From: Gustavo Zacarias
Date: Tue, 25 Nov 2014 18:52:23 +0000 (-0300)
Subject: libpng: security bump to version 1.6.15
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=b89ce67523b6c18ded565b36fcc09876434cd026;p=buildroot.git

libpng: security bump to version 1.6.15

Fixes an out-of-bounds memory access in png_user_version_check().

Signed-off-by: Gustavo Zacarias
Signed-off-by: Peter Korsgaard
---

diff --git a/package/libpng/0001-disable-tools.patch b/package/libpng/0001-disable-tools.patch
new file mode 100644
index 0000000000..e30eca9ffc
--- /dev/null
+++ b/package/libpng/0001-disable-tools.patch
@@ -0,0 +1,30 @@
+Disable the new pngfix and png-fix-itxt tools: they take up space, fail to
+build on some oddball toolchain configurations and aren't expected/needed
+in a non-interactive embedded system.
+
+Signed-off-by: Gustavo Zacarias
+
+diff -Nura libpng-1.6.10.orig/Makefile.am libpng-1.6.10/Makefile.am
+--- libpng-1.6.10.orig/Makefile.am 2014-03-17 08:51:25.812005079 -0300
++++ libpng-1.6.10/Makefile.am 2014-03-17 09:14:28.807586433 -0300
+@@ -10,7 +10,7 @@
+ check_PROGRAMS= pngtest pngunknown pngstest pngvalid pngimage
+
+# Utilities - installed
+-bin_PROGRAMS= pngfix png-fix-itxt
++bin_PROGRAMS=
+
+# This ensures that pnglibconf.h gets built at the start of 'make all' or
+# 'make check', but it does not add dependencies to the individual programs,
+diff -Nura libpng-1.6.10.orig/Makefile.in libpng-1.6.10/Makefile.in
+--- libpng-1.6.10.orig/Makefile.in 2014-03-17 08:51:25.807005070 -0300
++++ libpng-1.6.10/Makefile.in 2014-03-17 09:14:44.846617623 -0300
+@@ -87,7 +87,7 @@
+ host_triplet = @host@
+ check_PROGRAMS = pngtest$(EXEEXT) pngunknown$(EXEEXT) \
+ pngstest$(EXEEXT) pngvalid$(EXEEXT) pngimage$(EXEEXT)
+-bin_PROGRAMS = pngfix$(EXEEXT) png-fix-itxt$(EXEEXT)
++bin_PROGRAMS =
+ @PNG_ARM_NEON_TRUE@am__append_1 = arm/arm_init.c\
+ @PNG_ARM_NEON_TRUE@ arm/filter_neon.S arm/filter_neon_intrinsics.c
+
diff --git a/package/libpng/0002-ignore-symbol-prefix.patch b/package/libpng/0002-ignore-symbol-prefix.patch
new file mode 100644
index 0000000000..7f2cfff248
--- /dev/null
+++ b/package/libpng/0002-ignore-symbol-prefix.patch
@@ -0,0 +1,26 @@
+Even if Blackfin GNU toolchain add prefix '_' to all symbols,
+symbol prefix is not accepted in the link flag --version-script.
+Don't append prefix in the symbols in the version script file.
+
+--- libpng-1.6.8/Makefile.am 2013-12-30 18:23:08.261797417 +0800
++++ libpng-1.6.8.bak/Makefile.am 2013-12-30 18:22:15.565795726 +0800
+@@ -225,7 +225,7 @@
+ # interfering with the symbol file format.
+ SYMBOL_CFLAGS = -DPNGLIB_LIBNAME='PNG@PNGLIB_MAJOR@@PNGLIB_MINOR@_0'\
+ -DPNGLIB_VERSION='@PNGLIB_VERSION@'\
+- -DSYMBOL_PREFIX='$(SYMBOL_PREFIX)'\
++ -DSYMBOL_PREFIX=''\
+ -DPNG_NO_USE_READ_MACROS -DPNG_BUILDING_SYMBOL_TABLE
+
+ if DO_PNG_PREFIX
+--- libpng-1.6.8/Makefile.in 2013-12-30 18:23:08.261797417 +0800
++++ libpng-1.6.8.bak/Makefile.in 2013-12-30 18:22:09.853794547 +0800
+@@ -698,7 +698,7 @@
+ # interfering with the symbol file format.
+ SYMBOL_CFLAGS = -DPNGLIB_LIBNAME='PNG@PNGLIB_MAJOR@@PNGLIB_MINOR@_0' \
+ -DPNGLIB_VERSION='@PNGLIB_VERSION@' \
+- -DSYMBOL_PREFIX='$(SYMBOL_PREFIX)' -DPNG_NO_USE_READ_MACROS \
++ -DSYMBOL_PREFIX='' -DPNG_NO_USE_READ_MACROS \
+ -DPNG_BUILDING_SYMBOL_TABLE $(am__append_5)
+ all: $(BUILT_SOURCES) config.h
+ $(MAKE) $(AM_MAKEFLAGS) all-am
diff --git a/package/libpng/libpng-01-disable-tools.patch b/package/libpng/libpng-01-disable-tools.patch
deleted file mode 100644
index e30eca9ffc..0000000000
--- a/package/libpng/libpng-01-disable-tools.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Disable the new pngfix and png-fix-itxt tools: they take up space, fail to
-build on some oddball toolchain configurations and aren't expected/needed
-in a non-interactive embedded system.
-
-Signed-off-by: Gustavo Zacarias
-
-diff -Nura libpng-1.6.10.orig/Makefile.am libpng-1.6.10/Makefile.am
---- libpng-1.6.10.orig/Makefile.am 2014-03-17 08:51:25.812005079 -0300
-+++ libpng-1.6.10/Makefile.am 2014-03-17 09:14:28.807586433 -0300
-@@ -10,7 +10,7 @@
- check_PROGRAMS= pngtest pngunknown pngstest pngvalid pngimage
-
- # Utilities - installed
--bin_PROGRAMS= pngfix png-fix-itxt
-+bin_PROGRAMS=
-
- # This ensures that pnglibconf.h gets built at the start of 'make all' or
- # 'make check', but it does not add dependencies to the individual programs,
-diff -Nura libpng-1.6.10.orig/Makefile.in libpng-1.6.10/Makefile.in
---- libpng-1.6.10.orig/Makefile.in 2014-03-17 08:51:25.807005070 -0300
-+++ libpng-1.6.10/Makefile.in 2014-03-17 09:14:44.846617623 -0300
-@@ -87,7 +87,7 @@
- host_triplet = @host@
- check_PROGRAMS = pngtest$(EXEEXT) pngunknown$(EXEEXT) \
- pngstest$(EXEEXT) pngvalid$(EXEEXT) pngimage$(EXEEXT)
--bin_PROGRAMS = pngfix$(EXEEXT) png-fix-itxt$(EXEEXT)
-+bin_PROGRAMS =
- @PNG_ARM_NEON_TRUE@am__append_1 = arm/arm_init.c\
- @PNG_ARM_NEON_TRUE@ arm/filter_neon.S arm/filter_neon_intrinsics.c
-
diff --git a/package/libpng/libpng-02-ignore-symbol-prefix.patch b/package/libpng/libpng-02-ignore-symbol-prefix.patch
deleted file mode 100644
index 7f2cfff248..0000000000
--- a/package/libpng/libpng-02-ignore-symbol-prefix.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Even if Blackfin GNU toolchain add prefix '_' to all symbols,
-symbol prefix is not accepted in the link flag --version-script.
-Don't append prefix in the symbols in the version script file.
-
---- libpng-1.6.8/Makefile.am 2013-12-30 18:23:08.261797417 +0800
-+++ libpng-1.6.8.bak/Makefile.am 2013-12-30 18:22:15.565795726 +0800
-@@ -225,7 +225,7 @@
- # interfering with the symbol file format.
- SYMBOL_CFLAGS = -DPNGLIB_LIBNAME='PNG@PNGLIB_MAJOR@@PNGLIB_MINOR@_0'\
- -DPNGLIB_VERSION='@PNGLIB_VERSION@'\
-- -DSYMBOL_PREFIX='$(SYMBOL_PREFIX)'\
-+ -DSYMBOL_PREFIX=''\
- -DPNG_NO_USE_READ_MACROS -DPNG_BUILDING_SYMBOL_TABLE
-
- if DO_PNG_PREFIX
---- libpng-1.6.8/Makefile.in 2013-12-30 18:23:08.261797417 +0800
-+++ libpng-1.6.8.bak/Makefile.in 2013-12-30 18:22:09.853794547 +0800
-@@ -698,7 +698,7 @@
- # interfering with the symbol file format.
- SYMBOL_CFLAGS = -DPNGLIB_LIBNAME='PNG@PNGLIB_MAJOR@@PNGLIB_MINOR@_0' \
- -DPNGLIB_VERSION='@PNGLIB_VERSION@' \
-- -DSYMBOL_PREFIX='$(SYMBOL_PREFIX)' -DPNG_NO_USE_READ_MACROS \
-+ -DSYMBOL_PREFIX='' -DPNG_NO_USE_READ_MACROS \
- -DPNG_BUILDING_SYMBOL_TABLE $(am__append_5)
- all: $(BUILT_SOURCES) config.h
- $(MAKE) $(AM_MAKEFLAGS) all-am
diff --git a/package/libpng/libpng.hash b/package/libpng/libpng.hash
new file mode 100644
index 0000000000..37f60679c3
--- /dev/null
+++ b/package/libpng/libpng.hash
@@ -0,0 +1,3 @@
+# From http://sourceforge.net/projects/libpng/files/libpng16/1.6.15/
+md5 a95cb387c53215b034203b41ec57c7e5 libpng-1.6.15.tar.xz
+sha1 bddeac8ca97fbcf54d6d32c6eefed5d94b49df88 libpng-1.6.15.tar.xz
diff --git a/package/libpng/libpng.mk b/package/libpng/libpng.mk
index 99510ca074..67bf14196a 100644
--- a/package/libpng/libpng.mk
+++ b/package/libpng/libpng.mk
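Review bot: The new libpng.hash pins the tarball with only `md5` and `sha1` entries, neither of which is collision-resistant, and the unchanged `LIBPNG_SITE` line in libpng.mk fetches over plain `http://`, so these digests are the only integrity check on the download. A SHA-256 entry computed from a locally verified copy of the tarball should be added next to them, e.g. `sha256 <sha256-of-libpng-1.6.15.tar.xz> libpng-1.6.15.tar.xz` (placeholder; the digest is not on this page). Keep the upstream-published lines under their `# From` comment and mark the new one as locally computed, so the provenance of each digest stays clear. If upstream publishes a detached signature for this release, verifying it before recording the digest would be the stronger step.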
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBPNG_VERSION = 1.6.12
+LIBPNG_VERSION = 1.6.15
 LIBPNG_SERIES = 16
 LIBPNG_SOURCE = libpng-$(LIBPNG_VERSION).tar.xz
 LIBPNG_SITE = http://downloads.sourceforge.net/project/libpng/libpng${LIBPNG_SERIES}/$(LIBPNG_VERSION)