta (<= 1.11-3), qemacs (<= 0.3.1-5), povray-3.5 (<= 3.5.0c-10). libpng (1.2.15~beta5-0) unstable; urgency=high * New upstream release. - Fixed asm API functions not exported on amd64. Closes: #401044. - Fixed "libpng hangs when saving profile". Closes: #401423. * Fixed "Incorrect shlibs information". Closes: #401465. * Removed patches for png.h and pngconf.h. * Updated debian/watch. libpng (1.2.13-4) unstable; urgency=low * Removed drop_pass_width patch. Closes: #399499. libpng (1.2.13-3) unstable; urgency=low * libpng12-dev: removed the conflict with libpng3-dev. libpng (1.2.13-2) unstable; urgency=low * Put back binary package libpng3. libpng (1.2.13-1) unstable; urgency=low * Fixed conflict with the new libpng package. Closes: #399296. * Fixed png.5 man page formatting. Closes: #353061. Patch by Kevin Ryde <user42@zip.com.au>. libpng (1.2.13-0) unstable; urgency=high * New upstream release. * CVE-2006-5793: Fixed a new security issue regarding malformed sPLT chunks. Closes: #398706. * Transitional package libpng3 is not shipped anymore. Closes: #369104. libpng (1.2.12-0) unstable; urgency=high * New upstream release. Closes: #366070. * CVE-2006-3334: Fixed Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name". Closes: #397892. * Removed debian/x86_patches/pnggccrd-PIC.patch as it's merged upstream. libpng (1.2.8rel-7) unstable; urgency=low * New maintainer. Closes: #393109. * ACK NMUs. Closes: #378463, #377298, #356252. * debian/control: - set Standards-Version to 3.7.2. - set Priority to extra for libpng12-0-udeb. - added ${misc:Depends} to libpng12-0 and libpng12-0-udeb dependency lists. * Added debian/watch file. libpng (1.2.8rel-6) unstable; urgency=low * Orphaning package. libpng (1.2.8rel-5.2) unstable; urgency=low * Non-maintainer upload. * Backport changes from 1.2.12 to fix a buffer overflow in png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334] (Closes: #377298) libpng (1.2.8rel-5.1) unstable; urgency=low * Non Maintainer Upload (closes: #356252). * Add support for udeb dependency resolution in shlibs file. * Update debhelper compatibility to level 5. libpng (1.2.8rel-5) unstable; urgency=low * drop_pass_width.patch: don't export png_pass_width, it's absolutely unnecessary. * libpng12-0.shlibs: downgrade the shlibs accordingly (closes: #331383). libpng (1.2.8rel-4) unstable; urgency=low * makefile.patch: + Use PNG_PRIVATE to get the list of private symbols as well. It sucks, but they've been there for too long (closes: #329886). + Use mawk instead of awk (closes: #329812). * control: build-depend on mawk. * rules: + Use -O2, not -O3. + Actually run the tests. + Make use of x86_patches/ on x86 architectures. * x86_patches/mmxbuild.patch: build MMX routines in pnggccrd.c. * x86_patches/pnggccrd-PIC.patch: patch from Christian Aichinger to make the assembly routines PIC-compatible. * libpng12-0.shlibs: bump the shlibs version. libpng (1.2.8rel-3) unstable; urgency=low * Upload to unstable. * Rename the source package to libpng. libpng3 (1.2.8rel-2) experimental; urgency=low * makefile.patch: + now patch makefile.elf, so that only public symbols are truly exported. + shorten the differences as much as possible. * rules: use makefile.elf now. * Move libpng3 to oldlibs. * Entirely remove libpng3-dev, making libpng12-dev provide it (closes: #322051). * poynton.patch: correct Charles Poynton's address (closes: #289437). * Don't run the test when cross-building (closes: #285427). * setjmp_error.patch: don't stop when we are not using _BSD_SOURCE, as in this case this is harmless (closes: #299343). * libpng3.postinst: removed, the fix is in sarge. * Standards-version is 3.6.2. * legacy_symbols.patch: still export png_read_destroy and png_write_destroy, which are deprecated but should nevertheless be accessible. libpng3 (1.2.8rel-1) unstable; urgency=medium * New upstream release. * read_transformations.patch: removed, included upstream. * libpng12-0.shlibs: Update to version 1.2.8rel, new flags seem to have been added. libpng3 (1.2.8beta5-2) unstable; urgency=medium * read_transformations.patch: fix segmentation fault with latex (closes: #281789) and totem (closes: #278618). libpng3 (1.2.8beta5-1) unstable; urgency=medium * New upstream release. + Correct segmentation violation in png_combine_row. Closes: #278526, #278917, #278921, #279258, #281789, #282368. libpng3 (1.2.7-1) unstable; urgency=medium * New upstream release (closes: #278308). * libpng12-0.shlibs: update shlibs to version 1.2.7. * Remove all security fixed, they are included upstream. libpng3 (1.2.5.0-9) unstable; urgency=high * CAN-2004-0954.patch: removed, this is already fixed in CAN-2004-0597_0598_0599.patch. libpng3 (1.2.5.0-8) unstable; urgency=high * Switch to CDBS. + Ship modifications and security fixes in debian/patches. + debian/rules: rewritten. + debian/control: build-depend on cdbs. + debian/libpng12-0.shlibs: new. * setjmp_error.patch: port explanation of the error when including setjmp.h from libpng10, thanks Matijs van Zuijlen <Matijs.van.Zuijlen@xs4all.nl> (closes: #273473). * CAN-2004-0954.patch: fix buffer overflow vulnerability in png_handle_tRNS(). * CAN-2004-0955.patch: fix integer arithmetic overflow vulnerability in png_read_png(). libpng3 (1.2.5.0-7) unstable; urgency=high * pngrtran.c: applied upstream patch 4 to fix incorrect calculation of buffer offsets [CAN-2004-0768]. * png.h, pngpread.c, pngrutil.c: patch from Chris Evans <chris@scary.beasts.org> to fix several vulnerabilities (closes: #263500): + libpng fails to properly check length on PNG data [CAN-2004-0597]. + libpng "png_handle_sBIT" does not perform proper checks to avoid stack buffer overflow [CAN-2004-0597]. + libpng "png_handle_iCCP" possible NULL-pointer crash [CAN-2004-0598]. + libpng "png_handle_sPLT" possible integer overflow [CAN-2004-0599]. + libpng "png_read_png" does not properly handle a PNG with excessive height (integer overflow) [CAN-2004-0599]. + libpng progressive reading integer overflow [CAN-2004-0599]. libpng3 (1.2.5.0-6) unstable; urgency=high * pngerror.c: applied patch by Steve Grubb <linux_4ever@yahoo.com> to fix unintended memory access that could result in a crash of the application linking against libpng [CAN-2004-0421]. libpng3 (1.2.5.0-5) unstable; urgency=low * Use debhelper 4.2, which generates the udeb appropriately. * Update control and rules appropriately. * Don't use ${shlibs:Depends} for the udeb, rather write the dependencies by hand. * Standards-version is 3.6.1. libpng3 (1.2.5.0-4) unstable; urgency=low * scripts/makefile.linux: use versioned dependencies (closes: #155891). * debian/rules: bump dependency for dh_makeshlibs. * add the libpng.a link in libpng12-dev. * Rework scripts/makefile.linux to make it more consistent. * Update stuff in debian/ accordingly. * Updated README.Debian. libpng3 (1.2.5.0-3) unstable; urgency=low * Make libpng3{,-dev} depend on libpng12-{0,dev} >= 1.2.5.0-2 instead of the strict source version. * Move /usr/share/doc/libpng3{,-dev} into symlinks at postinst time when directories already exist. * debian/rules: install correctly doc-base stuff. * debian/libpng12-dev.doc-base: updated URIs. libpng3 (1.2.5.0-2) unstable; urgency=low * scripts/{makefile.linux,libpng-config-body.in}: correct the libpng12-config script. * Install correctly pkg-config stuff (closes: #191081). * Make libpng12-dev conflict explicitly with libpng12-0-dev. * Update README.Debian. libpng3 (1.2.5.0-1) unstable; urgency=low * New maintainer. * Use real upstream tarball from 1.2.5 release. * Use dpkg-source's way instead of dpatch for patching. * A bit of rework in debian/rules, use dh_install and debhelper 4. * Standards-version is 3.5.9. * The -dev package is now named libpng12-dev (stop using the libpkg-guide way). * libpng3 is now arch-independent. * Improved descriptions a bit. * Don't supply libpngpf.3, it is not useful to programmers. libpng3 (1.2.5-11) unstable; urgency=low * Add udeb (closes: #174842) * Add missing section on source files. libpng3 (1.2.5-10) unstable; urgency=low * Rebuild with d-shlibs with fixed "libgcc_s1-dev" handling (for gcc-3.2). (closes: #178070), build-depend on d-shlibs 0.10 or greater. libpng3 (1.2.5-9) unstable; urgency=low * Use dpatch for patch system -- divide Debian patch, and security fix patch. * Standards-Version: 3.5.8 * add manual page libpng-config.1 and libpng12-config.1 libpng3 (1.2.5-8) unstable; urgency=low * Sorry folks, I made a mistake. * Forward-port of patch from the Security Team, really apply what was there. (closes: #172868,#172871) libpng3 (1.2.5-7) unstable; urgency=high * Forward-port of patch from the Security Team * Applied patch to pngrtran.c by Glenn Randers-Pehrson <glennrp@comcast.net> to fix a buffer overrun. libpng3 (1.2.5-6) unstable; urgency=low * Typo in scripts/makefile.linux. Mistake. -lz and -lm weren't happening. * Change LDFLAGS to not list -lz -lm, so that testsuite will catch such error. * set prefix=/usr/ in scripts/makefile.linux, since it was set to usr/local. libpng3 (1.2.5-5) unstable; urgency=low * scripts/makefile.linux: LIBADDFLAGS introduced, for shared library lib additional flags, and use that for shared library. - this should fix build failure (closes: #166704) Thanks Daniel Schepler <schepler@math.berkeley.edu> for reporting. * updated copyright file to note that libpng3 in Debian is patched to link with -lz -lm. libpng3 (1.2.5-4) unstable; urgency=low * Trying to fix the problem that libpng3 seems to be not linked against libz. LDFLAGS was defined but not being used. Thanks Mike Furr <mfurr@debian.org> for reporting (closes: #166489) libpng3 (1.2.5-3) unstable; urgency=low * Fixed description, I mixed up the -devel and non-devel packages. * updated README.Debian. libpng3 (1.2.5-2) unstable; urgency=low * careless mistake :( * reinstall libpng.so symlink in libpng-12-0-dev package. Otherwise other packages won't build ... libpng3 (1.2.5-1) unstable; urgency=low * New upstream version (closes: #163425) * re-patched makefile.linux to work with system zlib, added workaround to set CFLAGS, and remove rpath settings from LDFLAGS * Use debhelper. * No longer create /usr/doc symlinks. * Standards-Version: 3.5.7 libpng3 (1.2.1-5) unstable; urgency=low * Not yet released. * Change priority from standard to optional. libpng3 (1.2.1-4) unstable; urgency=low * change -dev dependency of libc6-dev to libc-dev libpng3 (1.2.1-3) unstable; urgency=low * Security fix backported from 1.2.4. Check bounds of variables. (closes: #155403) libpng3 (1.2.1-2) unstable; urgency=low * New maintainer (closes: #151343) * apply buffer overflow patch for interlaced png files (closes: #150595) * update description for libpng3-dev. * change libpng-dev to libpng3-dev libpng3 (1.2.1-1.1) unstable; urgency=low * NMU * Provides: libpng2-dev has been changed to Provides: libpng3-dev libpng2-dev can be put back in when some kind of sane transition has finished. (closes: #128384, #128871, #129268, #129269) libpng3 (1.2.1-1) unstable; urgency=low * New upstream version; closes: #125679. * New source package name: libpng3. * Renamed libpng<x>-dev to libpng-dev to avoid having to maintain several development packages (the -dev is source compatible). * Moved png.5 into the -dev package. * Added a Replaces: libpng2 to libpng-dev so that we can steal the png.5 manpage without fuss. * Changed debian/shlibs for libpng3. * Compress examples/pngtest.c. libpng (1.0.12-3) unstable; urgency=low * Moved the png.5 manpage to the dev package to allow multiple libpng<n> packages installed at the same time. libpng (1.0.12-2) unstable; urgency=low * Changed libpng2-dev's section to devel to resync with override file. * Fixed upstream version detection in debian/rules; closes: #105931. libpng (1.0.12-1) unstable; urgency=low * New upstream release; closes: #105354. * Bumped dependency information in debian/shlibs to libpng >= 1.0.12 since there were some non-backwards compatible changes to the API. * Added support for DEB_BUILD_OPTIONS and get-orig-source to debian/rules. * Added call to ldconfig on postrm's remove. * Removed INSTALL file from /usr/share/doc/libpng2. * Bumped standards version to 3.5.5.0. libpng (1.0.11-1) unstable; urgency=low * New upstream release. libpng (1.0.10-2) unstable; urgency=low * Force recompile because of bad sparc package. * Libpng2's priority changed to standard to comply with the override file. libpng (1.0.10-1) unstable; urgency=low * New upstream release. * Changed shlib to depend on libpng2 (>= 2.0.10) because of non-backwards compatible changes. libpng (1.0.8-1) unstable; urgency=low * Changed the doc-base type from 'test' to 'text'; closes: #59877. * New upstream relase 1.0.8; closes: #70464. * Updated copyright notice. * Removed Y2kINFO from the doc directory. * Added pngtest.c in examples; closes: #65229. * Updated to standards version 3.2.1.0. * Added build-depends line in control file; closes: #69291. libpng (1.0.5-1) frozen unstable; urgency=low * Maintainer upload (closes: #48244, #48246). * Added some extra explanations for the setjmp.h mess (closes: #56759), see pngconf.h for details. libpng (1.0.5-0.1) unstable; urgency=low * Non-maintainer release. * New upstream release. (closes:Bug#48244). * Remove versioned depend from shlibs (closes:Bug#48246). libpng (1.0.3-1) unstable; urgency=low * New upstream version (1.0.3); Closes: #31870, #46333. * Maintainer upload, closes NMU bugs; Closes: #28412, #31523, #31690. * FHS compliant. * New standard-version 3.0.1. * Lintian clean. * Removed temporary zlib1g line in control file (used to be a bug in zlib1g). * Moved the documentation file to the -dev package. * Register documentation file to doc-base. * Fontified man pages with addformat script; Closes #38680. libpng (1.0.2b-0.1) frozen unstable; urgency=low * New upstream (bug-fix only) version. (Should fix bugs #31690滼, since I can't reproduce them) From the author: "I have recently uploaded libpng-1.0.2b to ftp://swrinde.nde.swri.edu/pub/png-group/src I plan to release it as libpng-1.0.3 in a few days, but would like to hear whether it fixes the problems with GNOME. It restores a few lines of code that were inadvertently deleted from pngread.c, which seems to be the cause of problems with adding an alpha channel (which you fixed by downgrading to libpng-1.0.1's pngread.c)." [Glenn Randers-Pehrson <glennrp@netgsi.com>] * Masquerade version number to 1.0.3 to make Imlib & Co. happy. libpng (1.0.2-1.1) frozen unstable; urgency=low * Fix Important bug #28412 (using pngread.c from libpng-1.0.1 did the trick). libpng (1.0.2-1) unstable; urgency=low * Maintainer release (to change a bit). * Pristine sources. * Libpng2-dev includes example.c (fixes bug #10315). * Changed control file to reflect difference with libpng0g (fixes #23795). * Recompiled (should fix the zlib1g missing symbol, bug #24450). * Added -D_REENTRANT also to static library. * Added a dependency upon zlib1g >= 1.1.2 (otherwise we get a missing symbol) (fixes bug #24450). libpng (1.0.2-0.1) unstable; urgency=low * Non-maintainer release * New upstream version libpng (1.0.1-0.2) unstable; urgency=medium * debian/rules (binary-arch): don't call install with -s as an argument when installing a shared library; it doesn't know to use --strip-unneeded, and we call strip separately later anyway. * scripts/makefile.lnx (CFLAGS): killed i386-isms. * scripts/makefile.lnx: compiled shared libraries with -D_REENTRANT. (The above fixes are from James Troup, who yet again, alerted me to my screwups ;) * debian/postinst: only call ldconfig if $1 = configure. libpng (1.0.1-0.1) unstable; urgency=low * New upstream bug fix release. * Include man pages. libpng (1.0.0-0.1) unstable; urgency=low * Non-maintainer Release. * New Upstream Release. * Changed source package name to `libpng'. * Added `-f makefile.lnx' to make invocations in debian/rules. * Removed `ldconfig' call from postrm. libpng0 (0.96-5) unstable; urgency=low * Removed executable permissions on shared libs (fixes bug #15478). * Updated Standards-Version to 2.3.0.1. libpng0 (0.96-4) unstable; urgency=low * Shared libraries are stripped with --strip-unneeded and static libraries with --strip-debug (fixes bug #15669). * Made the build strip non-i386 specific (patch by James Troup) (fixes bug #13832). * Removed the dependency between the libc5 and libc6 versions. libpng0 (0.96-3) unstable; urgency=low * Libc6 compilation. libpng0 (0.96-2) unstable; urgency=low * Fixed permissions in /usr/doc/libpng0 (fixes bug #10540). libpng0 (0.96-1) unstable; urgency=low * New upstream sources. libpng0 (0.95b-1) unstable; urgency=low * New maintainer. * Upgraded to upstream version 0.95b. * Make debian/rules version independent. * Debian/rules clean now removes substvars. * Bumped the shlibs version to 0.95 as some incompatibilities were introduced between 0.89 and 0.90. * Added the Section: and Priority: fields to the control file (fixes bug #6370). * Now /usr/doc/libpng0 contains various info and the debian change log stuff (fixes bug #7925). * Added -D_REENTRANT compilation flag. libpng (0.89c-6) unstable; urgency=low * Moved shlibs file to correct location libpng (0.89c-5) unstable; urgency=low * Added shlibs file libpng (0.89c-4) unstable; urgency=low * Now stripping shared libraries (Bug#5134) libpng (0.89c-3) unstable; urgency=low * Corrected maintainers address libpng (0.89c-2) unstable; urgency=low * Accommodate the fact that dpkg-source doesn't properly preserve permissions on scripts when extracting package. (Bug#4513) libpng (0.89c-1) unstable; urgency=low * New upstream version. * Moved to new source packaging format.
libpng1.6 (1.6.37-3build5) jammy; urgency=high * No change rebuild for ppc64el baseline bump. libpng1.6 (1.6.37-3build4) impish; urgency=medium * No-change rebuild to build packages with zstd compression. libpng1.6 (1.6.37-3build3) hirsute; urgency=medium * No-change rebuild to build with lto. libpng1.6 (1.6.37-3build2) hirsute; urgency=medium * No-change rebuild to drop the udeb package. libpng1.6 (1.6.37-3build1) hirsute; urgency=medium * No-change rebuild to drop the udeb package. libpng1.6 (1.6.37-3) unstable; urgency=medium [ Debian Janitor ] * Wrap long lines in changelog entries: 1.2.5-5. [ Gianfranco Costamagna ] * debian/patches/326.patch: - add upstream proposed patch to fix a decode fail with invalid eXIf chunks (Closes: #969502) libpng1.6 (1.6.37-2) unstable; urgency=medium [ Debian Janitor ] * Set upstream metadata fields: Bug-Database, Repository, Repository- Browse. * Rely on pre-initialized dpkg-architecture variables. * Fix day-of-week for changelog entry 1.0.0-0.1. * Set upstream metadata fields: Bug-Submit. [ Gianfranco Costamagna ] * Bump std-version to 4.5.0, no changes required libpng1.6 (1.6.37-1) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.37-1~exp4) experimental; urgency=medium * debian/patches/72fa126446460347a504f3d9b90f24aed1365595.patch: - cherry-pick upstream possible fix for tests not being parallel-safe (Closes: #920657) libpng1.6 (1.6.37-1~exp3) experimental; urgency=medium * Fix two lintian warnings: - drop upstream signing key, upstream seems to have stopped tarball signatures when moved to github (see upstream issue: #287) - double "version" tag in debian/watch libpng1.6 (1.6.37-1~exp2) experimental; urgency=medium * Simplify tests, by not passing the .libs directory during their execution libpng1.6 (1.6.37-1~exp1) experimental; urgency=medium * New upstream version 1.6.37 - upload to experimental because of freeze * Update watch file for github publish site * Update copyright years and text for pngminus * Drop all upstream patches, patch refresh for apng patch * Bump compat level to 12 libpng1.6 (1.6.36-6) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.36-5exp1) experimental; urgency=medium * Drop Anibal from uploaders list, thank you for your nice work! (Closes: #925014) * Update copyright years. * Drop patch 272.patch, superseeded by upstream commits: 70d122aac42933ab8a708c538f973c3307853212.patch (uncommented) 82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch a627bd26a375f5c41d54f90a47c838157d1bec97.patch libpng1.6 (1.6.36-5) unstable; urgency=medium * Tweak old 272 patch to add the only relevant part of commit 70d122aac42933ab8a708c538f973c3307853212.patch * Drop 70d122aac42933ab8a708c538f973c3307853212.patch, it breaks the testsuite. libpng1.6 (1.6.36-4) unstable; urgency=high * debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch, debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch: - new fixes for arm64 and general test failures (and leaks) * debian/patches/CVE-2019-7317.patch: - fix for CVE 2019-7317 (Closes: #921355) Thanks Salvatore Bonaccorso for your report! libpng1.6 (1.6.36-3) unstable; urgency=medium * debian/patches/272.patch: - upstream fix for arm64 test failures. - drop previous revert-* patches libpng1.6 (1.6.36-2) unstable; urgency=medium * Update watch file for github location * Add apng support, like what is done in arch linux - pnggroup/libpng#267 * d/p/revert-{7734cda20cf1236aef60f3bbd2267c97bbb40869, 1ceaa83a844cd3ecef25279d60720f910b96f297, b66ed711315c46ef6c556c83c0074ecdcbd9937f}.patch: revert on arm64 only the chromebook optimizations, they are making the build fail. - discussion at pnggroup/libpng#266 [ Mattia Rizzolo ] * Fixup std-version numbering libpng1.6 (1.6.36-1) unstable; urgency=medium * New upstream version 1.6.36 * update copyright file * Bump std-version to 4.3.0.1, no changes required * drop patch 8a057: upstream * Add nocheck profile in rules file [ Ondřej Nový <onovy@debian.org> ] * d/changelog: Remove trailing whitespaces libpng1.6 (1.6.34-2) unstable; urgency=medium [ Salvatore Bonaccorso ] * debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch: Closes: #903430 CVE-2018-13785 [ Gianfranco Costamagna ] * Upload to unstable * Switch VCS fields to salsa.d.o * Bump std-version to 4.1.5, no changes required * Switch copyright in https mode libpng1.6 (1.6.34-1) unstable; urgency=medium * New upstream version 1.6.34 * Remove files removed upstream (the failing png files) libpng1.6 (1.6.33-1) unstable; urgency=medium * New upstream version 1.6.33 * Drop idat patch: upstream * Update copyright * Bump std-version to 4.1.1 * Remove some new test png files that make testsuite fail (they fail also on older libpng version, just they weren't available status is tracked at https://sourceforge.net/p/libpng/bugs/271/ ) libpng1.6 (1.6.32-3) unstable; urgency=high * Fix invalid IDAT images, thanks Felix Geyer for the debug/bug reassign! (Closes: #876563) libpng1.6 (1.6.32-2) unstable; urgency=medium * Bump std-version to 4.1.0, now priority is extra * Add missing newline on copyright entry, making lintian sad * Move the examples into the main libpng-dev (Closes: #876244) - thanks Helmut Grohne for the useful bug report! libpng1.6 (1.6.32-1) unstable; urgency=medium * New upstream version 1.6.32 * Update copyright file libpng1.6 (1.6.31-1) unstable; urgency=medium * New upstream release. * Update d/watch to point to ftp site and to verify gpg signature. * fix-arm-build.patch removed, fixed upstream. * Update d/copyright (years and add new maintainers) and remove some redudant entries. libpng1.6 (1.6.30-2) unstable; urgency=medium * Fix arm* build failures with upstream patch (Closes: #867670) libpng1.6 (1.6.30-1) unstable; urgency=medium * New upstream release. * Update copyright * Bump std-version to 4.0.0 libpng1.6 (1.6.29-3) unstable; urgency=medium * Upload to unstable libpng1.6 (1.6.29-2) experimental; urgency=medium * Enable PIE eveywhere libpng1.6 (1.6.29-1) experimental; urgency=medium * New upstream release. - Drop fix multiarch patch: upstream * Use autoreconf. libpng1.6 (1.6.28-1exp4) experimental; urgency=medium * Override autoreconf due to debhelper bug 844504 libpng1.6 (1.6.28-1exp3) experimental; urgency=medium * No-autoreconf for cmake builds libpng1.6 (1.6.28-1exp2) experimental; urgency=medium * Readd multiarch patch, it was merged by upstream on master but not on 1.6 branch libpng1.6 (1.6.28-1exp1) experimental; urgency=medium * Switch to cmake libpng1.6 (1.6.28-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.27-1) unstable; urgency=medium * New upstream release (Closes: #849799) - Fix for CVE-2016-10087 libpng1.6 (1.6.26-6) unstable; urgency=medium * Enable pie in Debian, disable it in Ubuntu. - thanks pochu :) libpng1.6 (1.6.26-5) unstable; urgency=medium * Revert cmake switch, failing on arm64. libpng1.6 (1.6.26-4) unstable; urgency=low * Upload to unstable. * Disable pie where Ubuntu has not defaulted yet. (armhf, arm64, powerpc) libpng1.6 (1.6.26-3) experimental; urgency=medium * Switch to cmake. libpng1.6 (1.6.26-2) unstable; urgency=medium * Enable full hardening (+pie) (Closes: #844429) libpng1.6 (1.6.26-1) unstable; urgency=low * New upstream release. * Switch to compat level 10 - Drop autoreconf/parallel, automatically injected libpng1.6 (1.6.25-2) unstable; urgency=medium * Mark the -tools package Multi-Arch: foreign. (Closes: #840446). Thanks Francois Gourget for the bug report! libpng1.6 (1.6.25-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.24-2) unstable; urgency=medium * Stop providing pngcp, because a tool with the same name is provided by pngtools (Closes: #834119, #834118). - Consider re-enabling it if ineeded, but for now the tool has no manpage and no help command. - An alternative might be to make pngtools and libpng-tools conflict each others. libpng1.6 (1.6.24-1) unstable; urgency=medium * New upstream release. - install also new pngcp tool in libpng-tools package. libpng1.6 (1.6.23-1) unstable; urgency=medium * New upstream release. libpng1.6 (1.6.22-1) unstable; urgency=medium * New upstream release. - drop fix_define_PNG_READ_16_TO_8.patch: upstream * Update copyright file. libpng1.6 (1.6.21-5) unstable; urgency=medium * d/control: Add VCS-* to repository on collab-maint. * Add patch to properly define PNG_READ_16_TO_8_SUPPORTED (Closes: #824014) * Add d/gbp.conf to ensure signed tags. libpng1.6 (1.6.21-4) unstable; urgency=medium * add libpng-config.patch from the old src:libpng. - disabling multiarch bits in libpng-config has the "side-effect" to let us have a Multiarch libpng-dev package. Closes: #822297 * Make the libpng-dev package Multiarch ready. libpng1.6 (1.6.21-3) unstable; urgency=medium [ Manuel A. Fernandez Montecelo ] * Add hardening flags (excluding PIE. CLoses: #805822) [ Gianfranco Costamagna ] * Drop useless pre-depends line. [ Bart Martens ] * Fix watch file [ Laurent Bigonville ] * Drop useless packages in Replaces field. (Closes: #820887) libpng1.6 (1.6.21-2) unstable; urgency=medium * Upload to unstable. * Add myself and Tobias to uploaders, as per maintainers suggestion. * Bump std-version to 3.9.8, no changes required. libpng1.6 (1.6.21-1) experimental; urgency=medium * Team upload. * New upstream release. * Add upstream signing key * Fix watch file. * Update copyright file. * Drop libpng16-devtools, useless and merged in libpng-dev. (many packages relies on that script for building correctly) - breaks + replaces accordingly. * Remove multiarch -dev package * Rename libpng16-tools to libpng-tools, there is no need of strict versioning here. * Install upstream changelog. * Run upstream testsuite. * Remove README.* files, useless now. libpng1.6 (1.6.20-3) experimental; urgency=medium * Team upload * Move libpng16-dev to libpng-dev, to ease next transitions. * Drop conflicts against mzscheme, pngcrush, pngmeta, povray-3.5, qemacs, some of them disappeared, some of them have later versions already in old-oldstable. * Simplify even more the packaging, probably fixing #813288 * Fix symlinks, and two lintian errors: - library-in-root-and-usr - old-style-config-script-multiarch-path (multiarch: no for libpng16-devtools) * Update standard-version to 3.9.7, no changes required. * Switch to dh-autoreconf (Closes: #813027) * Remove libpng16-devtools circular dependency, recommend it instead. * Fix duplicate description lintian warning * Fix copyright lintian warnings * Remove copyright.in file * Use new plain dh calls in rules file * Remove some old lintian overrides. libpng1.6 (1.6.20-2) experimental; urgency=medium [ Tobias Frost ] * libpng16-16-udeb should not Conflicts: libpng-12-0. [ Anibal Monsalve Salazar ] * debhelper compat version is 9. * debian/control: libpng16-devtools is "Multi-Arch: same". libpng1.6 (1.6.20-1.1) experimental; urgency=medium * Non-maintainer upload. * Preparation for the transition, going to experimental. * Make libpng16-dev depend on libpng16-devtools to have libpng-config pulled in automatically for reverse dependencies. * Provide a so-name neutral devtools package libpng1.6 (1.6.20-1) experimental; urgency=medium * New upstream release. Fix CVE-2015-8472. Closes: #810074. * Use default options to compress. Remove debian/source/options. libpng1.6 (1.6.19-1) experimental; urgency=medium * New upstream release. * Update lintian-overrides for 1.6.19. libpng1.6 (1.6.16-1) experimental; urgency=medium * New upstream release (Closes: #773823) Fix CVE-2015-8540. * Standards Version is 3.9.6. * Update debian/copyright. Add infomation of license for other all files. * Update lintian-overrides for 1.6.16. libpng1.6 (1.6.10-2) experimental; urgency=low * Add libpng16-devtools package. Move libpng-config to this package. libpng1.6 (1.6.10-1) experimental; urgency=low * New upstream release (Closes: #740585) Fixed CVE-2014-0333. * Update overrides files. libpng1.6 (1.6.8-2) experimental; urgency=low * Update debian/copyright. (Closes: #735737) libpng1.6 (1.6.8-1) experimental; urgency=low * New upstream release. libpng1.6 (1.6.7-1) experimental; urgency=low * New upstream release. libpng (1.5.11-1) experimental; urgency=low * New upstream release. libpng (1.5.10-3) experimental; urgency=low * Remove libpng12-dev binary package. libpng-dev provides and replaces libpng12-dev. libpng (1.5.10-2) experimental; urgency=low * Add transition packages libpng3, libpng12-0 and libpng12-dev libpng (1.5.10-1) experimental; urgency=high * New upstream version 1.5.10 - Fix CVE-2011-3048 (memory corruption flaw) Closes: 667475 * Standards Version is 3.9.3 libpng (1.5.9-1) experimental; urgency=low * New upstream version 1.5.9 The purpose of this release is to fix the dangerous CVE-2011-3026. The libpng patch is different from the one that was distributed earlier by Chromium, in that the libpng user limit feature is not crippled by the patch. Remove 02-660026-CVE-2011-3026.patch libpng (1.5.8-1) experimental; urgency=high * New upstream release. Fix a one-byte (stack) buffer-overrun bug in png_formatted_warning(), which could lead to crashes (denial of service) or, conceivably, execution of hostile code. This vulnerability has been assigned ID CVE-2011-3464. * Check for both truncation (64-bit platforms) and integer overflow Fix CVE-2011-3026 Add 02-660026-CVE-2011-3026.patch Closes: 660026 libpng (1.5.7-2) experimental; urgency=low * Fix typo from PPFLAGS to CPPFLAGS. libpng (1.5.7-1) experimental; urgency=low * New upstream release. * Update debian/rules. Enabled hardened build flags. (Closes: #654149) libpng (1.5.6-1) experimental; urgency=low * New upstream release. libpng (1.5.5-1) experimental; urgency=low * New upstream release. * Fix lintian error: udeb-uses-non-gzip-data-tarball. Changed option of dh_builddeb for every package. * Fix lintian warning: brace-expansion-in-debhelper-config-file. Remove brace-expansion from debian/libpng-dev.install. libpng (1.5.4-2) experimental; urgency=low * Port Steve Langasek's changes for 1.2.46-1 - Build for multiarch. Closes: 634151 - Drop debian/libpng15-15-udeb.dirs, which just adds a pointless empty directory to the udeb * Update debian/docs and debian/libpng15-15.docs * Add debian/libpng15-15.doc-base * Build-Depend on autotools-dev libpng (1.2.46-2) unstable; urgency=low [ Steve Langasek ] * Build for multiarch. Requires converting libpng3 from Arch: all to Arch: any. Closes: 634151 * Drop debian/libpng12-0-udeb.dirs, which just adds a pointless empty directory to the udeb. [ Anibal Monsalve Salazar ] * Fix doc-base file Closes: 633944, 633957, 634120 * Pass "-Zbzip2 -z9" to dpkg-deb libpng (1.5.4-1) experimental; urgency=low * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.2.46-1) unstable; urgency=high * New upstream release (Closes: #633871). - Fix CVE: CVE-2011-2690 Buffer overwrite in png_rgb_to_gray - CVE: CVE-2011-2691 Crash in png_default_error due to use of NULL Pointer - CVE: CVE-2011-2692 Memory corruption when handling empty sCAL chunks - Update patches/01-legacy.patch - Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream. libpng (1.5.2-3) experimental; urgency=low * Rename libpng15-dev to libpng-dev libpng (1.5.2-2) experimental; urgency=low * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Pass "-Zbzip2 -z9" to dpkg-deb * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.2.44-3) unstable; urgency=high * Fix 1-byte uninitialized memory reference in png_format_buffer() Fix CVE-2011-2501 Add debian/patches/02-632786-CVE-2011-2501.patch Closes: 632786 * Standards version is 3.9.2 * Fix xc-package-type-in-debian-control * Fix debian-rules-missing-recommended-target libpng (1.5.2-1) experimental; urgency=low * New upstream release (Closes: #565821, #574257, #606867). * Remove Sam Hocevar from Uploaders. * Add myself to Uploaders. * Remove libtool, automake and autoconf from Build-depends. * Disable practice of autogen.sh from debian/rules. * Remove support libpng3 package (Closes: #369104, #615558). * Update debian/copyright. - Update copyright holder. - Add new license for contrib/pngsuite (Closes: #615558). * Remove patches directory. * Add libpng15-dev.lintian-overrides. Overrides manpage-has-errors-from-man usr/share/man/man3/libpng.3.gz. libpng (1.2.44-2) unstable; urgency=low * debian/libpng3.links: fix up the compat symlink to point to /lib Patch by Steve Langasek Closes: #579074, LP: #284325 libpng (1.2.44-1) unstable; urgency=low * New upstream release Stop memory leak when reading a malformed sCAL chunk libpng (1.2.43-1) unstable; urgency=high * New upstream release * Fix CVE-2010-0205 and Cert VU#576029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 https://www.kb.cert.org/vuls/id/576029 Do not stall and consume large quantities of memory while processing certain Portable Network Graphics (PNG) files Closes: 572308 libpng (1.2.42-2) unstable; urgency=low * Merge 1.2.42-1ubuntu1 Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. * Fix out-of-date-standards-version libpng (1.2.42-1ubuntu1) lucid; urgency=low * Merge from Debian testing. Remaining changes: - Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.42-1) unstable; urgency=low * New upstream release * Remove 02-export-png_set_strip_error_numbers.patch (merged) * Fix debhelper-but-no-misc-depends libpng (1.2.41-1ubuntu1) lucid; urgency=low * Move libpng from /usr/lib to /lib, so that plymouth is usable on systems with a separate /usr. libpng (1.2.41-1) unstable; urgency=low * New upstream release * Debian source format is 3.0 (quilt) * Update debian/watch * Add 02-export-png_set_strip_error_numbers.patch Define PNG_ERROR_NUMBERS_SUPPORTED Upstream doesn't define PNG_ERROR_NUMBERS_SUPPORTED since 1.2.41. As a consecuence, the symbol png_set_strip_error_numbe@@PNG12_0 wasn't exported. libpng (1.2.40-1) unstable; urgency=low * New upstream release libpng (1.2.39-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Fix patch-system-but-no-source-readme libpng (1.2.38-1) unstable; urgency=low * New upstream release * Fix out-of-date-standards-version * Update upstream homepage Closes: 536474 libpng (1.2.37-1) unstable; urgency=low * New upstream release libpng (1.2.36-1) unstable; urgency=low * New upstream release * Standards-Version is 3.8.1 * debhelper compat is 7 * Run dh_prep instead of dh_clean -k libpng (1.2.35-1) unstable; urgency=high * New upstream release - http://secunia.com/advisories/33970/ Fix a vulnerability reported by Tavis Ormandy in which some arrays of pointers are not initialized prior to using "malloc" to define the pointers. Closes: #516256 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907 The png_check_keyword function in pngwutil.c in libpng, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. * Don't build libpng3 when binary-indep target is not called. Closes: #486415 libpng (1.2.33-2) unstable; urgency=low * Fix the following lintian issues: W: libpng12-0: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL libpng (1.2.33-1) experimental; urgency=low * New upstream release - Fix memory leak after reading a malformed tEXt chunk libpng (1.2.32-1) experimental; urgency=low * New upstream release - libpng.pc is configured to do static linking; closes: #483477 - use autoconf variables in .pc and libpng-config; closes: #483478 * Remove debian/patches/02-501109-pngtest.c.diff; it was merged libpng (1.2.27-2) unstable; urgency=medium * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109 * Standards-Version is 3.8.0 libpng (1.2.27-1) unstable; urgency=low * New upstream release * Patches merged upstream: debian/patches/02-476669-CVE-2008-1382.diff debian/patches/03-404514-png.5.diff * Run ./autogen.sh libpng (1.2.26-1) unstable; urgency=high * New upstream release. Closes: #431202 * Use quilt Add 01-legacy.diff * Fix CVE-2008-1382 denial of service and possibly code execution Add 02-476669-CVE-2008-1382.diff Closes: #476669 * Fix URL in png.5. Closes: #404514 Add 03-404514-png.5.diff * Move examples to libpng12-dev. Closes: #401467 * Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126 * Fix the following lintian issues: W: libpng source: debian-rules-ignores-make-clean-error line 37 W: libpng source: substvar-source-version-is-deprecated libpng12-dev W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3) W: libpng12-0-udeb udeb: description-contains-homepage W: libpng3: description-contains-homepage W: libpng12-dev: description-contains-homepage W: libpng12-0: package-contains-empty-directory usr/bin/ W: libpng12-0: package-contains-empty-directory usr/sbin/ W: libpng12-0: description-contains-homepage W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming libpng (1.2.15~beta5-3) unstable; urgency=high * ACKed NMU. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2.1) unstable; urgency=high * Non-maintainer upload by testing security team. * Fixed out-of-bounds read operations triggered by crafted png image files (CVE-2007-5269) (Closes: #446308). libpng (1.2.15~beta5-2) unstable; urgency=high * It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla. Closes: #424729. - CVE-2007-2445 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445 - CERT Vulnerability Note VU#684664 http://www.kb.cert.org/vuls/id/684664 libpng (1.2.15~beta5-1) unstable; urgency=low * Applied legacy_symbols.patch. * Changed shlibs dependecy versions to ">= 1.2.13-4". * libpng12-0: Added the following conflicts: mzscheme (<= 1:209-5), pngcrush (<= 1.5.10-2), pngmeta (<= 1.11-3), qemacs (<= 0.3.1-5), povray-3.5 (<= 3.5.0c-10). libpng (1.2.15~beta5-0) unstable; urgency=high * New upstream release. - Fixed asm API functions not exported on amd64. Closes: #401044. - Fixed "libpng hangs when saving profile". Closes: #401423. * Fixed "Incorrect shlibs information". Closes: #401465. * Removed patches for png.h and pngconf.h. * Updated debian/watch. libpng (1.2.13-4) unstable; urgency=low * Removed drop_pass_width patch. Closes: #399499. libpng (1.2.13-3) unstable; urgency=low * libpng12-dev: removed the conflict with libpng3-dev. libpng (1.2.13-2) unstable; urgency=low * Put back binary package libpng3. libpng (1.2.13-1) unstable; urgency=low * Fixed conflict with the new libpng package. Closes: #399296. * Fixed png.5 man page formatting. Closes: #353061. Patch by Kevin Ryde <user42@zip.com.au>. libpng (1.2.13-0) unstable; urgency=high * New upstream release. * CVE-2006-5793: Fixed a new security issue regarding malformed sPLT chunks. Closes: #398706. * Transitional package libpng3 is not shipped anymore. Closes: #369104. libpng (1.2.12-0) unstable; urgency=high * New upstream release. Closes: #366070. * CVE-2006-3334: Fixed Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name". Closes: #397892. * Removed debian/x86_patches/pnggccrd-PIC.patch as it's merged upstream. libpng (1.2.8rel-7) unstable; urgency=low * New maintainer. Closes: #393109. * ACK NMUs. Closes: #378463, #377298, #356252. * debian/control: - set Standards-Version to 3.7.2. - set Priority to extra for libpng12-0-udeb. - added ${misc:Depends} to libpng12-0 and libpng12-0-udeb dependency lists. * Added debian/watch file. libpng (1.2.8rel-6) unstable; urgency=low * Orphaning package. libpng (1.2.8rel-5.2) unstable; urgency=low * Non-maintainer upload. * Backport changes from 1.2.12 to fix a buffer overflow in png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334] (Closes: #377298) libpng (1.2.8rel-5.1) unstable; urgency=low * Non Maintainer Upload (closes: #356252). * Add support for udeb dependency resolution in shlibs file. * Update debhelper compatibility to level 5. libpng (1.2.8rel-5) unstable; urgency=low * drop_pass_width.patch: don't export png_pass_width, it's absolutely unnecessary. * libpng12-0.shlibs: downgrade the shlibs accordingly (closes: #331383). libpng (1.2.8rel-4) unstable; urgency=low * makefile.patch: + Use PNG_PRIVATE to get the list of private symbols as well. It sucks, but they've been there for too long (closes: #329886). + Use mawk instead of awk (closes: #329812). * control: build-depend on mawk. * rules: + Use -O2, not -O3. + Actually run the tests. + Make use of x86_patches/ on x86 architectures. * x86_patches/mmxbuild.patch: build MMX routines in pnggccrd.c. * x86_patches/pnggccrd-PIC.patch: patch from Christian Aichinger to make the assembly routines PIC-compatible. * libpng12-0.shlibs: bump the shlibs version. libpng (1.2.8rel-3) unstable; urgency=low * Upload to unstable. * Rename the source package to libpng. libpng3 (1.2.8rel-2) experimental; urgency=low * makefile.patch: + now patch makefile.elf, so that only public symbols are truly exported. + shorten the differences as much as possible. * rules: use makefile.elf now. * Move libpng3 to oldlibs. * Entirely remove libpng3-dev, making libpng12-dev provide it (closes: #322051). * poynton.patch: correct Charles Poynton's address (closes: #289437). * Don't run the test when cross-building (closes: #285427). * setjmp_error.patch: don't stop when we are not using _BSD_SOURCE, as in this case this is harmless (closes: #299343). * libpng3.postinst: removed, the fix is in sarge. * Standards-version is 3.6.2. * legacy_symbols.patch: still export png_read_destroy and png_write_destroy, which are deprecated but should nevertheless be accessible. libpng3 (1.2.8rel-1) unstable; urgency=medium * New upstream release. * read_transformations.patch: removed, included upstream. * libpng12-0.shlibs: Update to version 1.2.8rel, new flags seem to have been added. libpng3 (1.2.8beta5-2) unstable; urgency=medium * read_transformations.patch: fix segmentation fault with latex (closes: #281789) and totem (closes: #278618). libpng3 (1.2.8beta5-1) unstable; urgency=medium * New upstream release. + Correct segmentation violation in png_combine_row. Closes: #278526, #278917, #278921, #279258, #281789, #282368. libpng3 (1.2.7-1) unstable; urgency=medium * New upstream release (closes: #278308). * libpng12-0.shlibs: update shlibs to version 1.2.7. * Remove all security fixed, they are included upstream. libpng3 (1.2.5.0-9) unstable; urgency=high * CAN-2004-0954.patch: removed, this is already fixed in CAN-2004-0597_0598_0599.patch. libpng3 (1.2.5.0-8) unstable; urgency=high * Switch to CDBS. + Ship modifications and security fixes in debian/patches. + debian/rules: rewritten. + debian/control: build-depend on cdbs. + debian/libpng12-0.shlibs: new. * setjmp_error.patch: port explanation of the error when including setjmp.h from libpng10, thanks Matijs van Zuijlen <Matijs.van.Zuijlen@xs4all.nl> (closes: #273473). * CAN-2004-0954.patch: fix buffer overflow vulnerability in png_handle_tRNS(). * CAN-2004-0955.patch: fix integer arithmetic overflow vulnerability in png_read_png(). libpng3 (1.2.5.0-7) unstable; urgency=high * pngrtran.c: applied upstream patch 4 to fix incorrect calculation of buffer offsets [CAN-2004-0768]. * png.h, pngpread.c, pngrutil.c: patch from Chris Evans <chris@scary.beasts.org> to fix several vulnerabilities (closes: #263500): + libpng fails to properly check length on PNG data [CAN-2004-0597]. + libpng "png_handle_sBIT" does not perform proper checks to avoid stack buffer overflow [CAN-2004-0597]. + libpng "png_handle_iCCP" possible NULL-pointer crash [CAN-2004-0598]. + libpng "png_handle_sPLT" possible integer overflow [CAN-2004-0599]. + libpng "png_read_png" does not properly handle a PNG with excessive height (integer overflow) [CAN-2004-0599]. + libpng progressive reading integer overflow [CAN-2004-0599]. libpng3 (1.2.5.0-6) unstable; urgency=high * pngerror.c: applied patch by Steve Grubb <linux_4ever@yahoo.com> to fix unintended memory access that could result in a crash of the application linking against libpng [CAN-2004-0421]. libpng3 (1.2.5.0-5) unstable; urgency=low * Use debhelper 4.2, which generates the udeb appropriately. * Update control and rules appropriately. * Don't use ${shlibs:Depends} for the udeb, rather write the dependencies by hand. * Standards-version is 3.6.1. libpng3 (1.2.5.0-4) unstable; urgency=low * scripts/makefile.linux: use versioned dependencies (closes: #155891). * debian/rules: bump dependency for dh_makeshlibs. * add the libpng.a link in libpng12-dev. * Rework scripts/makefile.linux to make it more consistent. * Update stuff in debian/ accordingly. * Updated README.Debian. libpng3 (1.2.5.0-3) unstable; urgency=low * Make libpng3{,-dev} depend on libpng12-{0,dev} >= 1.2.5.0-2 instead of the strict source version. * Move /usr/share/doc/libpng3{,-dev} into symlinks at postinst time when directories already exist. * debian/rules: install correctly doc-base stuff. * debian/libpng12-dev.doc-base: updated URIs. libpng3 (1.2.5.0-2) unstable; urgency=low * scripts/{makefile.linux,libpng-config-body.in}: correct the libpng12-config script. * Install correctly pkg-config stuff (closes: #191081). * Make libpng12-dev conflict explicitly with libpng12-0-dev. * Update README.Debian. libpng3 (1.2.5.0-1) unstable; urgency=low * New maintainer. * Use real upstream tarball from 1.2.5 release. * Use dpkg-source's way instead of dpatch for patching. * A bit of rework in debian/rules, use dh_install and debhelper 4. * Standards-version is 3.5.9. * The -dev package is now named libpng12-dev (stop using the libpkg-guide way). * libpng3 is now arch-independent. * Improved descriptions a bit. * Don't supply libpngpf.3, it is not useful to programmers. libpng3 (1.2.5-11) unstable; urgency=low * Add udeb (closes: #174842) * Add missing section on source files. libpng3 (1.2.5-10) unstable; urgency=low * Rebuild with d-shlibs with fixed "libgcc_s1-dev" handling (for gcc-3.2). (closes: #178070), build-depend on d-shlibs 0.10 or greater. libpng3 (1.2.5-9) unstable; urgency=low * Use dpatch for patch system -- divide Debian patch, and security fix patch. * Standards-Version: 3.5.8 * add manual page libpng-config.1 and libpng12-config.1 libpng3 (1.2.5-8) unstable; urgency=low * Sorry folks, I made a mistake. * Forward-port of patch from the Security Team, really apply what was there. (closes: #172868,#172871) libpng3 (1.2.5-7) unstable; urgency=high * Forward-port of patch from the Security Team * Applied patch to pngrtran.c by Glenn Randers-Pehrson <glennrp@comcast.net> to fix a buffer overrun. libpng3 (1.2.5-6) unstable; urgency=low * Typo in scripts/makefile.linux. Mistake. -lz and -lm weren't happening. * Change LDFLAGS to not list -lz -lm, so that testsuite will catch such error. * set prefix=/usr/ in scripts/makefile.linux, since it was set to usr/local. libpng3 (1.2.5-5) unstable; urgency=low * scripts/makefile.linux: LIBADDFLAGS introduced, for shared library lib additional flags, and use that for shared library. - this should fix build failure (closes: #166704) Thanks Daniel Schepler <schepler@math.berkeley.edu> for reporting. * updated copyright file to note that libpng3 in Debian is patched to link with -lz -lm. libpng3 (1.2.5-4) unstable; urgency=low * Trying to fix the problem that libpng3 seems to be not linked against libz. LDFLAGS was defined but not being used. Thanks Mike Furr <mfurr@debian.org> for reporting (closes: #166489) libpng3 (1.2.5-3) unstable; urgency=low * Fixed description, I mixed up the -devel and non-devel packages. * updated README.Debian. libpng3 (1.2.5-2) unstable; urgency=low * careless mistake :( * reinstall libpng.so symlink in libpng-12-0-dev package. Otherwise other packages won't build ... libpng3 (1.2.5-1) unstable; urgency=low * New upstream version (closes: #163425) * re-patched makefile.linux to work with system zlib, added workaround to set CFLAGS, and remove rpath settings from LDFLAGS * Use debhelper. * No longer create /usr/doc symlinks. * Standards-Version: 3.5.7 libpng3 (1.2.1-5) unstable; urgency=low * Not yet released. * Change priority from standard to optional. libpng3 (1.2.1-4) unstable; urgency=low * change -dev dependency of libc6-dev to libc-dev libpng3 (1.2.1-3) unstable; urgency=low * Security fix backported from 1.2.4. Check bounds of variables. (closes: #155403) libpng3 (1.2.1-2) unstable; urgency=low * New maintainer (closes: #151343) * apply buffer overflow patch for interlaced png files (closes: #150595) * update description for libpng3-dev. * change libpng-dev to libpng3-dev libpng3 (1.2.1-1.1) unstable; urgency=low * NMU * Provides: libpng2-dev has been changed to Provides: libpng3-dev libpng2-dev can be put back in when some kind of sane transition has finished. (closes: #128384, #128871, #129268, #129269) libpng3 (1.2.1-1) unstable; urgency=low * New upstream version; closes: #125679. * New source package name: libpng3. * Renamed libpng<x>-dev to libpng-dev to avoid having to maintain several development packages (the -dev is source compatible). * Moved png.5 into the -dev package. * Added a Replaces: libpng2 to libpng-dev so that we can steal the png.5 manpage without fuss. * Changed debian/shlibs for libpng3. * Compress examples/pngtest.c. libpng (1.0.12-3) unstable; urgency=low * Moved the png.5 manpage to the dev package to allow multiple libpng<n> packages installed at the same time. libpng (1.0.12-2) unstable; urgency=low * Changed libpng2-dev's section to devel to resync with override file. * Fixed upstream version detection in debian/rules; closes: #105931. libpng (1.0.12-1) unstable; urgency=low * New upstream release; closes: #105354. * Bumped dependency information in debian/shlibs to libpng >= 1.0.12 since there were some non-backwards compatible changes to the API. * Added support for DEB_BUILD_OPTIONS and get-orig-source to debian/rules. * Added call to ldconfig on postrm's remove. * Removed INSTALL file from /usr/share/doc/libpng2. * Bumped standards version to 3.5.5.0. libpng (1.0.11-1) unstable; urgency=low * New upstream release. libpng (1.0.10-2) unstable; urgency=low * Force recompile because of bad sparc package. * Libpng2's priority changed to standard to comply with the override file. libpng (1.0.10-1) unstable; urgency=low * New upstream release. * Changed shlib to depend on libpng2 (>= 2.0.10) because of non-backwards compatible changes. libpng (1.0.8-1) unstable; urgency=low * Changed the doc-base type from 'test' to 'text'; closes: #59877. * New upstream relase 1.0.8; closes: #70464. * Updated copyright notice. * Removed Y2kINFO from the doc directory. * Added pngtest.c in examples; closes: #65229. * Updated to standards version 3.2.1.0. * Added build-depends line in control file; closes: #69291. libpng (1.0.5-1) frozen unstable; urgency=low * Maintainer upload (closes: #48244, #48246). * Added some extra explanations for the setjmp.h mess (closes: #56759), see pngconf.h for details. libpng (1.0.5-0.1) unstable; urgency=low * Non-maintainer release. * New upstream release. (closes:Bug#48244). * Remove versioned depend from shlibs (closes:Bug#48246). libpng (1.0.3-1) unstable; urgency=low * New upstream version (1.0.3); Closes: #31870, #46333. * Maintainer upload, closes NMU bugs; Closes: #28412, #31523, #31690. * FHS compliant. * New standard-version 3.0.1. * Lintian clean. * Removed temporary zlib1g line in control file (used to be a bug in zlib1g). * Moved the documentation file to the -dev package. * Register documentation file to doc-base. * Fontified man pages with addformat script; Closes #38680. libpng (1.0.2b-0.1) frozen unstable; urgency=low * New upstream (bug-fix only) version. (Should fix bugs #31690滼, since I can't reproduce them) From the author: "I have recently uploaded libpng-1.0.2b to ftp://swrinde.nde.swri.edu/pub/png-group/src I plan to release it as libpng-1.0.3 in a few days, but would like to hear whether it fixes the problems with GNOME. It restores a few lines of code that were inadvertently deleted from pngread.c, which seems to be the cause of problems with adding an alpha channel (which you fixed by downgrading to libpng-1.0.1's pngread.c)." [Glenn Randers-Pehrson <glennrp@netgsi.com>] * Masquerade version number to 1.0.3 to make Imlib & Co. happy. libpng (1.0.2-1.1) frozen unstable; urgency=low * Fix Important bug #28412 (using pngread.c from libpng-1.0.1 did the trick). libpng (1.0.2-1) unstable; urgency=low * Maintainer release (to change a bit). * Pristine sources. * Libpng2-dev includes example.c (fixes bug #10315). * Changed control file to reflect difference with libpng0g (fixes #23795). * Recompiled (should fix the zlib1g missing symbol, bug #24450). * Added -D_REENTRANT also to static library. * Added a dependency upon zlib1g >= 1.1.2 (otherwise we get a missing symbol) (fixes bug #24450). libpng (1.0.2-0.1) unstable; urgency=low * Non-maintainer release * New upstream version libpng (1.0.1-0.2) unstable; urgency=medium * debian/rules (binary-arch): don't call install with -s as an argument when installing a shared library; it doesn't know to use --strip-unneeded, and we call strip separately later anyway. * scripts/makefile.lnx (CFLAGS): killed i386-isms. * scripts/makefile.lnx: compiled shared libraries with -D_REENTRANT. (The above fixes are from James Troup, who yet again, alerted me to my screwups ;) * debian/postinst: only call ldconfig if $1 = configure. libpng (1.0.1-0.1) unstable; urgency=low * New upstream bug fix release. * Include man pages. libpng (1.0.0-0.1) unstable; urgency=low * Non-maintainer Release. * New Upstream Release. * Changed source package name to `libpng'. * Added `-f makefile.lnx' to make invocations in debian/rules. * Removed `ldconfig' call from postrm. libpng0 (0.96-5) unstable; urgency=low * Removed executable permissions on shared libs (fixes bug #15478). * Updated Standards-Version to 2.3.0.1. libpng0 (0.96-4) unstable; urgency=low * Shared libraries are stripped with --strip-unneeded and static libraries with --strip-debug (fixes bug #15669). * Made the build strip non-i386 specific (patch by James Troup) (fixes bug #13832). * Removed the dependency between the libc5 and libc6 versions. libpng0 (0.96-3) unstable; urgency=low * Libc6 compilation. libpng0 (0.96-2) unstable; urgency=low * Fixed permissions in /usr/doc/libpng0 (fixes bug #10540). libpng0 (0.96-1) unstable; urgency=low * New upstream sources. libpng0 (0.95b-1) unstable; urgency=low * New maintainer. * Upgraded to upstream version 0.95b. * Make debian/rules version independent. * Debian/rules clean now removes substvars. * Bumped the shlibs version to 0.95 as some incompatibilities were introduced between 0.89 and 0.90. * Added the Section: and Priority: fields to the control file (fixes bug #6370). * Now /usr/doc/libpng0 contains various info and the debian change log stuff (fixes bug #7925). * Added -D_REENTRANT compilation flag. libpng (0.89c-6) unstable; urgency=low * Moved shlibs file to correct location libpng (0.89c-5) unstable; urgency=low * Added shlibs file libpng (0.89c-4) unstable; urgency=low * Now stripping shared libraries (Bug#5134) libpng (0.89c-3) unstable; urgency=low * Corrected maintainers address libpng (0.89c-2) unstable; urgency=low * Accommodate the fact that dpkg-source doesn't properly preserve permissions on scripts when extracting package. (Bug#4513) libpng (0.89c-1) unstable; urgency=low * New upstream version. * Moved to new source packaging format.
See e.g. https://buildd.debian.org/status/fetch.php?pkg=libpng1.6&arch=arm64&ver=1.6.36-1&stamp=1545917181&raw=0
The text was updated successfully, but these errors were encountered: