From a40189cf881e9f0db80511c382292a5604c3c3d1 Mon Sep 17 00:00:00 2001 From: Cosmin Truta Date: Sun, 14 Apr 2019 14:10:32 -0400 Subject: [PATCH] Release libpng version 1.6.37 --- ANNOUNCE | 74 +++++++++-------------------------- CHANGES | 41 ++++++++++++------- CMakeLists.txt | 2 +- README | 4 +- configure | 22 +++++------ configure.ac | 4 +- libpng-manual.txt | 8 ++-- libpng.3 | 14 +++---- libpngpf.3 | 4 +- png.5 | 4 +- png.c | 4 +- png.h | 19 ++++----- pngconf.h | 6 +-- pngtest.c | 2 +- scripts/libpng-config-head.in | 2 +- scripts/libpng.pc.in | 2 +- scripts/makefile.netbsd | 2 +- scripts/makefile.openbsd | 2 +- scripts/pnglibconf.h.prebuilt | 2 +- 19 files changed, 95 insertions(+), 123 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 9152691d64..ecf9c7043b 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,13 +1,5 @@ -libpng 1.6.37.git -================= - -This is a development version, not intended to be a public release. -It will be replaced by a public release, or by another development -version, at a later time. - - -libpng 1.6.36 - December 1, 2018 -================================ +libpng 1.6.37 - April 14, 2019 +============================== This is a public release of libpng, intended for use in production code. @@ -17,13 +9,13 @@ Files available for download Source files with LF line endings (for Unix/Linux): - * libpng-1.6.36.tar.xz (LZMA-compressed, recommended) - * libpng-1.6.36.tar.gz + * libpng-1.6.37.tar.xz (LZMA-compressed, recommended) + * libpng-1.6.37.tar.gz Source files with CRLF line endings (for Windows): - * lp1636.7z (LZMA-compressed, recommended) - * lp1636.zip + * lp1637.7z (LZMA-compressed, recommended) + * lp1637.zip Other information: @@ -33,50 +25,20 @@ Other information: * TRADEMARK.md -IMPORTANT licensing update: libpng license v2 ---------------------------------------------- - -The new libpng license comprises the terms and conditions from the zlib -license, and the disclaimer from the Boost license. - -The legacy libpng license, used until libpng-1.6.35, is appended to the -new license, following the precedent established in the Python Software -Foundation License version 2. - -From now on, the list of contributing authors shall be maintained in a -separate AUTHORS file. The lists of previous contributing authors, -mentioned in the legacy libpng license and considered to be an integral -part of that license, are kept intact, with no further updates. - - -Changes since the previous public release (version 1.6.35) +Changes since the previous public release (version 1.6.36) ---------------------------------------------------------- - * Optimized png_do_expand_palette for ARM processors. - Improved performance by around 10-22% on a recent ARM Chromebook. - (Contributed by Richard Townsend, ARM Holdings) - * Fixed manipulation of machine-specific optimization options. - (Contributed by Vicki Pfau) - * Used memcpy instead of manual pointer arithmetic on Intel SSE2. - (Contributed by Samuel Williams) - * Fixed build errors with MSVC on ARM64. - (Contributed by Zhijie Liang) - * Fixed detection of libm in CMakeLists. - (Contributed by Cameron Cawley) - * Fixed incorrect creation of pkg-config file in CMakeLists. - (Contributed by Kyle Bentley) - * Fixed the CMake build on Windows MSYS by avoiding symlinks. - * Fixed a build warning on OpenBSD. - (Contributed by Theo Buehler) - * Fixed various typos in comments. - (Contributed by "luz.paz") - * Raised the minimum required CMake version from 3.0.2 to 3.1. - * Removed yet more of the vestigial support for pre-ANSI C compilers. - * Removed ancient makefiles for ancient systems that have been broken - across all previous libpng-1.6.x versions. - * Removed the Y2K compliance statement and the export control - information. - * Applied various code style and documentation fixes. + * Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free. + * Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette. + * Fixed a memory leak in pngtest.c. + * Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in + contrib/pngminus; refactor. + * Changed the license of contrib/pngminus to MIT; refresh makefile and docs. + (Contributed by Willem van Schaik) + * Fixed a typo in the libpng license v2. + (Contributed by Miguel Ojeda) + * Added makefiles for AddressSanitizer-enabled builds. + * Cleaned up various makefiles. Send comments/corrections/commendations to png-mng-implement at lists.sf.net. diff --git a/CHANGES b/CHANGES index fbb437c5e8..f0b0a9342c 100644 --- a/CHANGES +++ b/CHANGES @@ -6066,33 +6066,44 @@ Version 1.6.35 [July 15, 2018] Version 1.6.36 [December 1, 2018] Optimized png_do_expand_palette for ARM processors. Improved performance by around 10-22% on a recent ARM Chromebook. - (Contributed by Richard Townsend, ARM Holdings) + (Contributed by Richard Townsend, ARM Holdings) Fixed manipulation of machine-specific optimization options. - (Contributed by Vicki Pfau) + (Contributed by Vicki Pfau) Used memcpy instead of manual pointer arithmetic on Intel SSE2. - (Contributed by Samuel Williams) + (Contributed by Samuel Williams) Fixed build errors with MSVC on ARM64. - (Contributed by Zhijie Liang) + (Contributed by Zhijie Liang) Fixed detection of libm in CMakeLists. - (Contributed by Cameron Cawley) + (Contributed by Cameron Cawley) Fixed incorrect creation of pkg-config file in CMakeLists. - (Contributed by Kyle Bentley) + (Contributed by Kyle Bentley) Fixed the CMake build on Windows MSYS by avoiding symlinks. Fixed a build warning on OpenBSD. - (Contributed by Theo Buehler) + (Contributed by Theo Buehler) Fixed various typos in comments. - (Contributed by "luz.paz") + (Contributed by "luz.paz") Raised the minimum required CMake version from 3.0.2 to 3.1. Removed yet more of the vestigial support for pre-ANSI C compilers. Removed ancient makefiles for ancient systems that have been broken - across all previous libpng-1.6.x versions. + across all previous libpng-1.6.x versions. Removed the Y2K compliance statement and the export control - information. + information. Applied various code style and documentation fixes. -Version 1.6.37 [TODO] - -Send comments/corrections/commendations to png-mng-implement at lists.sf.net -(subscription required; visit +Version 1.6.37 [April 14, 2019] + Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free. + Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette. + Fixed a memory leak in pngtest.c. + Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in + contrib/pngminus; refactor. + Changed the license of contrib/pngminus to MIT; refresh makefile and docs. + (Contributed by Willem van Schaik) + Fixed a typo in the libpng license v2. + (Contributed by Miguel Ojeda) + Added makefiles for AddressSanitizer-enabled builds. + Cleaned up various makefiles. + +Send comments/corrections/commendations to png-mng-implement at lists.sf.net. +Subscription is required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement -to subscribe). +to subscribe. diff --git a/CMakeLists.txt b/CMakeLists.txt index ab59eb944b..6451fcf1bc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -838,7 +838,7 @@ endif() # SET UP LINKS if(PNG_SHARED) set_target_properties(png PROPERTIES -# VERSION 16.${PNGLIB_RELEASE}.1.6.37.git +# VERSION 16.${PNGLIB_RELEASE}.1.6.37 VERSION 16.${PNGLIB_RELEASE}.0 SOVERSION 16 CLEAN_DIRECT_OUTPUT 1) diff --git a/README b/README index 2bb741cc1f..cfc1f0e3dc 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ -README for libpng version 1.6.37.git -==================================== +README for libpng version 1.6.37 - April 14, 2019 +================================================= See the note about version numbers near the top of png.h. See INSTALL for instructions on how to install libpng. diff --git a/configure b/configure index 06e0b71609..1b2c46366b 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libpng 1.6.37.git. +# Generated by GNU Autoconf 2.69 for libpng 1.6.37. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libpng' PACKAGE_TARNAME='libpng' -PACKAGE_VERSION='1.6.37.git' -PACKAGE_STRING='libpng 1.6.37.git' +PACKAGE_VERSION='1.6.37' +PACKAGE_STRING='libpng 1.6.37' PACKAGE_BUGREPORT='png-mng-implement@lists.sourceforge.net' PACKAGE_URL='' @@ -1372,7 +1372,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libpng 1.6.37.git to adapt to many kinds of systems. +\`configure' configures libpng 1.6.37 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1442,7 +1442,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libpng 1.6.37.git:";; + short | recursive ) echo "Configuration of libpng 1.6.37:";; esac cat <<\_ACEOF @@ -1622,7 +1622,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libpng configure 1.6.37.git +libpng configure 1.6.37 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1954,7 +1954,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libpng $as_me 1.6.37.git, which was +It was created by libpng $as_me 1.6.37, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2825,7 +2825,7 @@ fi # Define the identity of the package. PACKAGE='libpng' - VERSION='1.6.37.git' + VERSION='1.6.37' cat >>confdefs.h <<_ACEOF @@ -2946,7 +2946,7 @@ fi -PNGLIB_VERSION=1.6.37.git +PNGLIB_VERSION=1.6.37 PNGLIB_MAJOR=1 PNGLIB_MINOR=6 PNGLIB_RELEASE=37 @@ -14354,7 +14354,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libpng $as_me 1.6.37.git, which was +This file was extended by libpng $as_me 1.6.37, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14420,7 +14420,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libpng config.status 1.6.37.git +libpng config.status 1.6.37 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 86bc0b3764..52dba94b4b 100644 --- a/configure.ac +++ b/configure.ac @@ -25,7 +25,7 @@ AC_PREREQ([2.68]) dnl Version number stuff here: -AC_INIT([libpng],[1.6.37.git],[png-mng-implement@lists.sourceforge.net]) +AC_INIT([libpng],[1.6.37],[png-mng-implement@lists.sourceforge.net]) AC_CONFIG_MACRO_DIR([scripts]) # libpng does not follow GNU file name conventions (hence 'foreign') @@ -46,7 +46,7 @@ dnl automake, so the following is not necessary (and is not defined anyway): dnl AM_PREREQ([1.11.2]) dnl stop configure from automagically running automake -PNGLIB_VERSION=1.6.37.git +PNGLIB_VERSION=1.6.37 PNGLIB_MAJOR=1 PNGLIB_MINOR=6 PNGLIB_RELEASE=37 diff --git a/libpng-manual.txt b/libpng-manual.txt index 19cfed28ad..5dad92fbf7 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt @@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - Copyright (c) 2018 Cosmin Truta + Copyright (c) 2018-2019 Cosmin Truta Copyright (c) 1998-2018 Glenn Randers-Pehrson This document is released under the libpng license. @@ -9,11 +9,11 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng version 1.6.36 - December 1, 2018 + libpng version 1.6.36, December 2018, through 1.6.37 - April 2019 Updated and distributed by Cosmin Truta - Copyright (c) 2018 Cosmin Truta + Copyright (c) 2018-2019 Cosmin Truta - libpng versions 0.97, January 1998, through 1.6.35 - July 15, 2018 + libpng versions 0.97, January 1998, through 1.6.35 - July 2018 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2018 Glenn Randers-Pehrson diff --git a/libpng.3 b/libpng.3 index 9757debccd..f37423540d 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,6 +1,6 @@ -.TH LIBPNG 3 "December 1, 2018" +.TH LIBPNG 3 "April 14, 2019" .SH NAME -libpng \- Portable Network Graphics (PNG) Reference Library 1.6.36 +libpng \- Portable Network Graphics (PNG) Reference Library 1.6.37 .SH SYNOPSIS \fB#include \fP @@ -519,7 +519,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - Copyright (c) 2018 Cosmin Truta + Copyright (c) 2018-2019 Cosmin Truta Copyright (c) 1998-2018 Glenn Randers-Pehrson This document is released under the libpng license. @@ -528,11 +528,11 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng version 1.6.36 - December 1, 2018 + libpng version 1.6.36, December 2018, through 1.6.37 - April 2019 Updated and distributed by Cosmin Truta - Copyright (c) 2018 Cosmin Truta + Copyright (c) 2018-2019 Cosmin Truta - libpng versions 0.97, January 1998, through 1.6.35 - July 15, 2018 + libpng versions 0.97, January 1998, through 1.6.35 - July 2018 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2018 Glenn Randers-Pehrson @@ -6045,8 +6045,6 @@ Maintained by Cosmin Truta. Supported by the PNG development group .br -png-mng-implement at lists.sf.net -(subscription required; visit png-mng-implement at lists.sourceforge.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe). diff --git a/libpngpf.3 b/libpngpf.3 index b736d82c40..6909c70a3d 100644 --- a/libpngpf.3 +++ b/libpngpf.3 @@ -1,6 +1,6 @@ -.TH LIBPNGPF 3 "December 1, 2018" +.TH LIBPNGPF 3 "April 14, 2019" .SH NAME -libpng \- Portable Network Graphics (PNG) Reference Library 1.6.36 +libpng \- Portable Network Graphics (PNG) Reference Library 1.6.37 (private functions) .SH SYNOPSIS diff --git a/png.5 b/png.5 index 2077d1f2af..c2da95c458 100644 --- a/png.5 +++ b/png.5 @@ -1,4 +1,4 @@ -.TH PNG 5 "December 1, 2018" +.TH PNG 5 "April 14, 2019" .SH NAME png \- Portable Network Graphics (PNG) format @@ -60,7 +60,7 @@ Thomas Boutell and others (png-list). .LP This man page is .br -Copyright (c) 2018 Cosmin Truta. +Copyright (c) 2018-2019 Cosmin Truta. .br Copyright (c) 1998-2006 Glenn Randers-Pehrson. .br diff --git a/png.c b/png.c index efd1aecfbd..757c755f97 100644 --- a/png.c +++ b/png.c @@ -14,7 +14,7 @@ #include "pngpriv.h" /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_37_git Your_png_h_is_not_version_1_6_37_git; +typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37; #ifdef __GNUC__ /* The version tests may need to be added to, but the problem warning has @@ -815,7 +815,7 @@ png_get_copyright(png_const_structrp png_ptr) return PNG_STRING_COPYRIGHT #else return PNG_STRING_NEWLINE \ - "libpng version 1.6.37.git" PNG_STRING_NEWLINE \ + "libpng version 1.6.37" PNG_STRING_NEWLINE \ "Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \ PNG_STRING_NEWLINE \ diff --git a/png.h b/png.h index 8361274831..139eb0dc0f 100644 --- a/png.h +++ b/png.h @@ -1,7 +1,7 @@ /* png.h - header file for PNG reference library * - * libpng version 1.6.37.git + * libpng version 1.6.37 - April 14, 2019 * * Copyright (c) 2018-2019 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson @@ -14,8 +14,9 @@ * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger * libpng versions 0.97, January 1998, through 1.6.35, July 2018: - * Glenn Randers-Pehrson. - * libpng version 1.6.36, December 1, 2018: Cosmin Truta + * Glenn Randers-Pehrson + * libpng versions 1.6.36, December 2018, through 1.6.37, April 2019: + * Cosmin Truta * See also "Contributing Authors", below. */ @@ -238,7 +239,7 @@ * ... * 1.5.30 15 10530 15.so.15.30[.0] * ... - * 1.6.36 16 10636 16.so.16.36[.0] + * 1.6.37 16 10637 16.so.16.37[.0] * * Henceforth the source version will match the shared-library major and * minor numbers; the shared-library major version number will be used for @@ -277,8 +278,8 @@ */ /* Version information for png.h - this should match the version in png.c */ -#define PNG_LIBPNG_VER_STRING "1.6.37.git" -#define PNG_HEADER_VERSION_STRING " libpng version 1.6.37.git\n" +#define PNG_LIBPNG_VER_STRING "1.6.37" +#define PNG_HEADER_VERSION_STRING " libpng version 1.6.37 - April 14, 2019\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 @@ -291,7 +292,7 @@ /* This should be zero for a public release, or non-zero for a * development version. [Deprecated] */ -#define PNG_LIBPNG_VER_BUILD 1 +#define PNG_LIBPNG_VER_BUILD 0 /* Release Status */ #define PNG_LIBPNG_BUILD_ALPHA 1 @@ -308,7 +309,7 @@ #define PNG_LIBPNG_BUILD_SPECIAL 32 /* Cannot be OR'ed with PNG_LIBPNG_BUILD_PRIVATE */ -#define PNG_LIBPNG_BUILD_BASE_TYPE PNG_LIBPNG_BUILD_BETA +#define PNG_LIBPNG_BUILD_BASE_TYPE PNG_LIBPNG_BUILD_STABLE /* Careful here. At one time, Guy wanted to use 082, but that * would be octal. We must not include leading zeros. @@ -427,7 +428,7 @@ extern "C" { /* This triggers a compiler error in png.c, if png.c and png.h * do not agree upon the version number. */ -typedef char* png_libpng_version_1_6_37_git; +typedef char* png_libpng_version_1_6_37; /* Basic control structions. Read libpng-manual.txt or libpng.3 for more info. * diff --git a/pngconf.h b/pngconf.h index 35a4ebbd8a..927a769dbe 100644 --- a/pngconf.h +++ b/pngconf.h @@ -1,9 +1,9 @@ -/* pngconf.h - machine configurable file for libpng +/* pngconf.h - machine-configurable file for libpng * - * libpng version 1.6.37.git + * libpng version 1.6.37 * - * Copyright (c) 2018 Cosmin Truta + * Copyright (c) 2018-2019 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. diff --git a/pngtest.c b/pngtest.c index f305d08dc9..a715ae1123 100644 --- a/pngtest.c +++ b/pngtest.c @@ -2155,4 +2155,4 @@ main(void) #endif /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_37_git Your_png_h_is_not_version_1_6_37_git; +typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37; diff --git a/scripts/libpng-config-head.in b/scripts/libpng-config-head.in index acb8144c27..2a5afb46a2 100644 --- a/scripts/libpng-config-head.in +++ b/scripts/libpng-config-head.in @@ -11,7 +11,7 @@ # Modeled after libxml-config. -version=1.6.37.git +version=1.6.37 prefix="" libdir="" libs="" diff --git a/scripts/libpng.pc.in b/scripts/libpng.pc.in index 81ccdb8450..416fefe86e 100644 --- a/scripts/libpng.pc.in +++ b/scripts/libpng.pc.in @@ -5,6 +5,6 @@ includedir=@includedir@/libpng16 Name: libpng Description: Loads and saves PNG files -Version: 1.6.37.git +Version: 1.6.37 Libs: -L${libdir} -lpng16 Cflags: -I${includedir} diff --git a/scripts/makefile.netbsd b/scripts/makefile.netbsd index 728abaffc4..9a6b04629a 100644 --- a/scripts/makefile.netbsd +++ b/scripts/makefile.netbsd @@ -14,7 +14,7 @@ MANDIR= ${LOCALBASE}/man INCSDIR=${LOCALBASE}/include SHLIB_MAJOR= 16 -SHLIB_MINOR= 1.6.37.git +SHLIB_MINOR= 1.6.37 LIB= png SRCS= png.c pngerror.c pngget.c pngmem.c pngpread.c \ diff --git a/scripts/makefile.openbsd b/scripts/makefile.openbsd index f492aeee41..ad5ffb3a3e 100644 --- a/scripts/makefile.openbsd +++ b/scripts/makefile.openbsd @@ -11,7 +11,7 @@ LIBDIR= ${PREFIX}/lib MANDIR= ${PREFIX}/man/cat SHLIB_MAJOR= 16 -SHLIB_MINOR= 1.6.37.git +SHLIB_MINOR= 1.6.37 LIB= png SRCS= png.c pngerror.c pngget.c pngmem.c pngpread.c \ diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt index 9f83b7eff5..e1e27e957e 100644 --- a/scripts/pnglibconf.h.prebuilt +++ b/scripts/pnglibconf.h.prebuilt @@ -1,6 +1,6 @@ /* pnglibconf.h - library build configuration */ -/* libpng version 1.6.37.git */ +/* libpng version 1.6.37 */ /* Copyright (c) 2018-2019 Cosmin Truta */ /* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */