[whinlatter,v2,15/22] libpng: upgrade 1.6.53 -> 1.6.54

Message ID	0d7e8b4fdc95ddd9a32603f2f692e0a1e7f510d5.1770109549.git.yoann.congal@smile.fr
State	New
Headers	show Return-Path: <yoann.congal@smile.fr> ip: 209.85.221.52, mailfrom: yoann.congal@smile.fr) From: Yoann Congal <yoann.congal@smile.fr> To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter v2 15/22] libpng: upgrade 1.6.53 -> 1.6.54 Date: Tue, 3 Feb 2026 11:16:44 +0100 Message-ID: <0d7e8b4fdc95ddd9a32603f2f692e0a1e7f510d5.1770109549.git.yoann.congal@smile.fr> In-Reply-To: <cover.1770109549.git.yoann.congal@smile.fr> References: <cover.1770109549.git.yoann.congal@smile.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[whinlatter,v2,01/22] oeqa/gitarchive: Fix git push URL parameter \| expand [whinlatter,v2,01/22] oeqa/gitarchive: Fix git push URL parameter [whinlatter,v2,02/22] oeqa/gitarchive: Push tag before copying log files [whinlatter,v2,03/22] scripts/oe-git-archive: Ensure new push parameter is specified [whinlatter,v2,04/22] grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-202… [whinlatter,v2,05/22] go: upgrade 1.25.5 -> 1.25.6 [whinlatter,v2,06/22] zlib: ignore CVE-2026-22184 [whinlatter,v2,07/22] python3-urllib3: patch CVE-2026-21441 [whinlatter,v2,08/22] libtasn1: Fix CVE-2025-13151 [whinlatter,v2,09/22] glibc: stable 2.42 branch updates [whinlatter,v2,10/22] pseudo: Update to 1.9.3 release [whinlatter,v2,11/22] dpkg: Fix ADMINDIR [whinlatter,v2,12/22] docbook-xml-dtd4: fix the fetching failure [whinlatter,v2,13/22] dropbear: patch CVE-2025-14282 [whinlatter,v2,14/22] libtheora: set CVE_PRODUCT [whinlatter,v2,15/22] libpng: upgrade 1.6.53 -> 1.6.54 [whinlatter,v2,16/22] glib-2.0: patch CVE-2026-0988 [whinlatter,v2,17/22] libxml2: patch CVE-2026-0989 [whinlatter,v2,18/22] libxml2: patch CVE-2026-0990 [whinlatter,v2,19/22] libxml2: patch CVE-2026-0992 [whinlatter,v2,20/22] libxml2: add follow-up patch for CVE-2026-0992 [whinlatter,v2,21/22] expat: upgrade 2.7.3 -> 2.7.4 [whinlatter,v2,22/22] inetutils: patch CVE-2026-24061

Message ID

0d7e8b4fdc95ddd9a32603f2f692e0a1e7f510d5.1770109549.git.yoann.congal@smile.fr

State

New

Headers

From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter v2 15/22] libpng: upgrade 1.6.53 -> 1.6.54
Date: Tue,  3 Feb 2026 11:16:44 +0100
Message-ID: 
 <0d7e8b4fdc95ddd9a32603f2f692e0a1e7f510d5.1770109549.git.yoann.congal@smile.fr>
In-Reply-To: <cover.1770109549.git.yoann.congal@smile.fr>
References: <cover.1770109549.git.yoann.congal@smile.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[whinlatter,v2,01/22] oeqa/gitarchive: Fix git push URL parameter | expand

Commit Message

Yoann Congal Feb. 3, 2026, 10:16 a.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Handles CVE-2026-22695 and CVE-2026-22801.

License-Update: copyright years refreshed

Changelog:
Version 1.6.54 [January 12, 2026]
  Fixed CVE-2026-22695 (medium severity):
    Heap buffer over-read in `png_image_read_direct_scaled.
    (Reported and fixed by Petr Simecek.)
  Fixed CVE-2026-22801 (medium severity):
    Integer truncation causing heap buffer over-read in `png_image_write_*`.
  Implemented various improvements in oss-fuzz.
    (Contributed by Philippe Antoine.)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9c18cb1d4dd0edf2e9c638c3c576cb803e1ff4c6)
[YC: Added changelog]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb}             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb} (94%)

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
similarity index 94%
rename from meta/recipes-multimedia/libpng/libpng_1.6.53.bb
rename to meta/recipes-multimedia/libpng/libpng_1.6.54.bb
index 956cd243b19..3f2b80a060f 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
@@ -5,7 +5,7 @@  library for use in applications that read, create, and manipulate PNG \
 HOMEPAGE = "http://www.libpng.org/"
 SECTION = "libs"
 LICENSE = "Libpng"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=5516d77a3cf75f55a0d37254e3e65a20"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2"
 DEPENDS = "zlib"
 
 LIBV = "16"
@@ -14,7 +14,7 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
            file://run-ptest \
 "
 
-SRC_URI[sha256sum] = "1d3fb8ccc2932d04aa3663e22ef5ef490244370f4e568d7850165068778d98d4"
+SRC_URI[sha256sum] = "01c9d8a303c941ec2c511c14312a3b1d36cedb41e2f5168ccdaa85d53b887805"
 
 MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"

[whinlatter,v2,15/22] libpng: upgrade 1.6.53 -> 1.6.54

Commit Message

Patch