* [Buildroot] [PATCH] libpng: security bump to version 1.6.20
@ 2015-12-03 21:48 Gustavo Zacarias
2015-12-04 20:46 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Gustavo Zacarias @ 2015-12-03 21:48 UTC (permalink / raw)
To: buildroot
Fixes:
CVE-2015-8126 - incorrect implementation of png_set_PLTE() that uses
png_ptr not info_ptr, that left png_set_PLTE() open to this vuln.
(fix in previous release was incomplete)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
package/libpng/libpng.hash | 6 +++---
package/libpng/libpng.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libpng/libpng.hash b/package/libpng/libpng.hash
index a26538d..264dd45 100644
--- a/package/libpng/libpng.hash
+++ b/package/libpng/libpng.hash
@@ -1,3 +1,3 @@
-# From http://sourceforge.net/projects/libpng/files/libpng16/1.6.19/
-md5 1e6a458429e850fc93c1f3b6dc00a48f libpng-1.6.19.tar.xz
-sha1 483d72ced11c9258f9d1119105273d9af9ff151c libpng-1.6.19.tar.xz
+# From http://sourceforge.net/projects/libpng/files/libpng16/1.6.20/
+md5 3968acb7c66ef81a9dab867f35d0eb4b libpng-1.6.20.tar.xz
+sha1 c4f02051e0b86613076ce390fd15824f3506a148 libpng-1.6.20.tar.xz
diff --git a/package/libpng/libpng.mk b/package/libpng/libpng.mk
index 649a3e0..36ccf83 100644
--- a/package/libpng/libpng.mk
+++ b/package/libpng/libpng.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBPNG_VERSION = 1.6.19
+LIBPNG_VERSION = 1.6.20
LIBPNG_SERIES = 16
LIBPNG_SOURCE = libpng-$(LIBPNG_VERSION).tar.xz
LIBPNG_SITE = http://downloads.sourceforge.net/project/libpng/libpng${LIBPNG_SERIES}/$(LIBPNG_VERSION)
--
2.4.10
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] libpng: security bump to version 1.6.20
2015-12-03 21:48 [Buildroot] [PATCH] libpng: security bump to version 1.6.20 Gustavo Zacarias
@ 2015-12-04 20:46 ` Peter Korsgaard
2015-12-04 20:55 ` Gustavo Zacarias
0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2015-12-04 20:46 UTC (permalink / raw)
To: buildroot
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
> Fixes:
> CVE-2015-8126 - incorrect implementation of png_set_PLTE() that uses
> png_ptr not info_ptr, that left png_set_PLTE() open to this vuln.
> (fix in previous release was incomplete)
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Committed, thanks.
Should this also be applied to the 2015.11.x branch?
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] libpng: security bump to version 1.6.20
2015-12-04 20:46 ` Peter Korsgaard
@ 2015-12-04 20:55 ` Gustavo Zacarias
2015-12-04 20:59 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Gustavo Zacarias @ 2015-12-04 20:55 UTC (permalink / raw)
To: buildroot
On 04/12/15 17:46, Peter Korsgaard wrote:
> Committed, thanks.
>
> Should this also be applied to the 2015.11.x branch?
Hi, yes, recommended if the plan is to throw security updates back at it
as well.
Regards.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] libpng: security bump to version 1.6.20
2015-12-04 20:55 ` Gustavo Zacarias
@ 2015-12-04 20:59 ` Peter Korsgaard
0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2015-12-04 20:59 UTC (permalink / raw)
To: buildroot
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
> On 04/12/15 17:46, Peter Korsgaard wrote:
>> Committed, thanks.
>>
>> Should this also be applied to the 2015.11.x branch?
> Hi, yes, recommended if the plan is to throw security updates back at
> it as well.
> Regards.
Well, I would like to keep it to as few patches as possible to keep the
risk of additional breakage low, but if these are really important fixes
then I think we should take them.
I've added it to the branch now, thanks.
--
Venlig hilsen,
Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-12-04 20:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-03 21:48 [Buildroot] [PATCH] libpng: security bump to version 1.6.20 Gustavo Zacarias
2015-12-04 20:46 ` Peter Korsgaard
2015-12-04 20:55 ` Gustavo Zacarias
2015-12-04 20:59 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.