OSS-fuzz is a testing framework (not production code) in the contrib directory and it is not compiled by Yocto (easy to check by removing the directory). So this upgrade should be acceptable for LTS branch backport.
Peter

From: [email protected] <[email protected]> On Behalf Of Yoann Congal via lists.openembedded.org
Sent: Saturday, January 31, 2026 9:25
To: [email protected]
Subject: Re: [OE-core][whinlatter 17/22] libpng: upgrade 1.6.53 -> 1.6.54

On Sat, 31 Jan 2026 at 08:57, Yoann Congal <[email protected]> wrote:

From: Peter Marko <[email protected]>

Handles CVE-2026-22695 and CVE-2026-22801.

License-Update: copyright years refreshed

Changelog:
Version 1.6.54 [January 12, 2026]
  Fixed CVE-2026-22695 (medium severity): Heap buffer over-read in
  `png_image_read_direct_scaled`. (Reported and fixed by Petr Simecek.)
  Fixed CVE-2026-22801 (medium severity): Integer truncation causing heap
  buffer over-read in `png_image_write_*`.
  Implemented various improvements in oss-fuzz. (Contributed by Philippe Antoine.)

Hello,

I'm on the fence with this one: the changelog line "Implemented various improvements in oss-fuzz" sounds incompatible with the stable policy, but it changes code in the contrib/ directory that we don't use/compile. Files in this directory are used by the oss-fuzz project (https://github.com/google/oss-fuzz/tree/master/projects/libpng) for "fuzzing" libpng.

We already upgraded libpng for whinlatter with a similar change, "Added allocation failure fuzzing to oss-fuzz.", in the -> 1.6.52 upgrade.

I'm leaning towards taking it (hence why it is included in testing and in this series) but I wonder what you think.

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Antonin Godard <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
(cherry picked from commit 9c18cb1d4dd0edf2e9c638c3c576cb803e1ff4c6)
[YC: Added changelog]
Signed-off-by: Yoann Congal <[email protected]<mailto:[email protected]>> --- .../libpng/{libpng_1.6.53.bb<http://libpng_1.6.53.bb> => libpng_1.6.54.bb<http://libpng_1.6.54.bb>} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-multimedia/libpng/{libpng_1.6.53.bb<http://libpng_1.6.53.bb> => libpng_1.6.54.bb<http://libpng_1.6.54.bb>} (94%) diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb<http://libpng_1.6.53.bb> b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb<http://libpng_1.6.54.bb> similarity index 94% rename from meta/recipes-multimedia/libpng/libpng_1.6.53.bb<http://libpng_1.6.53.bb> rename to meta/recipes-multimedia/libpng/libpng_1.6.54.bb<http://libpng_1.6.54.bb> index 956cd243b19..3f2b80a060f 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.53.bb<http://libpng_1.6.53.bb> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.54.bb<http://libpng_1.6.54.bb> @@ -5,7 +5,7 @@ library for use in applications that read, create, and manipulate PNG \ HOMEPAGE = "http://www.libpng.org/" SECTION = "libs" LICENSE = "Libpng" -LIC_FILES_CHKSUM = "file://LICENSE;md5=5516d77a3cf75f55a0d37254e3e65a20" +LIC_FILES_CHKSUM = "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2" DEPENDS = "zlib" LIBV = "16" @@ -14,7 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \ file://run-ptest \ " -SRC_URI[sha256sum] = "1d3fb8ccc2932d04aa3663e22ef5ef490244370f4e568d7850165068778d98d4" +SRC_URI[sha256sum] = "01c9d8a303c941ec2c511c14312a3b1d36cedb41e2f5168ccdaa85d53b887805" MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/" -- Yoann Congal Smile ECS
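Review bot: the LIC_FILES_CHKSUM bump in the first hunk (md5 5516d77a3cf75f55a0d37254e3e65a20 -> 9dc350edbbbee660c7d9af79487168f2) is covered by the "License-Update: copyright years refreshed" line, but for an LTS backport it would help to paste the actual one-line LICENSE diff into the commit message so a reviewer can confirm the change is years only without unpacking both tarballs.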
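Review bot: the new SRC_URI[sha256sum] in the second hunk should be cross-checked against whatever upstream publishes alongside the 1.6.54 release, not only against the tarball fetched through ${SOURCEFORGE_MIRROR}, since that mirror is the only source in SRC_URI; a short note in the commit message saying where the checksum was verified would make the backport easier to audit later.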
View/Reply Online (#230251): https://lists.openembedded.org/g/openembedded-core/message/230251
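The thread turns on three things a backport reviewer can verify locally: that the fetched tarball matches the recipe's sha256, that the LICENSE md5 bump really is a copyright-year refresh and nothing more, and that contrib/oss-fuzz is not wired into the build the recipe uses. The script below is an added example, not code from the OE-core patch or from libpng, and the function names (review_bump and friends) are mine. It assumes the recipe uses the SRC_URI[sha256sum] and LIC_FILES_CHKSUM forms shown in the patch, that the new tarball has been fetched and unpacked, and that the previous release's LICENSE is available. The oss-fuzz check only greps the top-level Makefile.am and CMakeLists.txt, which is a heuristic; the authoritative check is the one Peter describes, deleting the directory and rebuilding.

```shell
#!/bin/sh
# Added example (not OE-core or libpng code): local reviewer checks for an
# LTS backport of a libpng recipe bump. Assumes the recipe uses the
# SRC_URI[sha256sum] / LIC_FILES_CHKSUM forms seen in the patch, and that
# the new tarball, its unpacked tree and the previous LICENSE are on disk.

# sha256 the recipe expects for the tarball (empty if the line is absent).
recipe_sha256() {
    sed -n 's/^SRC_URI\[sha256sum\] *= *"\([0-9a-f]\{64\}\)".*/\1/p' "$1"
}

# md5 the recipe expects for LICENSE (empty if the line is absent).
recipe_license_md5() {
    sed -n 's/^LIC_FILES_CHKSUM *= *"file:\/\/LICENSE;md5=\([0-9a-f]\{32\}\)".*/\1/p' "$1"
}

# Fetched tarball matches the recipe's sha256? (args: recipe tarball)
check_tarball() {
    expected=$(recipe_sha256 "$1")
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Unpacked LICENSE matches the recipe's md5? (args: recipe srcdir)
check_license_md5() {
    expected=$(recipe_license_md5 "$1")
    actual=$(md5sum "$2/LICENSE" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# A "copyright years refreshed" License-Update should leave old and new
# LICENSE identical once every 4-digit number is blanked out. Any other
# difference means the terms themselves changed and the md5 bump needs a
# closer look. (args: old_license new_license)
license_diff_is_years_only() {
    old=$(sed 's/[0-9]\{4\}/YYYY/g' "$1")
    new=$(sed 's/[0-9]\{4\}/YYYY/g' "$2")
    [ "$old" = "$new" ]
}

# Stable-policy concern from the thread: contrib/oss-fuzz must not be part
# of the build the recipe uses. Heuristic: grep the top-level build
# descriptions; the authoritative check is deleting the directory and
# rebuilding. (args: srcdir)
oss_fuzz_not_built() {
    for f in Makefile.am CMakeLists.txt; do
        if [ -f "$1/$f" ] && grep -q 'oss-fuzz' "$1/$f"; then
            return 1
        fi
    done
    return 0
}

# Run every check and report the first failure.
# (args: recipe tarball srcdir old_license)
review_bump() {
    check_tarball "$1" "$2" || { echo "sha256 mismatch: $2"; return 1; }
    check_license_md5 "$1" "$3" || { echo "LICENSE md5 mismatch"; return 1; }
    license_diff_is_years_only "$4" "$3/LICENSE" \
        || { echo "LICENSE changed beyond copyright years"; return 1; }
    oss_fuzz_not_built "$3" || { echo "contrib/oss-fuzz referenced by build"; return 1; }
    echo "all checks passed"
}

# Example invocation on a build host (paths are placeholders):
#   review_bump libpng_1.6.54.bb libpng-1.6.54.tar.xz libpng-1.6.54 libpng-1.6.53/LICENSE
```

The year-blanking comparison deliberately fails on any non-year edit (a changed holder name, a reworded clause), which is exactly the case where a reviewer should stop trusting the "copyright years refreshed" summary and read the diff.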
