On Sat, 31 Jan 2026 at 08:57, Yoann Congal <[email protected]> wrote:

> From: Peter Marko <[email protected]>
>
> Handles CVE-2026-22695 and CVE-2026-22801.
>
> License-Update: copyright years refreshed
>
> Changelog:
> Version 1.6.54 [January 12, 2026]
>   Fixed CVE-2026-22695 (medium severity):
>     Heap buffer over-read in `png_image_read_direct_scaled`.
>     (Reported and fixed by Petr Simecek.)
>   Fixed CVE-2026-22801 (medium severity):
>     Integer truncation causing heap buffer over-read in
> `png_image_write_*`.
>   Implemented various improvements in oss-fuzz.
>     (Contributed by Philippe Antoine.)
>

Hello,

I'm on the fence with this one:
The changelog line "Implemented various improvements in oss-fuzz" sounds
incompatible with the stable policy, but it changes code in the contrib/
directory that we don't use/compile.

> Files in this directory are used by the oss-fuzz project
> (https://github.com/google/oss-fuzz/tree/master/projects/libpng).
> for "fuzzing" libpng.
>

We already upgraded libpng for whinlatter with a similar change "Added
allocation failure fuzzing to oss-fuzz." in the -> 1.6.52 upgrade.

I'm leaning towards taking it (which is why it is included in testing and in
this series), but I wonder what you think.

> Signed-off-by: Peter Marko <[email protected]>
> Signed-off-by: Antonin Godard <[email protected]>
> Signed-off-by: Richard Purdie <[email protected]>
> (cherry picked from commit 9c18cb1d4dd0edf2e9c638c3c576cb803e1ff4c6)
> [YC: Added changelog]
> Signed-off-by: Yoann Congal <[email protected]>
> ---
>  .../libpng/{libpng_1.6.53.bb => libpng_1.6.54.bb}             | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>  rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb =>
> libpng_1.6.54.bb} (94%)
>
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
> b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
> similarity index 94%
> rename from meta/recipes-multimedia/libpng/libpng_1.6.53.bb
> rename to meta/recipes-multimedia/libpng/libpng_1.6.54.bb
> index 956cd243b19..3f2b80a060f 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb
> @@ -5,7 +5,7 @@ library for use in applications that read, create, and
> manipulate PNG \
>  HOMEPAGE = "http://www.libpng.org/";
>  SECTION = "libs"
>  LICENSE = "Libpng"
> -LIC_FILES_CHKSUM = "file://LICENSE;md5=5516d77a3cf75f55a0d37254e3e65a20"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2"
>  DEPENDS = "zlib"
>
>  LIBV = "16"
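Review bot: the LIC_FILES_CHKSUM md5 bump in this hunk is justified only by the commit message's "License-Update: copyright years refreshed"; since the new md5 would equally accept any other edit to LICENSE, the reviewer taking this onto the stable branch should diff LICENSE between the 1.6.53 and 1.6.54 tarballs and confirm that the copyright years are the only change, and it would help later readers if the commit message said which lines of LICENSE moved.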
> @@ -14,7 +14,7 @@ SRC_URI =
> "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
>             file://run-ptest \
>  "
>
> -SRC_URI[sha256sum] =
> "1d3fb8ccc2932d04aa3663e22ef5ef490244370f4e568d7850165068778d98d4"
> +SRC_URI[sha256sum] =
> "01c9d8a303c941ec2c511c14312a3b1d36cedb41e2f5168ccdaa85d53b887805"
>
>  MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/
> ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
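Review bot: the new SRC_URI[sha256sum] is the only integrity check on the 1.6.54 tarball, and with the MIRRORS fallback to older-releases/ shown in the context the same file name may later be served from a different location, so the hash should be confirmed against a value published by upstream rather than copied from a first fetch; stating the source of the checksum in the commit message would make that verifiable. Note also that the mailer has wrapped the `SRC_URI =` and both `SRC_URI[sha256sum] =` lines, so this hunk will not apply as pasted from the archive; take it from the list's mbox or from git.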
>
>

-- 
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#230232):
https://lists.openembedded.org/g/openembedded-core/message/230232
-=-=-=-=-=-=-=-=-=-=-=-
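The check that Yoann's reasoning above implies, as an added example that is not part of the message and not oe-core or libpng tooling: a POSIX sh script which, given two unpacked release trees, lists every file that was added, removed or modified and separates changes under contrib/ (which the recipe does not build) from everything else, so a stable-branch reviewer can confirm that an upgrade such as 1.6.53 -> 1.6.54 touches compiled code only where the changelog says it does. The function names `classify_changes` and `core_changes`, the contrib/ rule, and the sample trees built at the bottom are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not oe-core or libpng tooling): classify the files that differ
# between two unpacked release trees, OLD and NEW, as "contrib" (under contrib/,
# which the recipe does not build) or "core" (everything else). The contrib/
# rule and the demo trees at the bottom are assumptions for illustration.

# classify_changes OLD NEW
# Prints one line per file that is added, removed or modified between the two
# trees, as "<class> <relative path>", sorted by path (C locale).
classify_changes() {
    old=$1
    new=$2
    # Union of relative file paths from both trees; files present on only one
    # side appear once after sort -u and are then detected as missing below.
    {
        (cd "$old" && find . -type f)
        (cd "$new" && find . -type f)
    } | sed 's|^\./||' | LC_ALL=C sort -u | while IFS= read -r rel; do
        # A path counts as changed when it is missing on either side or its
        # contents differ byte for byte.
        if [ ! -f "$old/$rel" ] || [ ! -f "$new/$rel" ] || ! cmp -s "$old/$rel" "$new/$rel"; then
            case $rel in
                contrib/*) printf 'contrib %s\n' "$rel" ;;
                *)         printf 'core %s\n' "$rel" ;;
            esac
        fi
    done
}

# core_changes OLD NEW
# Prints only the non-contrib paths and exits 0 when there are none, so a
# stable-branch check can fail when an upgrade touches compiled code.
core_changes() {
    classify_changes "$1" "$2" | awk '$1 == "core" { print $2; n++ } END { exit (n > 0) }'
}

# --- constructed demo input: a mock contrib-plus-core upgrade -----------------
demo=$(mktemp -d)
mkdir -p "$demo/old/contrib/oss-fuzz" "$demo/new/contrib/oss-fuzz"
printf 'unchanged\n' > "$demo/old/png.c"
cp "$demo/old/png.c" "$demo/new/png.c"
printf 'v1\n' > "$demo/old/pngwrite.c"
printf 'v2\n' > "$demo/new/pngwrite.c"
printf 'v1\n' > "$demo/old/contrib/oss-fuzz/fuzzer.cc"
printf 'v2\n' > "$demo/new/contrib/oss-fuzz/fuzzer.cc"
printf 'new file\n' > "$demo/new/contrib/oss-fuzz/extra.cc"

echo "All changes:"
classify_changes "$demo/old" "$demo/new"
echo "Changes outside contrib/:"
if core_changes "$demo/old" "$demo/new"; then
    echo "none: contrib-only upgrade"
else
    echo "upgrade touches compiled code; review each file against the changelog"
fi
rm -rf "$demo"
```

Run it against the two extracted tarballs (`classify_changes libpng-1.6.53 libpng-1.6.54`); `core_changes` is the form to put in a script, since its exit status says whether anything the recipe actually compiles has changed.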