Opened 2 years ago

Last modified 41 hours ago

#30564 new defect

Upgrade libpng to 1.6.37 (fixes vulnerability)

Reported by: mkoeppe Owned by:
Priority: critical Milestone:
Component: packages: standard Keywords:
Cc: jpflori, frederichan, tscrim, slelievre, dimpase Merged in:
Authors: Matthias Koeppe Reviewers: Dima Pasechnik
Report Upstream: N/A Work issues:
Branch: d6c59f4 (Commits, GitHub, GitLab) Commit:
Dependencies: Stopgaps:

Status badges

Description (last modified by slelievre)

The libpng homepage warns:

Vulnerability Warning

libpng versions 1.6.36 and earlier have a use-after-free bug in the simplified libpng API png_image_free(). It has been assigned ID CVE-2019-7317. The vulnerability is fixed in version 1.6.37, released on 15 April 2019.

Before this ticket we have libpng 1.6.29 which has the vulnerability. This ticket upgrades to libpng 1.6.37 which fixes it.

Previous update: #22159 (1.6.29)

Tarball: see checksums.ini

Change History (15)

comment:1 Changed 2 years ago by mkoeppe

Branch: u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_

comment:2 Changed 2 years ago by mkoeppe

Authors: Matthias Koeppe
Cc: dimpase added
Commit: d6c59f4c84f886ee39e1e044d0d1095603e9f2c9
Status: newneeds_review

New commits:

5ae93ccbuild/pkgs/libpng: Upgrade to 1.6.37
569050bbuild/pkgs/libpng/ Remove outdated CFLAGS, CPPFLAGS settings
d6c59f4build/pkgs/libpng/ Do not build a static library

comment:3 Changed 2 years ago by slelievre

Description: modified (diff)

comment:4 Changed 2 years ago by dimpase

Reviewers: Dima Pasechnik
Status: needs_reviewpositive_review


comment:5 Changed 2 years ago by mkoeppe


comment:6 Changed 2 years ago by vbraun

Branch: u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_d6c59f4c84f886ee39e1e044d0d1095603e9f2c9
Resolution: fixed
Status: positive_reviewclosed

comment:7 Changed 2 years ago by vbraun

Commit: d6c59f4c84f886ee39e1e044d0d1095603e9f2c9
Resolution: fixed
Status: closednew
Traceback (most recent call last):
  File "", line 48, in <module>
    from sage_setup.command.sage_build_cython import sage_build_cython
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/command/", line 19, in <module>
    from sage_setup.library_order import library_order
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/", line 35, in <module>
    png_pc = pkgconfig.parse('libpng')
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/", line 248, in parse
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/", line 103, in _raise_if_not_exists
    raise PackageNotFoundError(package)
pkgconfig.pkgconfig.PackageNotFoundError: libpng not found

comment:8 Changed 2 years ago by dimpase

hmm, libpng installs an unversioned libpng.pc, which is a link to libpng16.pc - could it be that pkgconfig.parse('libpng') does not like it (on macOS - it seems)?

comment:9 Changed 2 years ago by mkoeppe

Milestone: sage-9.2sage-9.3

comment:10 Changed 21 months ago by mkoeppe

Milestone: sage-9.3sage-9.4

Moving to 9.4, as 9.3 has been released.

comment:11 Changed 18 months ago by mkoeppe

Milestone: sage-9.4sage-9.5

comment:12 Changed 14 months ago by mkoeppe

Milestone: sage-9.5sage-9.6

comment:13 Changed 9 months ago by mkoeppe

Milestone: sage-9.6sage-9.7

comment:14 Changed 4 months ago by mkoeppe

Milestone: sage-9.7sage-9.8

comment:15 Changed 41 hours ago by mkoeppe

Milestone: sage-9.8
Note: See TracTickets for help on using tickets.