Your message dated Wed, 16 Sep 2020 06:18:29 +0000 with message-id <[email protected]> and subject line Bug#969502: fixed in libpng1.6 1.6.37-3 has caused the Debian Bug report #969502, regarding libpng16-16: fails decoding PNGs with invalid eXIf chunk to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 969502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969502 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: libpng16-16 Version: 1.6.36-6 Severity: normal Dear Maintainer, Please note that while report is generated from Debian Stretch host, it's for the Debian Buster package. *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? When trying to decode the image with an invalid eXIf chunk, i.e. the one lacking byte order marker ("II", or "MM") in the first 2 bytes[1], it fails by misreading the rest of the chunk. * What exactly did you do (or not do) that was effective (or ineffective)? Tried to decode malformed image[2] using one of the libpng consumer, e.g. gmagick display image.png * What was the outcome of this action? It failed to decode the image complaining * What outcome did you expect instead? I was hoping for image to be successfully decoded To resolve this on our side, we are using following diff, which fixes the misreading of header by correcting the length of the rest of the chunk: -------------------------------------------------------------------------------------- --- pngrutil.c.orig +++ pngrutil.c @@ -2079,7 +2079,7 @@ if (i == 1 && buf[0] != 'M' && buf[0] != 'I' && info_ptr->eXIf_buf[0] != buf[0]) { - png_crc_finish(png_ptr, length); + png_crc_finish(png_ptr, length - 2); png_chunk_benign_error(png_ptr, "incorrect byte-order specifier"); png_free(png_ptr, info_ptr->eXIf_buf); info_ptr->eXIf_buf = NULL; -------------------------------------------------------------------------------------- A similar diff is also present in this pull request[3]. Thanks in advance References: [1] http://ftp-osl.osuosl.org/pub/libpng/documents/pngext-1.5.0.html#C.eXIf [2] http://www.lostca.se/~abbe/test1.png [3] https://github.com/glennrp/libpng/pull/326/commits/f8c13f61fb4a302a046c2dff46bccd64838a53b3 *** End of the template - remove these template lines *** -- System Information: Debian Release: 9.4 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libpng16-16 depends on: ii libc6 2.24-11+deb9u3 ii zlib1g 1:1.2.8.dfsg-5 libpng16-16 recommends no packages. libpng16-16 suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: libpng1.6 Source-Version: 1.6.37-3 Done: Gianfranco Costamagna <[email protected]> We believe that the bug you reported is fixed in the latest version of libpng1.6, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Gianfranco Costamagna <[email protected]> (supplier of updated libpng1.6 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 16 Sep 2020 08:02:32 +0200 Source: libpng1.6 Binary: libpng16-16 libpng-dev libpng-tools libpng16-16-udeb Architecture: source Version: 1.6.37-3 Distribution: unstable Urgency: medium Maintainer: Maintainers of libpng1.6 packages <[email protected]> Changed-By: Gianfranco Costamagna <[email protected]> Description: libpng-dev - PNG library - development (version 1.6) libpng-tools - PNG library - tools (version 1.6) libpng16-16 - PNG library - runtime (version 1.6) libpng16-16-udeb - PNG library - minimal runtime library (version 1.6) (udeb) Closes: 969502 Changes: libpng1.6 (1.6.37-3) unstable; urgency=medium . [ Debian Janitor ] * Wrap long lines in changelog entries: 1.2.5-5. . [ Gianfranco Costamagna ] * debian/patches/326.patch: - add upstream proposed patch to fix a decode fail with invalid eXIf chunks (Closes: #969502) Checksums-Sha1: c208a3b396f206945d04833c5f759c23087c4974 2225 libpng1.6_1.6.37-3.dsc 59e412ee2ada1085171ab95bc8f871c3d0490e68 32272 libpng1.6_1.6.37-3.debian.tar.xz f941fe3b34ac15be6e7335e5efbaf8e16ca6f5e3 7304 libpng1.6_1.6.37-3_source.buildinfo Checksums-Sha256: d6fac534b155e680849e700e4d2c87314e0ff20ab1b89fc22f1dfd2c24c1727b 2225 libpng1.6_1.6.37-3.dsc d28b11e41dba39c53d8d87be5f70cc96a246f296307855f55d86db03b24680d4 32272 libpng1.6_1.6.37-3.debian.tar.xz 73d05bc0264554f7bf55e5f69dc8d134559fc265cd1b738f0f62ea5e376e9a57 7304 libpng1.6_1.6.37-3_source.buildinfo Files: 131055e9acf50b5f99868fb1e48f629c 2225 libs optional libpng1.6_1.6.37-3.dsc 13f60915136613ff717e21673c142d8b 32272 libs optional libpng1.6_1.6.37-3.debian.tar.xz fb7a7b2bb1302500032716386f7b2667 7304 libs optional libpng1.6_1.6.37-3_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEkpeKbhleSSGCX3/w808JdE6fXdkFAl9hqsAACgkQ808JdE6f Xdl+4w//SmzKYbJC6SXeC5WNZGKd4w+hSnW89Re52ACjPrqW8y3NnUGYYkx74tY5 9+8Kh7A08JJXrDEjA3o8RXH554VgWN8v2VctNO/G+hEXySkFUjcTidiIGNms1E14 KuYOhwkeJhritsOT1cwGWqq/QYcLKWk7zuaPb/c942vab7p2HJHnGP+5QRVscCAC wCcmP7SSOluK38eXYPnbfgJhBzfJ2vL1aUJTJuBHegaCyM++89lEvhKUP2RRC3d+ mYMmT/i3J9v+LXn3aWQfvN1V31UlJ5d8CuWN7yBRF9n2GztsrayXE6hgrkEYEuKY 6qlxD3TkTXEmvSRttmBgc4NDt9sFu+KAIh1np0EJnitupg81UoFvF5xh2qaZnD1G Wu9hHFenJnie3mZCpBcU2BhEiqt2TOIN38UPSzgadGM8ejgQLlK+J0bj6bxhECcB kMV2PUHRj/EooFt8OzJh3a5XMKQGVj9LFqOtQ5V6uJDOa8VgDyTvY0EcODlPxtym 9/VaPp0Cu6qHRbxYF4daryWqaCUyTFCrKOA3Z/iZT17jtXGSxkUjZ27S1SIl4InL m2FGuE+Dn517oDdjeqNqmGKc6+ZCUm/VIkSDohAT3jfd7vLn0+M8ntDIywmnUFGe iDbRH8zVT+g8x3g6Awo5dPoTok4N7C6lFksWNxbIEXXOEmUzfww= =51kK -----END PGP SIGNATURE-----
--- End Message ---

