Opened 2 years ago
Last modified 41 hours ago
#30564 new defect
Upgrade libpng to 1.6.37 (fixes vulnerability)
Reported by: | mkoeppe | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | packages: standard | Keywords: | |
Cc: | jpflori, frederichan, tscrim, slelievre, dimpase | Merged in: | |
Authors: | Matthias Koeppe | Reviewers: | Dima Pasechnik |
Report Upstream: | N/A | Work issues: | |
Branch: | d6c59f4 (Commits, GitHub, GitLab) | Commit: | |
Dependencies: | | Stopgaps: | |
Description
The libpng homepage warns:
Vulnerability Warning
libpng versions 1.6.36 and earlier have a use-after-free bug in the simplified libpng API png_image_free(). It has been assigned ID CVE-2019-7317. The vulnerability is fixed in version 1.6.37, released on 15 April 2019.
Before this ticket we have libpng 1.6.29 which has the vulnerability. This ticket upgrades to libpng 1.6.37 which fixes it.
Previous update: #22159 (1.6.29)
Tarball: see checksums.ini
Change History (15)
comment:1 Changed 2 years ago by
Branch: | → u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_ |
---|
comment:2 Changed 2 years ago by
Authors: | → Matthias Koeppe |
---|---|
Cc: | dimpase added |
Commit: | → d6c59f4c84f886ee39e1e044d0d1095603e9f2c9 |
Status: | new → needs_review |
comment:3 Changed 2 years ago by
Description: | modified (diff) |
---|
comment:4 Changed 2 years ago by
Reviewers: | → Dima Pasechnik |
---|---|
Status: | needs_review → positive_review |
lgtm
comment:6 Changed 2 years ago by
Branch: | u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_ → d6c59f4c84f886ee39e1e044d0d1095603e9f2c9 |
---|---|
Resolution: | → fixed |
Status: | positive_review → closed |
comment:7 Changed 2 years ago by
Commit: | d6c59f4c84f886ee39e1e044d0d1095603e9f2c9 |
---|---|
Resolution: | fixed |
Status: | closed → new |
************************************************************************
Traceback (most recent call last):
  File "setup.py", line 48, in <module>
    from sage_setup.command.sage_build_cython import sage_build_cython
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/command/sage_build_cython.py", line 19, in <module>
    from sage_setup.library_order import library_order
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/library_order.py", line 35, in <module>
    png_pc = pkgconfig.parse('libpng')
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 248, in parse
    _raise_if_not_exists(package)
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 103, in _raise_if_not_exists
    raise PackageNotFoundError(package)
pkgconfig.pkgconfig.PackageNotFoundError: libpng not found
************************************************************************
comment:8 Changed 2 years ago by
hmm, libpng installs an unversioned libpng.pc, which is a link to libpng16.pc - could it be that pkgconfig.parse('libpng') does not like it (on macOS - it seems)?
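The description fixes the threshold (1.6.37 is the first release without CVE-2019-7317) and the traceback in comment:7 shows what happens when pkg-config cannot resolve the module name "libpng" at all. The following POSIX sh script is an added example, not part of this ticket and not Sage's build code: it probes pkg-config for both the unversioned name "libpng" and the "libpng16" name mentioned in comment:8, prints which .pc file each name resolves to, and reports whether the resolved version is at or above 1.6.37. The function names are mine; the module names and the symlink relationship are taken from comment:8.

```sh
#!/bin/sh
# Added example (not Sage's own build code): check whether the libpng that
# pkg-config resolves is at least 1.6.37, the first release without
# CVE-2019-7317, probing both "libpng" and "libpng16" as module names.

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing up to
# three numeric components. Missing components count as 0 and any trailing
# non-digit characters in a component are dropped before comparing.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        # Appending ".0.0" guarantees a delimiter, so cut never echoes the
        # whole string back for a version such as "1".
        x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# libpng_fixed VERSION: succeed when VERSION carries the CVE-2019-7317 fix,
# i.e. is 1.6.37 or newer.
libpng_fixed() {
    version_ge "$1" 1.6.37
}

# pkgconfig_libpng_version: print the version of the first module name that
# pkg-config can resolve, trying "libpng" before "libpng16"; fail if neither
# resolves, which is the situation behind the PackageNotFoundError above.
pkgconfig_libpng_version() {
    for mod in libpng libpng16; do
        if pkg-config --exists "$mod" 2>/dev/null; then
            pkg-config --modversion "$mod"
            return 0
        fi
    done
    return 1
}

# check_libpng: report which .pc files resolve and whether the version is
# fixed. Exit 2 if pkg-config finds nothing, 1 if vulnerable, 0 if fixed.
check_libpng() {
    v=$(pkgconfig_libpng_version) || {
        echo "libpng: not found via pkg-config (PKG_CONFIG_PATH=${PKG_CONFIG_PATH:-unset})" >&2
        return 2
    }
    # pcfiledir is a built-in pkg-config variable: the directory the .pc file
    # was found in, which shows whether libpng.pc and libpng16.pc both resolve.
    for mod in libpng libpng16; do
        dir=$(pkg-config --variable=pcfiledir "$mod" 2>/dev/null) && echo "$mod -> $dir/$mod.pc"
    done
    if libpng_fixed "$v"; then
        echo "libpng $v: includes the CVE-2019-7317 fix (>= 1.6.37)"
        return 0
    fi
    echo "libpng $v: vulnerable to CVE-2019-7317 (use-after-free in png_image_free), upgrade to 1.6.37 or later" >&2
    return 1
}

# Run the check only when invoked as "sh check_libpng.sh --check", so that
# sourcing the file merely defines the functions.
if [ "${1:-}" = "--check" ]; then
    check_libpng
    exit $?
fi
```

Run it as `sh check_libpng.sh --check` with the same PKG_CONFIG_PATH the build uses; a non-zero exit with "not found via pkg-config" reproduces the condition in the traceback, while "libpng 1.6.29: vulnerable" is what the pre-ticket tree would report.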
comment:9 Changed 2 years ago by
Milestone: | sage-9.2 → sage-9.3 |
---|
comment:10 Changed 21 months ago by
Milestone: | sage-9.3 → sage-9.4 |
---|
Moving to 9.4, as 9.3 has been released.
comment:11 Changed 18 months ago by
Milestone: | sage-9.4 → sage-9.5 |
---|
comment:12 Changed 14 months ago by
Milestone: | sage-9.5 → sage-9.6 |
---|
comment:13 Changed 9 months ago by
Milestone: | sage-9.6 → sage-9.7 |
---|
comment:14 Changed 4 months ago by
Milestone: | sage-9.7 → sage-9.8 |
---|
comment:15 Changed 41 hours ago by
Milestone: | sage-9.8 |
---|
New commits:
build/pkgs/libpng: Upgrade to 1.6.37
build/pkgs/libpng/spkg-install.in: Remove outdated CFLAGS, CPPFLAGS settings
build/pkgs/libpng/spkg-install.in: Do not build a static library