
[whinlatter,17/22] libpng: upgrade 1.6.53 -> 1.6.54

Message ID f05ec33d17952009ad6ac272d3aa2183074f1312.1769845858.git.yoann.congal@smile.fr
State New
Series [whinlatter,01/22] oeqa/gitarchive: Fix git push URL parameter

Commit Message

Yoann Congal Jan. 31, 2026, 7:56 a.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Handles CVE-2026-22695 and CVE-2026-22801.

License-Update: copyright years refreshed

Changelog:
Version 1.6.54 [January 12, 2026]
  Fixed CVE-2026-22695 (medium severity):
    Heap buffer over-read in `png_image_read_direct_scaled`.
    (Reported and fixed by Petr Simecek.)
  Fixed CVE-2026-22801 (medium severity):
    Integer truncation causing heap buffer over-read in `png_image_write_*`.
  Implemented various improvements in oss-fuzz.
    (Contributed by Philippe Antoine.)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9c18cb1d4dd0edf2e9c638c3c576cb803e1ff4c6)
[YC: Added changelog]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb}             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb} (94%)

Comments

Yoann Congal Jan. 31, 2026, 8:25 a.m. UTC | #1
Le sam. 31 janv. 2026 à 08:57, Yoann Congal <yoann.congal@smile.fr> a
écrit :

> From: Peter Marko <peter.marko@siemens.com>
>
> Handles CVE-2026-22695 and CVE-2026-22801.
>
> License-Update: copyright years refreshed
>
> Changelog:
> Version 1.6.54 [January 12, 2026]
>   Fixed CVE-2026-22695 (medium severity):
>     Heap buffer over-read in `png_image_read_direct_scaled`.
>     (Reported and fixed by Petr Simecek.)
>   Fixed CVE-2026-22801 (medium severity):
>     Integer truncation causing heap buffer over-read in
> `png_image_write_*`.
>   Implemented various improvements in oss-fuzz.
>     (Contributed by Philippe Antoine.)
>

Hello,

I'm on the fence with this one:
The changelog line "Implemented various improvements in oss-fuzz" sounds
incompatible with the stable policy, but it changes code in the contrib/
directory that we don't use/compile.

> Files in this directory are used by the oss-fuzz project
> (https://github.com/google/oss-fuzz/tree/master/projects/libpng).
> for "fuzzing" libpng.
>

We already upgraded libpng for whinlatter with a similar change "Added
allocation failure fuzzing to oss-fuzz." in the -> 1.6.52 upgrade.

I'm leaning towards taking it (hence why it is included in testing and in
this series) but I wonder what you think.

> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 9c18cb1d4dd0edf2e9c638c3c576cb803e1ff4c6)
> [YC: Added changelog]
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
>  .../libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb}             | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>  rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb =>
> libpng_1.6.54.bb} (94%)
>
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
> b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
> similarity index 94%
> rename from meta/recipes-multimedia/libpng/libpng_1.6.53.bb
> rename to meta/recipes-multimedia/libpng/libpng_1.6.54.bb
> index 956cd243b19..3f2b80a060f 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
> @@ -5,7 +5,7 @@ library for use in applications that read, create, and
> manipulate PNG \
>  HOMEPAGE = "http://www.libpng.org/"
>  SECTION = "libs"
>  LICENSE = "Libpng"
> -LIC_FILES_CHKSUM = "file://LICENSE;md5=5516d77a3cf75f55a0d37254e3e65a20"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2"
>  DEPENDS = "zlib"
>
>  LIBV = "16"
> @@ -14,7 +14,7 @@ SRC_URI =
> "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
>             file://run-ptest \
>  "
>
> -SRC_URI[sha256sum] =
> "1d3fb8ccc2932d04aa3663e22ef5ef490244370f4e568d7850165068778d98d4"
> +SRC_URI[sha256sum] =
> "01c9d8a303c941ec2c511c14312a3b1d36cedb41e2f5168ccdaa85d53b887805"
>
>  MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/
> ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
>
>
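The check behind the question in this reply, whether the non-CVE changes in 1.6.54 stay inside contrib/, together with the two checksum bumps in the recipe, as an added example (not code from the OE-Core patch or from the libpng project). It assumes coreutils; the recipe, the tarball and the two source trees it compares are constructed in make_fixture and stand in for the real 1.6.53 and 1.6.54 archives.

```shell
#!/bin/sh
# Added example, not part of the OE-Core patch: the checks a reviewer runs on a
# point-release bump like libpng 1.6.53 -> 1.6.54 before accepting the new
# LIC_FILES_CHKSUM and SRC_URI[sha256sum] values and the "improvements in
# oss-fuzz" line in the changelog.
#   1. Does the tarball really have the sha256 pinned in the recipe?
#   2. Does LICENSE match the md5 in LIC_FILES_CHKSUM, and what changed in it?
#   3. Which files changed between the two trees, and how many are outside
#      contrib/, i.e. in code the recipe compiles?
# Needs coreutils (sha256sum, md5sum, cmp, find, tar). The recipe and the two
# source trees created by make_fixture are constructed stand-ins, not libpng.

# --- recipe parsing -------------------------------------------------------
recipe_sha256()   { sed -n 's/^SRC_URI\[sha256sum\] = "\([0-9a-f]*\)".*/\1/p' "$1"; }
recipe_lic_file() { sed -n 's/^LIC_FILES_CHKSUM = "file:\/\/\([^;]*\);md5=\([0-9a-f]*\)".*/\1/p' "$1"; }
recipe_lic_md5()  { sed -n 's/^LIC_FILES_CHKSUM = "file:\/\/\([^;]*\);md5=\([0-9a-f]*\)".*/\2/p' "$1"; }

# --- checks: print "ok" or "MISMATCH" so callers can branch on the word ----
check_tarball() {   # <tarball> <recipe.bb>
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$(recipe_sha256 "$2")" ] && echo ok || echo MISMATCH
}
check_license() {   # <unpacked source dir> <recipe.bb>
    actual=$(md5sum "$1/$(recipe_lic_file "$2")" | cut -d' ' -f1)
    [ "$actual" = "$(recipe_lic_md5 "$2")" ] && echo ok || echo MISMATCH
}
# Relative paths of files that were added, removed or modified between two
# unpacked trees, one per line.
changed_files() {   # <old dir> <new dir>
    { (cd "$1" && find . -type f); (cd "$2" && find . -type f); } | sort -u |
    while read -r f; do
        if [ ! -f "$1/$f" ] || [ ! -f "$2/$f" ] || ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}
# Count of changed files outside contrib/; this is the number the "stable
# policy" question is really about.
changed_outside_contrib() {   # <old dir> <new dir>
    changed_files "$1" "$2" | grep -v '^contrib/' | wc -l | tr -d ' '
}

# --- constructed fixture standing in for the 1.6.53 and 1.6.54 trees ------
make_fixture() {   # prints the work dir; the caller removes it
    w=$(mktemp -d)
    for v in old new; do
        mkdir -p "$w/$v/contrib/oss-fuzz"
        printf 'int png_stub(void) { return 0; }\n' > "$w/$v/pngwrite.c"
        printf 'int fuzz(void) { return 1; }\n' > "$w/$v/contrib/oss-fuzz/read_fuzzer.cc"
    done
    printf 'Copyright (c) 2025 constructed\n'      > "$w/old/LICENSE"
    printf 'Copyright (c) 2025-2026 constructed\n' > "$w/new/LICENSE"
    # "new" release: one change in compiled code (stand-in for a CVE fix),
    # one modified fuzzer and one added fuzzer under contrib/
    printf 'int png_stub(void) { return 1; }\n'   > "$w/new/pngwrite.c"
    printf 'int fuzz(void) { return 2; }\n'       > "$w/new/contrib/oss-fuzz/read_fuzzer.cc"
    printf 'int alloc_fail(void) { return 0; }\n' > "$w/new/contrib/oss-fuzz/alloc_fuzzer.cc"
    tar -C "$w" -cf "$w/new.tar" new
    # recipe pinned to the constructed tarball and LICENSE, same syntax as the .bb
    {
        printf 'LIC_FILES_CHKSUM = "file://LICENSE;md5=%s"\n' "$(md5sum "$w/new/LICENSE" | cut -d' ' -f1)"
        printf 'SRC_URI[sha256sum] = "%s"\n' "$(sha256sum "$w/new.tar" | cut -d' ' -f1)"
    } > "$w/libpng_new.bb"
    # the same recipe with a stale checksum, to exercise the failure path
    sed 's/sha256sum\] = "[0-9a-f]*"/sha256sum] = "0000000000000000000000000000000000000000000000000000000000000000"/' \
        "$w/libpng_new.bb" > "$w/libpng_stale.bb"
    echo "$w"
}

run_demo() {
    w=$(make_fixture)
    echo "tarball vs recipe:        $(check_tarball "$w/new.tar" "$w/libpng_new.bb")"
    echo "tarball vs stale recipe:  $(check_tarball "$w/new.tar" "$w/libpng_stale.bb")"
    echo "LICENSE vs recipe:        $(check_license "$w/new" "$w/libpng_new.bb")"
    echo "LICENSE text change:"; diff "$w/old/LICENSE" "$w/new/LICENSE" || true
    echo "changed files:"; changed_files "$w/old" "$w/new" | sed 's/^/  /'
    echo "changed outside contrib/: $(changed_outside_contrib "$w/old" "$w/new")"
    rm -rf "$w"
}
run_demo
```

Pointed at the real unpacked 1.6.53 and 1.6.54 trees and at libpng_1.6.54.bb, changed_outside_contrib answers the stable-policy question directly, and check_license plus a diff of the two LICENSE files shows whether the new md5 covers only the copyright years. LIC_FILES_CHKSUM is a change detector, not an integrity check; the sha256 in SRC_URI is what pins the source, which is why it should be verified against an upstream-published value and not only against the file a mirror served.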

Patch

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
similarity index 94%
rename from meta/recipes-multimedia/libpng/libpng_1.6.53.bb
rename to meta/recipes-multimedia/libpng/libpng_1.6.54.bb
index 956cd243b19..3f2b80a060f 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
@@ -5,7 +5,7 @@  library for use in applications that read, create, and manipulate PNG \
 HOMEPAGE = "http://www.libpng.org/"
 SECTION = "libs"
 LICENSE = "Libpng"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=5516d77a3cf75f55a0d37254e3e65a20"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2"
 DEPENDS = "zlib"
 
 LIBV = "16"
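Review bot: the LIC_FILES_CHKSUM change (md5 5516d77a... -> 9dc350ed...) is justified only by the "License-Update: copyright years refreshed" line in the commit message, so before merging, diff LICENSE between the 1.6.53 and 1.6.54 tarballs and confirm that the year line is the only change; this md5 is what makes the build stop on any license-text change, and accepting a new value without looking silently accepts whatever changed. Recording the result in the commit message ("LICENSE: only the copyright year changed") would help later audits, since the License-Update tag alone is all they will see.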
@@ -14,7 +14,7 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
            file://run-ptest \
 "
 
-SRC_URI[sha256sum] = "1d3fb8ccc2932d04aa3663e22ef5ef490244370f4e568d7850165068778d98d4"
+SRC_URI[sha256sum] = "01c9d8a303c941ec2c511c14312a3b1d36cedb41e2f5168ccdaa85d53b887805"
 
 MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
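Review bot: the new SRC_URI[sha256sum] (01c9d8a3...) should be confirmed against a value independent of the mirror that served the download, for example upstream's release announcement or the signature file shipped with the archive where one is published, because SRC_URI fetches through ${SOURCEFORGE_MIRROR} (with older-releases/ as fallback) and a checksum copied from the fetched file only pins what that mirror returned. A second reviewer fetching from a different mirror and obtaining the same digest is sufficient. No CVE_STATUS entries are needed for CVE-2026-22695 and CVE-2026-22801: cve-check works from the recipe version, so the bump to 1.6.54 is what marks them fixed once the affected-version data for these IDs is published.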