Faulty image optimization with Pngquant 2.12.5 #97

Closed
TheBnl opened this issue Oct 11, 2019 · 15 comments

Comments

@TheBnl

TheBnl commented Oct 11, 2019

I'm having some issues with the recent Pngquant version 2.12.5.
Previously we've used version 2.7.2 without any issues.

Original Image:
[image: Schermafbeelding 2019-09-17 om 14 18 37]

After optimization with Pngquant:
[image: Schermafbeelding-2019-09-17-om-14 18 37]

As you can see this results in a bitmap like image.

For now I've bypassed the issue by removing Pngquant.
Optipng works well, as it always did.

@langeuh

langeuh commented Oct 15, 2019

I confirm and have the same issue.
An automatic upgrade from pngquant-2.7.2-1.el7.x86_64 @epel --> Update 2.12.5-1.el7.x86_64 @epel causes the above issue.
I've downgraded the pngquant version and it works again.

Images result in a sort of 2-colored GIF version.

@freekmurze
Member

If I understand correctly, this is a bug in pngquant, right? Or is there anything we can do in our package to fix the problem?

@langeuh

langeuh commented Oct 16, 2019

Pngquant hasn't updated recently, and no bugs have been reported. It's just that servers recently auto-update to the latest version (because 2.5 is from 2015).
https://github.com/kornelski/pngquant/blob/master/CHANGELOG

for me it was crucial to rollback (or get rid of the pngquant in the optimizerChainFactory) since images got optimised automatically in an incorrect way.

@freekmurze
Member

I’ll close this as the fault lies not within this package.

@TheBnl
Author

TheBnl commented Oct 16, 2019

Well, I think this package should either be made compatible with the current version of Pngquant or it should not promote its use, as everyone installing this module on a new server will end up with this issue. Maybe there is a problem with the default settings for Pngquant set by this module, and changing those would provide a solution?

Simply closing this issue would mean to ship a broken system.

The easiest solution would be to add a sentence to the readme about the version of Pngquant to use. "This package only supports Pngquant 2.5 and lower"

@freekmurze
Member

Added that sentence to the readme.

@joejordanbrown

joejordanbrown commented Oct 20, 2019

@TheBnl
@langeuh
@freekmurze

I just came across this issue when using this package, I think it's the wrong advice to recommend an old package 2.5 and lower due to security reasons.

For example, CVE-2016-5735 affects older versions, the commit Fix integer overflow in rwpng.h (CVE-2016-5735) is here kornelski/pngquant@b7c2176 which is first tagged in version 2.7.2.

Full history regarding the file with the vulnerability can be found here https://github.com/kornelski/pngquant/commits/master/rwpng.c, you can see this vulnerability goes back to all prior versions.

It's patched in 2.12.5 2.12.3 2.12.2 2.12.1 2.12.0 2.11.7 2.11.6 2.11.4 2.11.3 2.11.2 2.11.1 2.11.0 2.10.2 2.10.1 2.10.0 2.9.1 2.9.0 2.8.2 2.8.1 2.8.0 2.7.2.

I'm going to look into what's changed and see if we can get this package working with the latest version of pngquant or at least advise using a version ^2.7.2 that works in the readme.

@joejordanbrown

joejordanbrown commented Oct 20, 2019

Update

There's 100% an issue with the distributed v2.12.5 of pngquant. The problem doesn't affect all png files this may be why it's not been widely reported.

I've created an automated test using docker which compiles all different versions of pngquant from source, and it works perfectly, even with v2.12.5 on the images that are affected by the precompiled v2.12.5.

This makes me think it's a 3rd party lib that it requires during build or an issue with the build process of the distributed package.

I will also create an issue on the pngquant repo, and I'll update you once I know more.

@freekmurze freekmurze reopened this Oct 20, 2019
@freekmurze
Member

Thank you for your work on this.

@joejordanbrown

We were able to replicate the issue and trace it back to being compiled with gcc version 4.8.5. It only affects the CentOS 7 package pngquant-2.12.5-1.el7.x86_64.rpm, from what I can tell.

I've submitted a bug report to RedHat for them to update the package, you can see that here https://bugzilla.redhat.com/show_bug.cgi?id=1765388.

I've also published our tests and builds here https://github.com/joejordanbrown/pngquant-epel-package-issue.

@cron13

cron13 commented Oct 28, 2019

you can add --quality=65-80 option and pngquant will work fine

@langeuh

langeuh commented Nov 19, 2019

you can add --quality=65-80 option and pngquant will work fine

I confirm that this resolves the issue

@langeuh langeuh mentioned this issue Nov 19, 2019
@freekmurze
Member

Thanks for your work on this. We'll continue this conversation in #99

@joejordanbrown

@cron13
@langeuh
@freekmurze

This is not a fix, see my comments on #99.

I'm still waiting for the new fixed release to hit the CentOS EPEL repo. I've provided the pull request to fix the issue. Hopefully, it will be published soon.

If you really require the fix now, you can use our RPMs here https://github.com/joejordanbrown/mock-rpm-pngquant/tree/master/result.

yum install https://raw.githubusercontent.com/joejordanbrown/mock-rpm-pngquant/master/result/pngquant-2.12.5-1.el7.x86_64.rpm

The RPM spec file can be found here https://github.com/joejordanbrown/mock-rpm-pngquant/blob/master/data/pngquant.spec which you can use to build PngQuant yourself for sanity.
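Whichever pngquant build ends up on a server (the EPEL RPM, the rebuilt one above, or a source build), the failure mode in this thread is silent: pngquant exits 0 and writes a structurally valid PNG whose palette has collapsed to a couple of colours. The following is an added example, not code from the spatie package or from the test repositories linked above: it parses the IHDR and PLTE chunks of the original and the optimized file and flags output whose colour budget shrank far below the input's, and wraps the `--quality=65-80` invocation so that pngquant's documented non-zero exit codes (99 when the quality floor cannot be met, 98 with `--skip-if-larger`) are surfaced instead of ignored. The sample images are constructed inline; the wrapper assumes a `pngquant` binary on `PATH` and simply returns `None` when there is none.

```python
"""Sanity-check optimizer output by inspecting PNG structure (IHDR/PLTE)
instead of trusting the tool's exit status.  Constructed sample images stand
in for a real original and for the collapsed output described in this thread."""
import shutil
import struct
import subprocess
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind, body):
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def build_png(width, height, color_type, bit_depth, rows, palette=None):
    """Build a minimal valid PNG from raw scanlines (filter byte 0 per row)."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    chunks = [_chunk(b"IHDR", ihdr)]
    if palette is not None:
        chunks.append(_chunk(b"PLTE", b"".join(bytes(rgb) for rgb in palette)))
    chunks.append(_chunk(b"IDAT", zlib.compress(b"".join(b"\x00" + r for r in rows))))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def inspect_png(data):
    """Return width, height, bit_depth, color_type and palette_size (None without PLTE)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    info = {"palette_size": None}
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % kind)
        if kind == b"IHDR":
            w, h, bd, ct, _, _, _ = struct.unpack(">IIBBBBB", body)
            info.update(width=w, height=h, bit_depth=bd, color_type=ct)
        elif kind == b"PLTE":
            info["palette_size"] = len(body) // 3
        elif kind == b"IEND":
            break
        pos += 12 + length
    return info


def color_budget(info):
    """Upper bound on the number of distinct colours the image can encode."""
    ct, bd = info["color_type"], info["bit_depth"]
    if ct == 3:                      # indexed: limited by the palette
        return info["palette_size"] or 0
    if ct in (0, 4):                 # greyscale (+alpha)
        return 2 ** bd
    return 2 ** (3 * bd)             # truecolor (+alpha)


def looks_degraded(original, optimized, min_palette=16):
    """True when the output changed size or can hold fewer than min_palette
    colours although the input could hold at least that many."""
    src, dst = inspect_png(original), inspect_png(optimized)
    if (src["width"], src["height"]) != (dst["width"], dst["height"]):
        return True
    return color_budget(dst) < min_palette <= color_budget(src)


def run_pngquant(src_path, dst_path, quality="65-80"):
    """Run pngquant with the --quality range from this thread and map its exit
    status (0 ok, 98 output not smaller, 99 quality floor unreachable) to a label.
    Assumes a pngquant binary on PATH; returns None when there is none."""
    if shutil.which("pngquant") is None:
        return None
    cmd = ["pngquant", "--force", "--skip-if-larger", "--quality", quality,
           "--output", dst_path, "--", src_path]
    rc = subprocess.run(cmd, capture_output=True).returncode
    return {0: "ok", 98: "skipped-larger", 99: "quality-unmet"}.get(rc, "error:%d" % rc)


# Constructed samples: a 4x4 truecolor gradient, a faithful 16-colour palette
# version, and the "bitmap-like" 2-colour 1-bit output reported in the thread.
ORIGINAL = build_png(4, 4, 2, 8,
                     [bytes(v for x in range(4) for v in (x * 60, y * 60, 128)) for y in range(4)])
GOOD = build_png(4, 4, 3, 8, [bytes(range(4 * y, 4 * y + 4)) for y in range(4)],
                 palette=[(x * 60, y * 60, 128) for y in range(4) for x in range(4)])
BAD = build_png(4, 4, 3, 1, [b"\xa0"] * 4, palette=[(0, 0, 0), (255, 255, 255)])

if __name__ == "__main__":
    print("16-colour output degraded?", looks_degraded(ORIGINAL, GOOD))
    print("2-colour output degraded?", looks_degraded(ORIGINAL, BAD))
```

In a build pipeline, run `run_pngquant` and then `looks_degraded` on the two files: a `quality-unmet` result means pngquant refused to write output rather than silently posterising it, and a `True` from the structural check catches the case this thread describes, where the tool reports success but the palette has collapsed.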

@ybc37
Contributor

ybc37 commented Aug 25, 2020

Sorry to comment on this closed issue, but I think there's a mismatch between the docs and the actual situation. AFAIU, at the end it wasn't related to the pngquant version. But the readme still states:

This package only supports Pngquant 2.5 and lower.

Even worse, also projects relying on this one, spread this information, see https://github.com/TypistTech/image-optimize-command#optimization-tools

Am I right that the issue was only with packaging on CentOS/RH? If so, the warning should be removed again. I'm happy to make a pull request (also for TypistTech/image-optimize-command) 😄
