Upgrade libpng to 1.6.37 (fixes vulnerability)
mkoeppe opened this issue · 14 comments
The [libpng homepage](http://www.libpng.org/pub/png/libpng.html) warns:

> Vulnerability Warning
>
> libpng versions 1.6.36 and earlier have a use-after-free bug in
> the simplified libpng API png_image_free(). It has been assigned
> ID [CVE-2019-7317](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317).
> The vulnerability is fixed in version 1.6.37,
> released on 15 April 2019.

Before this ticket we have libpng 1.6.29 which
has the vulnerability. This ticket upgrades to
libpng 1.6.37 which fixes it.
Previous update: #22159 (1.6.29)
Tarball: see checksums.ini
CC: @jpflori @frederichan-IMJPRG @tscrim @slel @dimpase
Component: packages: standard
Author: Matthias Koeppe
Reviewer: Dima Pasechnik
Issue created by migration from https://trac.sagemath.org/ticket/30564
Author: Matthias Koeppe
Description changed:
---
+++
@@ -1,4 +1,17 @@
-http://www.libpng.org/pub/png/libpng.html
+The [libpng homepage](http://www.libpng.org/pub/png/libpng.html) warns:
+
+> Vulnerability Warning
+>
+>
+> libpng versions 1.6.36 and earlier have a use-after-free bug in
+> the simplified libpng API png_image_free(). It has been assigned
+> ID [CVE-2019-7317](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317).
+> The vulnerability is fixed in version 1.6.37,
+> released on 15 April 2019.
+
+Before this ticket we have libpng 1.6.29 which
+has the vulnerability. This ticket upgrades to
+libpng 1.6.37 which fixes it.
Previous update: #22159 (1.6.29)
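Review bot: the quoted warning carries two consecutive empty `>` lines between "Vulnerability Warning" and the "libpng versions 1.6.36 and earlier" sentence; a single `>` separator renders the same blockquote and avoids the stray blank line. Otherwise the new description reads clearly: it names the affected API (`png_image_free()`), links the CVE, and states both the currently shipped version (1.6.29) and the fixed one (1.6.37).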
lgtm
Reviewer: Dima Pasechnik
Thanks!
Changed branch from u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_ to d6c59f4
************************************************************************
Traceback (most recent call last):
File "setup.py", line 48, in <module>
from sage_setup.command.sage_build_cython import sage_build_cython
File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/command/sage_build_cython.py", line 19, in <module>
from sage_setup.library_order import library_order
File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/library_order.py", line 35, in <module>
png_pc = pkgconfig.parse('libpng')
File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 248, in parse
_raise_if_not_exists(package)
File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 103, in _raise_if_not_exists
raise PackageNotFoundError(package)
pkgconfig.pkgconfig.PackageNotFoundError: libpng not found
************************************************************************
hmm, libpng installs an unversioned libpng.pc, which is a link to libpng16.pc - could it be that pkgconfig.parse('libpng') does not like it (on macOS - it seems)?
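To make the pkg-config question above concrete, the following is an added example (not code from the Sage ticket, from libpng or from the `pkgconfig` module): it models the lookup `pkgconfig.parse('libpng')` performs, following an unversioned `libpng.pc` that is a symlink to `libpng16.pc`, parses the `Version:` field, and gates on 1.6.37, the release the libpng homepage names as fixing CVE-2019-7317. The `.pc` contents, the `/opt/sage/local` prefix and the temporary directory layout are constructed for the demonstration; real installs put the file under `<prefix>/lib/pkgconfig`.

```python
"""Find a pkg-config .pc file (following symlinks), parse it, and check the
libpng version against the CVE-2019-7317 fix release. Added example; the
directory layout and .pc contents below are constructed, not a real install."""
import os
import re
import tempfile
from pathlib import Path

# Version in which the libpng homepage says the png_image_free() bug is fixed.
LIBPNG_FIXED_VERSION = (1, 6, 37)


def parse_pc(pc_path):
    """Return the keyword fields (Name, Version, Libs, ...) of a .pc file.

    Lines of the form `name=value` are pkg-config variables; lines of the
    form `Key: value` are fields. ${name} references in field values are
    expanded, so `Libs: -L${libdir}` resolves to a concrete directory.
    """
    variables, fields = {}, {}
    for raw in Path(pc_path).read_text().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            key, _, value = line.partition("=")
            variables[key.strip()] = value.strip()
        elif colon != -1:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()

    def expand(text):
        # Loop because variables may reference other variables.
        previous = None
        while previous != text:
            previous = text
            text = re.sub(r"\$\{(\w+)\}",
                          lambda m: variables.get(m.group(1), ""), text)
        return text

    return {key: expand(value) for key, value in fields.items()}


def find_pc(name, search_dirs):
    """Return the resolved .pc path for `name` from the first directory that
    has it. Path.exists() follows symlinks, so an unversioned libpng.pc that
    points at libpng16.pc is found and resolved to its target; a dangling
    link counts as missing, which is the 'not found' case seen in the build."""
    for directory in search_dirs:
        candidate = Path(directory) / f"{name}.pc"
        if candidate.exists():
            return candidate.resolve()
    raise FileNotFoundError(f"{name} not found")


def version_tuple(text):
    """'1.6.37' -> (1, 6, 37); extra suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def libpng_is_patched(search_dirs, name="libpng"):
    """Return (patched?, version string) for the libpng that pkg-config finds."""
    info = parse_pc(find_pc(name, search_dirs))
    return version_tuple(info["Version"]) >= LIBPNG_FIXED_VERSION, info["Version"]


def make_demo_pkgconfig_dir(version):
    """Constructed sample: a pkgconfig dir holding libpng16.pc plus the
    unversioned libpng.pc symlink that a libpng install creates."""
    directory = Path(tempfile.mkdtemp())
    (directory / "libpng16.pc").write_text(
        "prefix=/opt/sage/local\n"            # assumed prefix (constructed)
        "exec_prefix=${prefix}\n"
        "libdir=${exec_prefix}/lib\n"
        "includedir=${prefix}/include/libpng16\n"
        "\n"
        "Name: libpng\n"
        "Description: Loads and saves PNG files\n"
        f"Version: {version}\n"
        "Libs: -L${libdir} -lpng16\n"
        "Cflags: -I${includedir}\n"
    )
    os.symlink("libpng16.pc", directory / "libpng.pc")
    return directory


if __name__ == "__main__":
    for ver in ("1.6.29", "1.6.37"):
        demo = make_demo_pkgconfig_dir(ver)
        patched, found = libpng_is_patched([demo])
        print(f"libpng {found}: {'fixed' if patched else 'affected by CVE-2019-7317'}")
```

Running the script reports 1.6.29 as affected and 1.6.37 as fixed; the same `find_pc`/`parse_pc` pair can be pointed at a real `lib/pkgconfig` directory to see whether the unversioned `libpng.pc` resolves there, which is the first thing to check when `pkgconfig.parse('libpng')` raises `PackageNotFoundError`.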
Moving to 9.4, as 9.3 has been released.