Opened 2 years ago
Last modified 41 hours ago
#30564 new defect
Upgrade libpng to 1.6.37 (fixes vulnerability)
| Reported by: | mkoeppe | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | packages: standard | Keywords: | |
| Cc: | jpflori, frederichan, tscrim, slelievre, dimpase | Merged in: | |
| Authors: | Matthias Koeppe | Reviewers: | Dima Pasechnik |
| Report Upstream: | N/A | Work issues: | |
| Branch: | d6c59f4 (Commits, GitHub, GitLab) | Commit: | |
| Dependencies: | Stopgaps: |
Status badges
Description (last modified by )
The libpng homepage warns:
Vulnerability Warning
libpng versions 1.6.36 and earlier have a use-after-free bug in the simplified libpng API png_image_free(). It has been assigned ID CVE-2019-7317. The vulnerability is fixed in version 1.6.37, released on 15 April 2019.
Before this ticket we have libpng 1.6.29 which has the vulnerability. This ticket upgrades to libpng 1.6.37 which fixes it.
Previous update: #22159 (1.6.29)
Tarball: see checksums.ini
Change History (15)
comment:1 Changed 2 years ago by
| Branch: | → u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_ |
|---|
comment:2 Changed 2 years ago by
| Authors: | → Matthias Koeppe |
|---|---|
| Cc: | dimpase added |
| Commit: | → d6c59f4c84f886ee39e1e044d0d1095603e9f2c9 |
| Status: | new → needs_review |
comment:3 Changed 2 years ago by
| Description: | modified (diff) |
|---|
comment:4 Changed 2 years ago by
| Reviewers: | → Dima Pasechnik |
|---|---|
| Status: | needs_review → positive_review |
lgtm
comment:6 Changed 2 years ago by
| Branch: | u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_ → d6c59f4c84f886ee39e1e044d0d1095603e9f2c9 |
|---|---|
| Resolution: | → fixed |
| Status: | positive_review → closed |
comment:7 Changed 2 years ago by
| Commit: | d6c59f4c84f886ee39e1e044d0d1095603e9f2c9 |
|---|---|
| Resolution: | fixed |
| Status: | closed → new |
************************************************************************
Traceback (most recent call last):
File "setup.py", line 48, in <module>
from sage_setup.command.sage_build_cython import sage_build_cython
File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/command/sage_build_cython.py", line 19, in <module>
from sage_setup.library_order import library_order
File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/library_order.py", line 35, in <module>
png_pc = pkgconfig.parse('libpng')
File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 248, in parse
_raise_if_not_exists(package)
File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 103, in _raise_if_not_exists
raise PackageNotFoundError(package)
pkgconfig.pkgconfig.PackageNotFoundError: libpng not found
************************************************************************
comment:8 Changed 2 years ago by
hmm, libpng installs an unversioned libpng.pc, which is a link to libpng16.pc - could it be that pkgconfig.parse('libpng') does not like it (on macOS - it seems)?
comment:9 Changed 2 years ago by
| Milestone: | sage-9.2 → sage-9.3 |
|---|
comment:10 Changed 21 months ago by
| Milestone: | sage-9.3 → sage-9.4 |
|---|
Moving to 9.4, as 9.3 has been released.
comment:11 Changed 18 months ago by
| Milestone: | sage-9.4 → sage-9.5 |
|---|
comment:12 Changed 14 months ago by
| Milestone: | sage-9.5 → sage-9.6 |
|---|
comment:13 Changed 9 months ago by
| Milestone: | sage-9.6 → sage-9.7 |
|---|
comment:14 Changed 4 months ago by
| Milestone: | sage-9.7 → sage-9.8 |
|---|
comment:15 Changed 41 hours ago by
| Milestone: | sage-9.8 |
|---|
Note: See
TracTickets for help on using
tickets.
New commits:
build/pkgs/libpng: Upgrade to 1.6.37build/pkgs/libpng/spkg-install.in: Remove outdated CFLAGS, CPPFLAGS settingsbuild/pkgs/libpng/spkg-install.in: Do not build a static library