libpng: upgrade 1.6.50 -> 1.6.51

Message ID 20251127180259.3347636-1-peter.marko@siemens.com
State Accepted, archived
Commit df0121211dca11df8a495d23ff5ac6d3d820a0a6
Series libpng: upgrade 1.6.50 -> 1.6.51

Commit Message

Peter Marko Nov. 27, 2025, 6:02 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Handles CVE-2025-64505, CVE-2025-64506, CVE-2025-64720 and CVE-2025-65018

Release notes [1]:
Version 1.6.51 [November 21, 2025]
  Fixed CVE-2025-64505 (moderate severity):
    Heap buffer overflow in `png_do_quantize` via malformed palette index.
    (Reported by Samsung; analyzed by Fabio Gritti.)
  Fixed CVE-2025-64506 (moderate severity):
    Heap buffer over-read in `png_write_image_8bit` with 8-bit input and
    `convert_to_8bit` enabled.
    (Reported by Samsung and <weijinjinnihao@users.noreply.github.com>;
    analyzed by Fabio Gritti.)
  Fixed CVE-2025-64720 (high severity):
    Buffer overflow in `png_image_read_composite` via incorrect palette
    premultiplication.
    (Reported by Samsung; analyzed by John Bowler.)
  Fixed CVE-2025-65018 (high severity):
    Heap buffer overflow in `png_combine_row` triggered via
    `png_image_finish_read`.
    (Reported by <yosiimich@users.noreply.github.com>.)
  Fixed a memory leak in `png_set_quantize`.
    (Reported by Samsung; analyzed by Fabio Gritti.)
  Removed the experimental and incomplete ERROR_NUMBERS code.
    (Contributed by Tobias Stoeckmann.)
  Improved the RISC-V vector extension support; required RVV 1.0 or newer.
    (Contributed by Filip Wasil.)
  Added GitHub Actions workflows for automated testing.
  Performed various refactorings and cleanups.

[1] https://github.com/pnggroup/libpng/blob/v1.6.51/CHANGES#L6281C1-L6305C47

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../libpng/{libpng_1.6.50.bb => libpng_1.6.51.bb}           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-multimedia/libpng/{libpng_1.6.50.bb => libpng_1.6.51.bb} (89%)

Comments

Ross Burton Dec. 4, 2025, 5:05 p.m. UTC | #1
Hi Peter,

The URLs all change, can you explain what happened?

Cheers,
Ross

> On 27 Nov 2025, at 18:02, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.50.bb b/meta/recipes-multimedia/libpng/libpng_1.6.51.bb
> similarity index 89%
> rename from meta/recipes-multimedia/libpng/libpng_1.6.50.bb
> rename to meta/recipes-multimedia/libpng/libpng_1.6.51.bb
> index aa2dc99f10..8cfb914917 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.50.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.51.bb
> @@ -10,13 +10,13 @@ DEPENDS = "zlib"
> 
> LIBV = "16"
> 
> -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
> +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
>            file://run-ptest \
> "
> 
> -SRC_URI[sha256sum] = "4df396518620a7aa3651443e87d1b2862e4e88cad135a8b93423e01706232307"
> +SRC_URI[sha256sum] = "a050a892d3b4a7bb010c3a95c7301e49656d72a64f1fc709a90b8aded192bed2"
> 
> -MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
> +MIRRORS += "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
> 
> UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html"
> 
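Review bot: the SRC_URI hunk inserts a `/${PV}/` path component and demotes the old base URL to a MIRRORS entry, but the commit message does not say why the previous layout stopped resolving for this release; add one line to the commit message stating that the old path no longer serves the 1.6.51 tarball, which is the question this reply is asking and which a future upgrader will ask again.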
Peter Marko Dec. 4, 2025, 10:54 p.m. UTC | #2
Hmmm... Did I forget to put it in the commit message? Well, OK.
Basically, the original URL was not valid for the new release, so I put it in the mirrors and added a new working one.
I'll check the download URLs again and send a v2 with an updated commit message and/or URL changes.

Peter

> -----Original Message-----
> From: Ross Burton <Ross.Burton@arm.com>
> Sent: Thursday, December 4, 2025 18:06
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] libpng: upgrade 1.6.50 -> 1.6.51
> 
> Hi Peter,
> 
> The URLs all change, can you explain what happened?
> 
> Cheers,
> Ross
> 
Patch

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.50.bb b/meta/recipes-multimedia/libpng/libpng_1.6.51.bb
similarity index 89%
rename from meta/recipes-multimedia/libpng/libpng_1.6.50.bb
rename to meta/recipes-multimedia/libpng/libpng_1.6.51.bb
index aa2dc99f10..8cfb914917 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.50.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.51.bb
@@ -10,13 +10,13 @@  DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
            file://run-ptest \
 "
 
-SRC_URI[sha256sum] = "4df396518620a7aa3651443e87d1b2862e4e88cad135a8b93423e01706232307"
+SRC_URI[sha256sum] = "a050a892d3b4a7bb010c3a95c7301e49656d72a64f1fc709a90b8aded192bed2"
 
-MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
+MIRRORS += "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
 
 UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html"
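Review bot: the new MIRRORS line carries three URLs, but MIRRORS is parsed as whitespace-separated (source pattern, replacement) pairs, so this odd-length append leaves `${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/` unpaired and shifts the pairing of anything appended to MIRRORS after this recipe. Write it as explicit pairs instead, for example `${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/` as one pair and `${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/` as a second, or drop whichever entry is not meant as a fallback. Note also that the old MIRRORS source pattern (`.../project/...`) never matched the old SRC_URI (no `/project/`), so the previous fallback was already dead; worth checking the new pairs against the new SRC_URI once before v2.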