APNG support on main libpng library? #267
Comments
|
Hello, ping? |
|
Indeed, it is suboptimal to keep PNG and APNG separate. The original reason was that APNG failed the vote at the PNG group. Since then, though, APNG has become widely supported so in my opinion it makes sense to add to the main PNG specification and also to roll in the patches to libpng. I did suggest discussion and a re-vote, in Sept 2017 but there was little response. |
|
I guess it could work, if somebody would bring it to our lists and drive the Call For Discussion / Call For Vote, and also advocate it if necessary. If implementation and maintenance of a libpng patch is the only problem, then the necessity of a patch (as opposed to a properly-implemented set of callbacks) is a libpng design problem that needs fixing. If that's indeed the case, then I guess I can say it's the biggest libpng design problem. Then it is libpng (not PNG) that truly needs fixing. |
|
@ctruta can you please do it? I admit I didn't even understand your last comment... |
|
@ctruta wrote:
I tried that some years ago, but there was no real discussion and, like most proposals over the last few years, nothing happened. Meanwhile the PNG specification is badly needing maintenance. There are many errata reported since 2003. To help with that, I forked the W3C PNG specification to make an Editors Draft. Each reported erratum is raised as a GitHub issue and the clear and obvious ones I have rolled into the Editors Draft so the changes can be viewed in place. The others need to be discussed. I don't think the original PNG mailing list is the right way to handle specification maintenance anymore. The discussion procedure is baroque, there is a poor record of discussing or adopting proposals, and momentum has ground to a halt. I think an open W3C Working Group is the better way to handle this. Beyond just maintenance though, there is a clear need to re-align the PNG specification with widely-implemented reality, especially as regards APNG. An updated PNG Specification which incorporates APNG would then allow libpng to incorporate support directly, rather than a plethora of ad-hoc patches, forks, or other means to support it. Cosmin, I would really value your comments on this path forwards. Continued alignment between the PNG specification and libpng is very important. libpng is being held back by the brokenness of the current PNG spec maintenance process. |
|
The PNG mailing list is the sourceforge libpng mailing list? It seems very inactive but it might be a good idea to at least post this here. In a recent discussion one or two members of that mailing list did not know/were surprised that development of libpng is continuing under the late Glenn Randers-Pehrson's github account. Also Cosmin Truta seems not to have very much time to devote at the moment, so it might be good if there was at least one other member with ability to commit here. |
|
Do you have a pointer to the recent discussion? Last relevant mail about libpng which I see in the PNG Group archives is 2019-06-18 05:21:38 from Cosmin. Ah! You mean png-mng-implement (at) lists.sourceforge.net. I'm not subscribed but sure, it makes sense to post there too. |
Good idea, done. |
balabit-sync
pushed a commit
to balabit-deps/balabit-os-8-libpng1.6
that referenced
this issue
Nov 14, 2022
libpng1.6 (1.6.37-2) unstable; urgency=medium
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database, Repository, Repository-
Browse.
* Rely on pre-initialized dpkg-architecture variables.
* Fix day-of-week for changelog entry 1.0.0-0.1.
* Set upstream metadata fields: Bug-Submit.
[ Gianfranco Costamagna ]
* Bump std-version to 4.5.0, no changes required
libpng1.6 (1.6.37-1) unstable; urgency=medium
* Upload to unstable
libpng1.6 (1.6.37-1~exp4) experimental; urgency=medium
* debian/patches/72fa126446460347a504f3d9b90f24aed1365595.patch:
- cherry-pick upstream possible fix for tests not being parallel-safe
(Closes: #920657)
libpng1.6 (1.6.37-1~exp3) experimental; urgency=medium
* Fix two lintian warnings:
- drop upstream signing key, upstream seems to have stopped tarball
signatures when moved to github (see upstream issue: #287)
- double "version" tag in debian/watch
libpng1.6 (1.6.37-1~exp2) experimental; urgency=medium
* Simplify tests, by not passing the .libs directory during their
execution
libpng1.6 (1.6.37-1~exp1) experimental; urgency=medium
* New upstream version 1.6.37
- upload to experimental because of freeze
* Update watch file for github publish site
* Update copyright years and text for pngminus
* Drop all upstream patches, patch refresh for apng patch
* Bump compat level to 12
libpng1.6 (1.6.36-6) unstable; urgency=medium
* Upload to unstable
libpng1.6 (1.6.36-5exp1) experimental; urgency=medium
* Drop Anibal from uploaders list,
thank you for your nice work! (Closes: #925014)
* Update copyright years.
* Drop patch 272.patch, superseeded by upstream commits:
70d122aac42933ab8a708c538f973c3307853212.patch (uncommented)
82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch
a627bd26a375f5c41d54f90a47c838157d1bec97.patch
libpng1.6 (1.6.36-5) unstable; urgency=medium
* Tweak old 272 patch to add the only relevant part of commit
70d122aac42933ab8a708c538f973c3307853212.patch
* Drop 70d122aac42933ab8a708c538f973c3307853212.patch, it breaks the
testsuite.
libpng1.6 (1.6.36-4) unstable; urgency=high
* debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch,
debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch:
- new fixes for arm64 and general test failures (and leaks)
* debian/patches/CVE-2019-7317.patch:
- fix for CVE 2019-7317 (Closes: #921355)
Thanks Salvatore Bonaccorso for your report!
libpng1.6 (1.6.36-3) unstable; urgency=medium
* debian/patches/272.patch:
- upstream fix for arm64 test failures.
- drop previous revert-* patches
libpng1.6 (1.6.36-2) unstable; urgency=medium
* Update watch file for github location
* Add apng support, like what is done in arch linux
- pnggroup/libpng#267
* d/p/revert-{7734cda20cf1236aef60f3bbd2267c97bbb40869,
1ceaa83a844cd3ecef25279d60720f910b96f297,
b66ed711315c46ef6c556c83c0074ecdcbd9937f}.patch:
revert on arm64 only the chromebook optimizations, they are
making the build fail.
- discussion at pnggroup/libpng#266
[ Mattia Rizzolo ]
* Fixup std-version numbering
libpng1.6 (1.6.36-1) unstable; urgency=medium
* New upstream version 1.6.36
* update copyright file
* Bump std-version to 4.3.0.1, no changes required
* drop patch 8a057: upstream
* Add nocheck profile in rules file
[ Ondřej Nový <[email protected]> ]
* d/changelog: Remove trailing whitespaces
libpng1.6 (1.6.34-2) unstable; urgency=medium
[ Salvatore Bonaccorso ]
* debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch:
Closes: #903430
CVE-2018-13785
[ Gianfranco Costamagna ]
* Upload to unstable
* Switch VCS fields to salsa.d.o
* Bump std-version to 4.1.5, no changes required
* Switch copyright in https mode
libpng1.6 (1.6.34-1) unstable; urgency=medium
* New upstream version 1.6.34
* Remove files removed upstream (the failing png files)
libpng1.6 (1.6.33-1) unstable; urgency=medium
* New upstream version 1.6.33
* Drop idat patch: upstream
* Update copyright
* Bump std-version to 4.1.1
* Remove some new test png files that make testsuite fail
(they fail also on older libpng version, just they weren't available
status is tracked at https://sourceforge.net/p/libpng/bugs/271/ )
libpng1.6 (1.6.32-3) unstable; urgency=high
* Fix invalid IDAT images, thanks Felix Geyer for the debug/bug reassign!
(Closes: #876563)
libpng1.6 (1.6.32-2) unstable; urgency=medium
* Bump std-version to 4.1.0, now priority is extra
* Add missing newline on copyright entry, making lintian sad
* Move the examples into the main libpng-dev (Closes: #876244)
- thanks Helmut Grohne for the useful bug report!
libpng1.6 (1.6.32-1) unstable; urgency=medium
* New upstream version 1.6.32
* Update copyright file
libpng1.6 (1.6.31-1) unstable; urgency=medium
* New upstream release.
* Update d/watch to point to ftp site and to verify gpg signature.
* fix-arm-build.patch removed, fixed upstream.
* Update d/copyright (years and add new maintainers) and remove some
redudant entries.
libpng1.6 (1.6.30-2) unstable; urgency=medium
* Fix arm* build failures with upstream patch
(Closes: #867670)
libpng1.6 (1.6.30-1) unstable; urgency=medium
* New upstream release.
* Update copyright
* Bump std-version to 4.0.0
libpng1.6 (1.6.29-3) unstable; urgency=medium
* Upload to unstable
libpng1.6 (1.6.29-2) experimental; urgency=medium
* Enable PIE eveywhere
libpng1.6 (1.6.29-1) experimental; urgency=medium
* New upstream release.
- Drop fix multiarch patch: upstream
* Use autoreconf.
libpng1.6 (1.6.28-1exp4) experimental; urgency=medium
* Override autoreconf due to debhelper bug 844504
libpng1.6 (1.6.28-1exp3) experimental; urgency=medium
* No-autoreconf for cmake builds
libpng1.6 (1.6.28-1exp2) experimental; urgency=medium
* Readd multiarch patch, it was merged by
upstream on master but not on 1.6 branch
libpng1.6 (1.6.28-1exp1) experimental; urgency=medium
* Switch to cmake
libpng1.6 (1.6.28-1) unstable; urgency=medium
* New upstream release.
libpng1.6 (1.6.27-1) unstable; urgency=medium
* New upstream release (Closes: #849799)
- Fix for CVE-2016-10087
libpng1.6 (1.6.26-6) unstable; urgency=medium
* Enable pie in Debian, disable it in Ubuntu.
- thanks pochu :)
libpng1.6 (1.6.26-5) unstable; urgency=medium
* Revert cmake switch, failing on arm64.
libpng1.6 (1.6.26-4) unstable; urgency=low
* Upload to unstable.
* Disable pie where Ubuntu has not defaulted yet.
(armhf, arm64, powerpc)
libpng1.6 (1.6.26-3) experimental; urgency=medium
* Switch to cmake.
libpng1.6 (1.6.26-2) unstable; urgency=medium
* Enable full hardening (+pie) (Closes: #844429)
libpng1.6 (1.6.26-1) unstable; urgency=low
* New upstream release.
* Switch to compat level 10
- Drop autoreconf/parallel, automatically injected
libpng1.6 (1.6.25-2) unstable; urgency=medium
* Mark the -tools package Multi-Arch: foreign.
(Closes: #840446).
Thanks Francois Gourget for the bug report!
libpng1.6 (1.6.25-1) unstable; urgency=medium
* New upstream release.
libpng1.6 (1.6.24-2) unstable; urgency=medium
* Stop providing pngcp, because a tool with the same
name is provided by pngtools (Closes: #834119, #834118).
- Consider re-enabling it if ineeded, but for now the
tool has no manpage and no help command.
- An alternative might be to make pngtools and libpng-tools
conflict each others.
libpng1.6 (1.6.24-1) unstable; urgency=medium
* New upstream release.
- install also new pngcp tool in libpng-tools package.
libpng1.6 (1.6.23-1) unstable; urgency=medium
* New upstream release.
libpng1.6 (1.6.22-1) unstable; urgency=medium
* New upstream release.
- drop fix_define_PNG_READ_16_TO_8.patch: upstream
* Update copyright file.
libpng1.6 (1.6.21-5) unstable; urgency=medium
* d/control: Add VCS-* to repository on collab-maint.
* Add patch to properly define PNG_READ_16_TO_8_SUPPORTED (Closes: #824014)
* Add d/gbp.conf to ensure signed tags.
libpng1.6 (1.6.21-4) unstable; urgency=medium
* add libpng-config.patch from the old
src:libpng.
- disabling multiarch bits in libpng-config has
the "side-effect" to let us have a Multiarch libpng-dev package.
Closes: #822297
* Make the libpng-dev package Multiarch ready.
libpng1.6 (1.6.21-3) unstable; urgency=medium
[ Manuel A. Fernandez Montecelo ]
* Add hardening flags (excluding PIE. CLoses: #805822)
[ Gianfranco Costamagna ]
* Drop useless pre-depends line.
[ Bart Martens ]
* Fix watch file
[ Laurent Bigonville ]
* Drop useless packages in Replaces field. (Closes: #820887)
libpng1.6 (1.6.21-2) unstable; urgency=medium
* Upload to unstable.
* Add myself and Tobias to uploaders, as per maintainers
suggestion.
* Bump std-version to 3.9.8, no changes required.
libpng1.6 (1.6.21-1) experimental; urgency=medium
* Team upload.
* New upstream release.
* Add upstream signing key
* Fix watch file.
* Update copyright file.
* Drop libpng16-devtools, useless and merged in libpng-dev.
(many packages relies on that script for building correctly)
- breaks + replaces accordingly.
* Remove multiarch -dev package
* Rename libpng16-tools to libpng-tools, there is no need of
strict versioning here.
* Install upstream changelog.
* Run upstream testsuite.
* Remove README.* files, useless now.
libpng1.6 (1.6.20-3) experimental; urgency=medium
* Team upload
* Move libpng16-dev to libpng-dev, to ease next transitions.
* Drop conflicts against mzscheme, pngcrush, pngmeta,
povray-3.5, qemacs, some of them disappeared, some of
them have later versions already in old-oldstable.
* Simplify even more the packaging, probably fixing #813288
* Fix symlinks, and two lintian errors:
- library-in-root-and-usr
- old-style-config-script-multiarch-path
(multiarch: no for libpng16-devtools)
* Update standard-version to 3.9.7, no changes required.
* Switch to dh-autoreconf (Closes: #813027)
* Remove libpng16-devtools circular dependency, recommend it instead.
* Fix duplicate description lintian warning
* Fix copyright lintian warnings
* Remove copyright.in file
* Use new plain dh calls in rules file
* Remove some old lintian overrides.
libpng1.6 (1.6.20-2) experimental; urgency=medium
[ Tobias Frost ]
* libpng16-16-udeb should not Conflicts: libpng-12-0.
[ Anibal Monsalve Salazar ]
* debhelper compat version is 9.
* debian/control: libpng16-devtools is "Multi-Arch: same".
libpng1.6 (1.6.20-1.1) experimental; urgency=medium
* Non-maintainer upload.
* Preparation for the transition, going to experimental.
* Make libpng16-dev depend on libpng16-devtools to have libpng-config
pulled in automatically for reverse dependencies.
* Provide a so-name neutral devtools package
libpng1.6 (1.6.20-1) experimental; urgency=medium
* New upstream release.
Fix CVE-2015-8472.
Closes: #810074.
* Use default options to compress.
Remove debian/source/options.
libpng1.6 (1.6.19-1) experimental; urgency=medium
* New upstream release.
* Update lintian-overrides for 1.6.19.
libpng1.6 (1.6.16-1) experimental; urgency=medium
* New upstream release (Closes: #773823)
Fix CVE-2015-8540.
* Standards Version is 3.9.6.
* Update debian/copyright.
Add infomation of license for other all files.
* Update lintian-overrides for 1.6.16.
libpng1.6 (1.6.10-2) experimental; urgency=low
* Add libpng16-devtools package.
Move libpng-config to this package.
libpng1.6 (1.6.10-1) experimental; urgency=low
* New upstream release (Closes: #740585)
Fixed CVE-2014-0333.
* Update overrides files.
libpng1.6 (1.6.8-2) experimental; urgency=low
* Update debian/copyright. (Closes: #735737)
libpng1.6 (1.6.8-1) experimental; urgency=low
* New upstream release.
libpng1.6 (1.6.7-1) experimental; urgency=low
* New upstream release.
libpng (1.5.11-1) experimental; urgency=low
* New upstream release.
libpng (1.5.10-3) experimental; urgency=low
* Remove libpng12-dev binary package. libpng-dev provides and replaces
libpng12-dev.
libpng (1.5.10-2) experimental; urgency=low
* Add transition packages libpng3, libpng12-0 and libpng12-dev
libpng (1.5.10-1) experimental; urgency=high
* New upstream version 1.5.10
- Fix CVE-2011-3048 (memory corruption flaw)
Closes: 667475
* Standards Version is 3.9.3
libpng (1.5.9-1) experimental; urgency=low
* New upstream version 1.5.9
The purpose of this release is to fix the dangerous CVE-2011-3026.
The libpng patch is different from the one that was distributed
earlier by Chromium, in that the libpng user limit feature is not
crippled by the patch.
Remove 02-660026-CVE-2011-3026.patch
libpng (1.5.8-1) experimental; urgency=high
* New upstream release.
Fix a one-byte (stack) buffer-overrun bug in
png_formatted_warning(), which could lead to crashes (denial of
service) or, conceivably, execution of hostile code.
This vulnerability has been assigned ID CVE-2011-3464.
* Check for both truncation (64-bit platforms) and integer overflow
Fix CVE-2011-3026
Add 02-660026-CVE-2011-3026.patch
Closes: 660026
libpng (1.5.7-2) experimental; urgency=low
* Fix typo from PPFLAGS to CPPFLAGS.
libpng (1.5.7-1) experimental; urgency=low
* New upstream release.
* Update debian/rules.
Enabled hardened build flags. (Closes: #654149)
libpng (1.5.6-1) experimental; urgency=low
* New upstream release.
libpng (1.5.5-1) experimental; urgency=low
* New upstream release.
* Fix lintian error: udeb-uses-non-gzip-data-tarball.
Changed option of dh_builddeb for every package.
* Fix lintian warning: brace-expansion-in-debhelper-config-file.
Remove brace-expansion from debian/libpng-dev.install.
libpng (1.5.4-2) experimental; urgency=low
* Port Steve Langasek's changes for 1.2.46-1
- Build for multiarch. Closes: 634151
- Drop debian/libpng15-15-udeb.dirs, which just adds a pointless empty
directory to the udeb
* Update debian/docs and debian/libpng15-15.docs
* Add debian/libpng15-15.doc-base
* Build-Depend on autotools-dev
libpng (1.2.46-2) unstable; urgency=low
[ Steve Langasek ]
* Build for multiarch. Requires converting libpng3 from Arch: all to
Arch: any. Closes: 634151
* Drop debian/libpng12-0-udeb.dirs, which just adds a pointless empty
directory to the udeb.
[ Anibal Monsalve Salazar ]
* Fix doc-base file
Closes: 633944, 633957, 634120
* Pass "-Zbzip2 -z9" to dpkg-deb
libpng (1.5.4-1) experimental; urgency=low
* New upstream release (Closes: #633871).
- Fix CVE: CVE-2011-2690
Buffer overwrite in png_rgb_to_gray
- CVE: CVE-2011-2691
Crash in png_default_error due to use of NULL Pointer
- CVE: CVE-2011-2692
Memory corruption when handling empty sCAL chunks
- Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream.
libpng (1.2.46-1) unstable; urgency=high
* New upstream release (Closes: #633871).
- Fix CVE: CVE-2011-2690
Buffer overwrite in png_rgb_to_gray
- CVE: CVE-2011-2691
Crash in png_default_error due to use of NULL Pointer
- CVE: CVE-2011-2692
Memory corruption when handling empty sCAL chunks
- Update patches/01-legacy.patch
- Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream.
libpng (1.5.2-3) experimental; urgency=low
* Rename libpng15-dev to libpng-dev
libpng (1.5.2-2) experimental; urgency=low
* Fix 1-byte uninitialized memory reference in png_format_buffer()
Fix CVE-2011-2501
Add debian/patches/02-632786-CVE-2011-2501.patch
Closes: 632786
* Pass "-Zbzip2 -z9" to dpkg-deb
* Fix xc-package-type-in-debian-control
* Fix debian-rules-missing-recommended-target
libpng (1.2.44-3) unstable; urgency=high
* Fix 1-byte uninitialized memory reference in png_format_buffer()
Fix CVE-2011-2501
Add debian/patches/02-632786-CVE-2011-2501.patch
Closes: 632786
* Standards version is 3.9.2
* Fix xc-package-type-in-debian-control
* Fix debian-rules-missing-recommended-target
libpng (1.5.2-1) experimental; urgency=low
* New upstream release (Closes: #565821, #574257, #606867).
* Remove Sam Hocevar from Uploaders.
* Add myself to Uploaders.
* Remove libtool, automake and autoconf from Build-depends.
* Disable practice of autogen.sh from debian/rules.
* Remove support libpng3 package (Closes: #369104, #615558).
* Update debian/copyright.
- Update copyright holder.
- Add new license for contrib/pngsuite (Closes: #615558).
* Remove patches directory.
* Add libpng15-dev.lintian-overrides.
Overrides manpage-has-errors-from-man usr/share/man/man3/libpng.3.gz.
libpng (1.2.44-2) unstable; urgency=low
* debian/libpng3.links: fix up the compat symlink to point to /lib
Patch by Steve Langasek
Closes: #579074, LP: #284325
libpng (1.2.44-1) unstable; urgency=low
* New upstream release
Stop memory leak when reading a malformed sCAL chunk
libpng (1.2.43-1) unstable; urgency=high
* New upstream release
* Fix CVE-2010-0205 and Cert VU#576029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029
Do not stall and consume large quantities of memory while processing
certain Portable Network Graphics (PNG) files
Closes: 572308
libpng (1.2.42-2) unstable; urgency=low
* Merge 1.2.42-1ubuntu1
Move libpng from /usr/lib to /lib, so that plymouth is usable on
systems with a separate /usr.
* Fix out-of-date-standards-version
libpng (1.2.42-1ubuntu1) lucid; urgency=low
* Merge from Debian testing. Remaining changes:
- Move libpng from /usr/lib to /lib, so that plymouth is usable on
systems with a separate /usr.
libpng (1.2.42-1) unstable; urgency=low
* New upstream release
* Remove 02-export-png_set_strip_error_numbers.patch (merged)
* Fix debhelper-but-no-misc-depends
libpng (1.2.41-1ubuntu1) lucid; urgency=low
* Move libpng from /usr/lib to /lib, so that plymouth is usable on systems
with a separate /usr.
libpng (1.2.41-1) unstable; urgency=low
* New upstream release
* Debian source format is 3.0 (quilt)
* Update debian/watch
* Add 02-export-png_set_strip_error_numbers.patch
Define PNG_ERROR_NUMBERS_SUPPORTED
Upstream doesn't define PNG_ERROR_NUMBERS_SUPPORTED since 1.2.41. As
a consecuence, the symbol png_set_strip_error_numbe@@PNG12_0 wasn't
exported.
libpng (1.2.40-1) unstable; urgency=low
* New upstream release
libpng (1.2.39-1) unstable; urgency=low
* New upstream release
* Fix out-of-date-standards-version
* Fix patch-system-but-no-source-readme
libpng (1.2.38-1) unstable; urgency=low
* New upstream release
* Fix out-of-date-standards-version
* Update upstream homepage
Closes: 536474
libpng (1.2.37-1) unstable; urgency=low
* New upstream release
libpng (1.2.36-1) unstable; urgency=low
* New upstream release
* Standards-Version is 3.8.1
* debhelper compat is 7
* Run dh_prep instead of dh_clean -k
libpng (1.2.35-1) unstable; urgency=high
* New upstream release
- http://secunia.com/advisories/33970/
Fix a vulnerability reported by Tavis Ormandy in which
some arrays of pointers are not initialized prior to using
"malloc" to define the pointers.
Closes: #516256
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
The png_check_keyword function in pngwutil.c in libpng, might
allow context-dependent attackers to set the value of an
arbitrary memory location to zero via vectors involving
creation of crafted PNG files with keywords, related to an
implicit cast of the '\0' character constant to a NULL pointer.
* Don't build libpng3 when binary-indep target is not called.
Closes: #486415
libpng (1.2.33-2) unstable; urgency=low
* Fix the following lintian issues:
W: libpng12-0: copyright-refers-to-versionless-license-file
usr/share/common-licenses/GPL
libpng (1.2.33-1) experimental; urgency=low
* New upstream release
- Fix memory leak after reading a malformed tEXt chunk
libpng (1.2.32-1) experimental; urgency=low
* New upstream release
- libpng.pc is configured to do static linking; closes: #483477
- use autoconf variables in .pc and libpng-config; closes: #483478
* Remove debian/patches/02-501109-pngtest.c.diff; it was merged
libpng (1.2.27-2) unstable; urgency=medium
* Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109
* Standards-Version is 3.8.0
libpng (1.2.27-1) unstable; urgency=low
* New upstream release
* Patches merged upstream:
debian/patches/02-476669-CVE-2008-1382.diff
debian/patches/03-404514-png.5.diff
* Run ./autogen.sh
libpng (1.2.26-1) unstable; urgency=high
* New upstream release. Closes: #431202
* Use quilt
Add 01-legacy.diff
* Fix CVE-2008-1382 denial of service and possibly code execution
Add 02-476669-CVE-2008-1382.diff
Closes: #476669
* Fix URL in png.5. Closes: #404514
Add 03-404514-png.5.diff
* Move examples to libpng12-dev. Closes: #401467
* Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126
* Fix the following lintian issues:
W: libpng source: debian-rules-ignores-make-clean-error line 37
W: libpng source: substvar-source-version-is-deprecated libpng12-dev
W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3)
W: libpng12-0-udeb udeb: description-contains-homepage
W: libpng3: description-contains-homepage
W: libpng12-dev: description-contains-homepage
W: libpng12-0: package-contains-empty-directory usr/bin/
W: libpng12-0: package-contains-empty-directory usr/sbin/
W: libpng12-0: description-contains-homepage
W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming
libpng (1.2.15~beta5-3) unstable; urgency=high
* ACKed NMU.
* Fixed out-of-bounds read operations triggered by crafted
png image files (CVE-2007-5269) (Closes: #446308).
libpng (1.2.15~beta5-2.1) unstable; urgency=high
* Non-maintainer upload by testing security team.
* Fixed out-of-bounds read operations triggered by crafted
png image files (CVE-2007-5269) (Closes: #446308).
libpng (1.2.15~beta5-2) unstable; urgency=high
* It seems that a grayscale image with a malformed (bad CRC) tRNS
chunk will crash libpng and mozilla. Closes: #424729.
- CVE-2007-2445
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445
- CERT Vulnerability Note VU#684664
http://www.kb.cert.org/vuls/id/684664
libpng (1.2.15~beta5-1) unstable; urgency=low
* Applied legacy_symbols.patch.
* Changed shlibs dependecy versions to ">= 1.2.13-4".
* libpng12-0: Added the following conflicts: mzscheme (<= 1:209-5),
pngcrush (<= 1.5.10-2), pngmeta (<= 1.11-3), qemacs (<= 0.3.1-5),
povray-3.5 (<= 3.5.0c-10).
libpng (1.2.15~beta5-0) unstable; urgency=high
* New upstream release.
- Fixed asm API functions not exported on amd64. Closes: #401044.
- Fixed "libpng hangs when saving profile". Closes: #401423.
* Fixed "Incorrect shlibs information". Closes: #401465.
* Removed patches for png.h and pngconf.h.
* Updated debian/watch.
libpng (1.2.13-4) unstable; urgency=low
* Removed drop_pass_width patch. Closes: #399499.
libpng (1.2.13-3) unstable; urgency=low
* libpng12-dev: removed the conflict with libpng3-dev.
libpng (1.2.13-2) unstable; urgency=low
* Put back binary package libpng3.
libpng (1.2.13-1) unstable; urgency=low
* Fixed conflict with the new libpng package. Closes: #399296.
* Fixed png.5 man page formatting. Closes: #353061.
Patch by Kevin Ryde <[email protected]>.
libpng (1.2.13-0) unstable; urgency=high
* New upstream release.
* CVE-2006-5793: Fixed a new security issue regarding malformed
sPLT chunks. Closes: #398706.
* Transitional package libpng3 is not shipped anymore.
Closes: #369104.
libpng (1.2.12-0) unstable; urgency=high
* New upstream release. Closes: #366070.
* CVE-2006-3334: Fixed Buffer overflow in the png_decompress_chunk
function in pngrutil.c in libpng before 1.2.12 allows
context-dependent attackers to cause a denial of service and
possibly execute arbitrary code via unspecified vectors related
to "chunk error processing," possibly involving the "chunk_name".
Closes: #397892.
* Removed debian/x86_patches/pnggccrd-PIC.patch as it's merged
upstream.
libpng (1.2.8rel-7) unstable; urgency=low
* New maintainer. Closes: #393109.
* ACK NMUs. Closes: #378463, #377298, #356252.
* debian/control:
- set Standards-Version to 3.7.2.
- set Priority to extra for libpng12-0-udeb.
- added ${misc:Depends} to libpng12-0 and libpng12-0-udeb
dependency lists.
* Added debian/watch file.
libpng (1.2.8rel-6) unstable; urgency=low
* Orphaning package.
libpng (1.2.8rel-5.2) unstable; urgency=low
* Non-maintainer upload.
* Backport changes from 1.2.12 to fix a buffer overflow in
png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334]
(Closes: #377298)
libpng (1.2.8rel-5.1) unstable; urgency=low
* Non Maintainer Upload (closes: #356252).
* Add support for udeb dependency resolution in shlibs file.
* Update debhelper compatibility to level 5.
libpng (1.2.8rel-5) unstable; urgency=low
* drop_pass_width.patch: don't export png_pass_width, it's absolutely
unnecessary.
* libpng12-0.shlibs: downgrade the shlibs accordingly
(closes: #331383).
libpng (1.2.8rel-4) unstable; urgency=low
* makefile.patch:
+ Use PNG_PRIVATE to get the list of private symbols as well. It
sucks, but they've been there for too long (closes: #329886).
+ Use mawk instead of awk (closes: #329812).
* control: build-depend on mawk.
* rules:
+ Use -O2, not -O3.
+ Actually run the tests.
+ Make use of x86_patches/ on x86 architectures.
* x86_patches/mmxbuild.patch: build MMX routines in pnggccrd.c.
* x86_patches/pnggccrd-PIC.patch: patch from Christian Aichinger
to make the assembly routines PIC-compatible.
* libpng12-0.shlibs: bump the shlibs version.
libpng (1.2.8rel-3) unstable; urgency=low
* Upload to unstable.
* Rename the source package to libpng.
libpng3 (1.2.8rel-2) experimental; urgency=low
* makefile.patch:
+ now patch makefile.elf, so that only public symbols are truly
exported.
+ shorten the differences as much as possible.
* rules: use makefile.elf now.
* Move libpng3 to oldlibs.
* Entirely remove libpng3-dev, making libpng12-dev provide it
(closes: #322051).
* poynton.patch: correct Charles Poynton's address (closes: #289437).
* Don't run the test when cross-building (closes: #285427).
* setjmp_error.patch: don't stop when we are not using _BSD_SOURCE, as
in this case this is harmless (closes: #299343).
* libpng3.postinst: removed, the fix is in sarge.
* Standards-version is 3.6.2.
* legacy_symbols.patch: still export png_read_destroy and
png_write_destroy, which are deprecated but should nevertheless be
accessible.
libpng3 (1.2.8rel-1) unstable; urgency=medium
* New upstream release.
* read_transformations.patch: removed, included upstream.
* libpng12-0.shlibs: Update to version 1.2.8rel, new flags seem to have been
added.
libpng3 (1.2.8beta5-2) unstable; urgency=medium
* read_transformations.patch: fix segmentation fault with latex
(closes: #281789) and totem (closes: #278618).
libpng3 (1.2.8beta5-1) unstable; urgency=medium
* New upstream release.
+ Correct segmentation violation in png_combine_row.
Closes: #278526, #278917, #278921, #279258, #281789, #282368.
libpng3 (1.2.7-1) unstable; urgency=medium
* New upstream release (closes: #278308).
* libpng12-0.shlibs: update shlibs to version 1.2.7.
* Remove all security fixed, they are included upstream.
libpng3 (1.2.5.0-9) unstable; urgency=high
* CAN-2004-0954.patch: removed, this is already fixed in
CAN-2004-0597_0598_0599.patch.
libpng3 (1.2.5.0-8) unstable; urgency=high
* Switch to CDBS.
+ Ship modifications and security fixes in debian/patches.
+ debian/rules: rewritten.
+ debian/control: build-depend on cdbs.
+ debian/libpng12-0.shlibs: new.
* setjmp_error.patch: port explanation of the error when including setjmp.h
from libpng10, thanks Matijs van Zuijlen <[email protected]>
(closes: #273473).
* CAN-2004-0954.patch: fix buffer overflow vulnerability in
png_handle_tRNS().
* CAN-2004-0955.patch: fix integer arithmetic overflow vulnerability in
png_read_png().
libpng3 (1.2.5.0-7) unstable; urgency=high
* pngrtran.c: applied upstream patch 4 to fix incorrect calculation of
buffer offsets [CAN-2004-0768].
* png.h, pngpread.c, pngrutil.c: patch from Chris Evans
<[email protected]> to fix several vulnerabilities (closes: #263500):
+ libpng fails to properly check length on PNG data [CAN-2004-0597].
+ libpng "png_handle_sBIT" does not perform proper checks to avoid stack
buffer overflow [CAN-2004-0597].
+ libpng "png_handle_iCCP" possible NULL-pointer crash
[CAN-2004-0598].
+ libpng "png_handle_sPLT" possible integer overflow
[CAN-2004-0599].
+ libpng "png_read_png" does not properly handle a PNG with excessive
height (integer overflow) [CAN-2004-0599].
+ libpng progressive reading integer overflow [CAN-2004-0599].
libpng3 (1.2.5.0-6) unstable; urgency=high
* pngerror.c: applied patch by Steve Grubb <[email protected]> to
fix unintended memory access that could result in a crash of the
application linking against libpng [CAN-2004-0421].
libpng3 (1.2.5.0-5) unstable; urgency=low
* Use debhelper 4.2, which generates the udeb appropriately.
* Update control and rules appropriately.
* Don't use ${shlibs:Depends} for the udeb, rather write the
dependencies by hand.
* Standards-version is 3.6.1.
libpng3 (1.2.5.0-4) unstable; urgency=low
* scripts/makefile.linux: use versioned dependencies
(closes: #155891).
* debian/rules: bump dependency for dh_makeshlibs.
* add the libpng.a link in libpng12-dev.
* Rework scripts/makefile.linux to make it more consistent.
* Update stuff in debian/ accordingly.
* Updated README.Debian.
libpng3 (1.2.5.0-3) unstable; urgency=low
* Make libpng3{,-dev} depend on libpng12-{0,dev} >= 1.2.5.0-2 instead
of the strict source version.
* Move /usr/share/doc/libpng3{,-dev} into symlinks at postinst time
when directories already exist.
* debian/rules: install correctly doc-base stuff.
* debian/libpng12-dev.doc-base: updated URIs.
libpng3 (1.2.5.0-2) unstable; urgency=low
* scripts/{makefile.linux,libpng-config-body.in}: correct the
libpng12-config script.
* Install correctly pkg-config stuff (closes: #191081).
* Make libpng12-dev conflict explicitly with libpng12-0-dev.
* Update README.Debian.
libpng3 (1.2.5.0-1) unstable; urgency=low
* New maintainer.
* Use real upstream tarball from 1.2.5 release.
* Use dpkg-source's way instead of dpatch for patching.
* A bit of rework in debian/rules, use dh_install and debhelper 4.
* Standards-version is 3.5.9.
* The -dev package is now named libpng12-dev (stop using the
libpkg-guide way).
* libpng3 is now arch-independent.
* Improved descriptions a bit.
* Don't supply libpngpf.3, it is not useful to programmers.
libpng3 (1.2.5-11) unstable; urgency=low
* Add udeb (closes: #174842)
* Add missing section on source files.
libpng3 (1.2.5-10) unstable; urgency=low
* Rebuild with d-shlibs with fixed "libgcc_s1-dev" handling (for gcc-3.2).
(closes: #178070), build-depend on d-shlibs 0.10 or greater.
libpng3 (1.2.5-9) unstable; urgency=low
* Use dpatch for patch system -- divide Debian patch, and security fix patch.
* Standards-Version: 3.5.8
* add manual page libpng-config.1 and libpng12-config.1
libpng3 (1.2.5-8) unstable; urgency=low
* Sorry folks, I made a mistake.
* Forward-port of patch from the Security Team,
really apply what was there. (closes: #172868,#172871)
libpng3 (1.2.5-7) unstable; urgency=high
* Forward-port of patch from the Security Team
* Applied patch to pngrtran.c by Glenn Randers-Pehrson
<[email protected]> to fix a buffer overrun.
libpng3 (1.2.5-6) unstable; urgency=low
* Typo in scripts/makefile.linux.
Mistake. -lz and -lm weren't happening.
* Change LDFLAGS to not list -lz -lm, so that testsuite will catch such error.
* set prefix=/usr/ in scripts/makefile.linux, since it was set to usr/local.
libpng3 (1.2.5-5) unstable; urgency=low
* scripts/makefile.linux: LIBADDFLAGS introduced, for shared library lib additional
flags, and use that for shared library.
- this should fix build failure (closes: #166704)
Thanks Daniel Schepler <[email protected]> for reporting.
* updated copyright file to note that libpng3 in Debian is patched to
link with -lz -lm.
libpng3 (1.2.5-4) unstable; urgency=low
* Trying to fix the problem that libpng3 seems to be not linked against libz.
LDFLAGS was defined but not being used.
Thanks Mike Furr <[email protected]> for reporting (closes: #166489)
libpng3 (1.2.5-3) unstable; urgency=low
* Fixed description, I mixed up the -devel and non-devel
packages.
* updated README.Debian.
libpng3 (1.2.5-2) unstable; urgency=low
* careless mistake :(
* reinstall libpng.so symlink in libpng-12-0-dev package.
Otherwise other packages won't build ...
libpng3 (1.2.5-1) unstable; urgency=low
* New upstream version (closes: #163425)
* re-patched makefile.linux to work with system zlib,
added workaround to set CFLAGS, and remove rpath settings from LDFLAGS
* Use debhelper.
* No longer create /usr/doc symlinks.
* Standards-Version: 3.5.7
libpng3 (1.2.1-5) unstable; urgency=low
* Not yet released.
* Change priority from standard to optional.
libpng3 (1.2.1-4) unstable; urgency=low
* change -dev dependency of libc6-dev to libc-dev
libpng3 (1.2.1-3) unstable; urgency=low
* Security fix backported from 1.2.4. Check bounds of variables.
(closes: #155403)
libpng3 (1.2.1-2) unstable; urgency=low
* New maintainer (closes: #151343)
* apply buffer overflow patch for interlaced png files (closes: #150595)
* update description for libpng3-dev.
* change libpng-dev to libpng3-dev
libpng3 (1.2.1-1.1) unstable; urgency=low
* NMU
* Provides: libpng2-dev has been changed to Provides: libpng3-dev
libpng2-dev can be put back in when some kind of sane transition has
finished.
(closes: #128384, #128871, #129268, #129269)
libpng3 (1.2.1-1) unstable; urgency=low
* New upstream version; closes: #125679.
* New source package name: libpng3.
* Renamed libpng<x>-dev to libpng-dev to avoid having to maintain several
development packages (the -dev is source compatible).
* Moved png.5 into the -dev package.
* Added a Replaces: libpng2 to libpng-dev so that we can steal the png.5
manpage without fuss.
* Changed debian/shlibs for libpng3.
* Compress examples/pngtest.c.
libpng (1.0.12-3) unstable; urgency=low
* Moved the png.5 manpage to the dev package to allow multiple libpng<n>
packages installed at the same time.
libpng (1.0.12-2) unstable; urgency=low
* Changed libpng2-dev's section to devel to resync with override file.
* Fixed upstream version detection in debian/rules; closes: #105931.
libpng (1.0.12-1) unstable; urgency=low
* New upstream release; closes: #105354.
* Bumped dependency information in debian/shlibs to libpng >= 1.0.12
since there were some non-backwards compatible changes to the API.
* Added support for DEB_BUILD_OPTIONS and get-orig-source to debian/rules.
* Added call to ldconfig on postrm's remove.
* Removed INSTALL file from /usr/share/doc/libpng2.
* Bumped standards version to 3.5.5.0.
libpng (1.0.11-1) unstable; urgency=low
* New upstream release.
libpng (1.0.10-2) unstable; urgency=low
* Force recompile because of bad sparc package.
* Libpng2's priority changed to standard to comply with the override file.
libpng (1.0.10-1) unstable; urgency=low
* New upstream release.
* Changed shlib to depend on libpng2 (>= 2.0.10) because of
non-backwards compatible changes.
libpng (1.0.8-1) unstable; urgency=low
* Changed the doc-base type from 'test' to 'text'; closes: #59877.
* New upstream relase 1.0.8; closes: #70464.
* Updated copyright notice.
* Removed Y2kINFO from the doc directory.
* Added pngtest.c in examples; closes: #65229.
* Updated to standards version 3.2.1.0.
* Added build-depends line in control file; closes: #69291.
libpng (1.0.5-1) frozen unstable; urgency=low
* Maintainer upload (closes: #48244, #48246).
* Added some extra explanations for the setjmp.h mess (closes: #56759),
see pngconf.h for details.
libpng (1.0.5-0.1) unstable; urgency=low
* Non-maintainer release.
* New upstream release. (closes:Bug#48244).
* Remove versioned depend from shlibs (closes:Bug#48246).
libpng (1.0.3-1) unstable; urgency=low
* New upstream version (1.0.3); Closes: #31870, #46333.
* Maintainer upload, closes NMU bugs; Closes: #28412, #31523, #31690.
* FHS compliant.
* New standard-version 3.0.1.
* Lintian clean.
* Removed temporary zlib1g line in control file (used to be a bug in
zlib1g).
* Moved the documentation file to the -dev package.
* Register documentation file to doc-base.
* Fontified man pages with addformat script; Closes #38680.
libpng (1.0.2b-0.1) frozen unstable; urgency=low
* New upstream (bug-fix only) version.
(Should fix bugs #31690滼, since I can't reproduce them)
From the author:
"I have recently uploaded libpng-1.0.2b to
ftp://swrinde.nde.swri.edu/pub/png-group/src
I plan to release it as libpng-1.0.3 in a
few days, but would like to hear whether it
fixes the problems with GNOME.
It restores a few lines of code that were
inadvertently deleted from pngread.c, which
seems to be the cause of problems with adding
an alpha channel (which you fixed by downgrading
to libpng-1.0.1's pngread.c)."
[Glenn Randers-Pehrson <[email protected]>]
* Masquerade version number to 1.0.3 to make Imlib & Co. happy.
libpng (1.0.2-1.1) frozen unstable; urgency=low
* Fix Important bug #28412
(using pngread.c from libpng-1.0.1 did the trick).
libpng (1.0.2-1) unstable; urgency=low
* Maintainer release (to change a bit).
* Pristine sources.
* Libpng2-dev includes example.c (fixes bug #10315).
* Changed control file to reflect difference with libpng0g (fixes #23795).
* Recompiled (should fix the zlib1g missing symbol, bug #24450).
* Added -D_REENTRANT also to static library.
* Added a dependency upon zlib1g >= 1.1.2 (otherwise we get a missing
symbol) (fixes bug #24450).
libpng (1.0.2-0.1) unstable; urgency=low
* Non-maintainer release
* New upstream version
libpng (1.0.1-0.2) unstable; urgency=medium
* debian/rules (binary-arch): don't call install with -s as an
argument when installing a shared library; it doesn't know to use
--strip-unneeded, and we call strip separately later anyway.
* scripts/makefile.lnx (CFLAGS): killed i386-isms.
* scripts/makefile.lnx: compiled shared libraries with -D_REENTRANT.
(The above fixes are from James Troup, who yet again, alerted me to
my screwups ;)
* debian/postinst: only call ldconfig if $1 = configure.
libpng (1.0.1-0.1) unstable; urgency=low
* New upstream bug fix release.
* Include man pages.
libpng (1.0.0-0.1) unstable; urgency=low
* Non-maintainer Release.
* New Upstream Release.
* Changed source package name to `libpng'.
* Added `-f makefile.lnx' to make invocations in debian/rules.
* Removed `ldconfig' call from postrm.
libpng0 (0.96-5) unstable; urgency=low
* Removed executable permissions on shared libs (fixes bug #15478).
* Updated Standards-Version to 2.3.0.1.
libpng0 (0.96-4) unstable; urgency=low
* Shared libraries are stripped with --strip-unneeded and static
libraries with --strip-debug (fixes bug #15669).
* Made the build strip non-i386 specific (patch by James Troup) (fixes
bug #13832).
* Removed the dependency between the libc5 and libc6 versions.
libpng0 (0.96-3) unstable; urgency=low
* Libc6 compilation.
libpng0 (0.96-2) unstable; urgency=low
* Fixed permissions in /usr/doc/libpng0 (fixes bug #10540).
libpng0 (0.96-1) unstable; urgency=low
* New upstream sources.
libpng0 (0.95b-1) unstable; urgency=low
* New maintainer.
* Upgraded to upstream version 0.95b.
* Make debian/rules version independent.
* Debian/rules clean now removes substvars.
* Bumped the shlibs version to 0.95 as some incompatibilities were
introduced between 0.89 and 0.90.
* Added the Section: and Priority: fields to the control file (fixes bug
#6370).
* Now /usr/doc/libpng0 contains various info and the debian change log
stuff (fixes bug #7925).
* Added -D_REENTRANT compilation flag.
libpng (0.89c-6) unstable; urgency=low
* Moved shlibs file to correct location
libpng (0.89c-5) unstable; urgency=low
* Added shlibs file
libpng (0.89c-4) unstable; urgency=low
* Now stripping shared libraries (Bug#5134)
libpng (0.89c-3) unstable; urgency=low
* Corrected maintainers address
libpng (0.89c-2) unstable; urgency=low
* Accommodate the fact that dpkg-source doesn't properly preserve
permissions on scripts when extracting package. (Bug#4513)
libpng (0.89c-1) unstable; urgency=low
* New upstream version.
* Moved to new source packaging format.
balabit-sync
pushed a commit
to balabit-deps/balabit-os-9-libpng1.6
that referenced
this issue
Nov 15, 2022
libpng1.6 (1.6.37-3build5) jammy; urgency=high
* No change rebuild for ppc64el baseline bump.
libpng1.6 (1.6.37-3build4) impish; urgency=medium
* No-change rebuild to build packages with zstd compression.
libpng1.6 (1.6.37-3build3) hirsute; urgency=medium
* No-change rebuild to build with lto.
libpng1.6 (1.6.37-3build2) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
libpng1.6 (1.6.37-3build1) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
libpng1.6 (1.6.37-3) unstable; urgency=medium
[ Debian Janitor ]
* Wrap long lines in changelog entries: 1.2.5-5.
[ Gianfranco Costamagna ]
* debian/patches/326.patch:
- add upstream proposed patch to fix a decode fail with invalid eXIf
chunks (Closes: #969502)
libpng1.6 (1.6.37-2) unstable; urgency=medium
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database, Repository, Repository-
Browse.
* Rely on pre-initialized dpkg-architecture variables.
* Fix day-of-week for changelog entry 1.0.0-0.1.
* Set upstream metadata fields: Bug-Submit.
[ Gianfranco Costamagna ]
* Bump std-version to 4.5.0, no changes required
libpng1.6 (1.6.37-1) unstable; urgency=medium
* Upload to unstable
libpng1.6 (1.6.37-1~exp4) experimental; urgency=medium
* debian/patches/72fa126446460347a504f3d9b90f24aed1365595.patch:
- cherry-pick upstream possible fix for tests not being parallel-safe
(Closes: #920657)
libpng1.6 (1.6.37-1~exp3) experimental; urgency=medium
* Fix two lintian warnings:
- drop upstream signing key, upstream seems to have stopped tarball
signatures when moved to github (see upstream issue: #287)
- double "version" tag in debian/watch
libpng1.6 (1.6.37-1~exp2) experimental; urgency=medium
* Simplify tests, by not passing the .libs directory during their
execution
libpng1.6 (1.6.37-1~exp1) experimental; urgency=medium
* New upstream version 1.6.37
- upload to experimental because of freeze
* Update watch file for github publish site
* Update copyright years and text for pngminus
* Drop all upstream patches, patch refresh for apng patch
* Bump compat level to 12
libpng1.6 (1.6.36-6) unstable; urgency=medium
* Upload to unstable
libpng1.6 (1.6.36-5exp1) experimental; urgency=medium
* Drop Anibal from uploaders list,
thank you for your nice work! (Closes: #925014)
* Update copyright years.
* Drop patch 272.patch, superseeded by upstream commits:
70d122aac42933ab8a708c538f973c3307853212.patch (uncommented)
82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch
a627bd26a375f5c41d54f90a47c838157d1bec97.patch
libpng1.6 (1.6.36-5) unstable; urgency=medium
* Tweak old 272 patch to add the only relevant part of commit
70d122aac42933ab8a708c538f973c3307853212.patch
* Drop 70d122aac42933ab8a708c538f973c3307853212.patch, it breaks the
testsuite.
libpng1.6 (1.6.36-4) unstable; urgency=high
* debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch,
debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch:
- new fixes for arm64 and general test failures (and leaks)
* debian/patches/CVE-2019-7317.patch:
- fix for CVE 2019-7317 (Closes: #921355)
Thanks Salvatore Bonaccorso for your report!
libpng1.6 (1.6.36-3) unstable; urgency=medium
* debian/patches/272.patch:
- upstream fix for arm64 test failures.
- drop previous revert-* patches
libpng1.6 (1.6.36-2) unstable; urgency=medium
* Update watch file for github location
* Add apng support, like what is done in arch linux
- pnggroup/libpng#267
* d/p/revert-{7734cda20cf1236aef60f3bbd2267c97bbb40869,
1ceaa83a844cd3ecef25279d60720f910b96f297,
b66ed711315c46ef6c556c83c0074ecdcbd9937f}.patch:
revert on arm64 only the chromebook optimizations, they are
making the build fail.
- discussion at pnggroup/libpng#266
[ Mattia Rizzolo ]
* Fixup std-version numbering
libpng1.6 (1.6.36-1) unstable; urgency=medium
* New upstream version 1.6.36
* update copyright file
* Bump std-version to 4.3.0.1, no changes required
* drop patch 8a057: upstream
* Add nocheck profile in rules file
[ Ondřej Nový <[email protected]> ]
* d/changelog: Remove trailing whitespaces
libpng1.6 (1.6.34-2) unstable; urgency=medium
[ Salvatore Bonaccorso ]
* debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch:
Closes: #903430
CVE-2018-13785
[ Gianfranco Costamagna ]
* Upload to unstable
* Switch VCS fields to salsa.d.o
* Bump std-version to 4.1.5, no changes required
* Switch copyright in https mode
libpng1.6 (1.6.34-1) unstable; urgency=medium
* New upstream version 1.6.34
* Remove files removed upstream (the failing png files)
libpng1.6 (1.6.33-1) unstable; urgency=medium
* New upstream version 1.6.33
* Drop idat patch: upstream
* Update copyright
* Bump std-version to 4.1.1
* Remove some new test png files that make testsuite fail
(they fail also on older libpng version, just they weren't available
status is tracked at https://sourceforge.net/p/libpng/bugs/271/ )
libpng1.6 (1.6.32-3) unstable; urgency=high
* Fix invalid IDAT images, thanks Felix Geyer for the debug/bug reassign!
(Closes: #876563)
libpng1.6 (1.6.32-2) unstable; urgency=medium
* Bump std-version to 4.1.0, now priority is extra
* Add missing newline on copyright entry, making lintian sad
* Move the examples into the main libpng-dev (Closes: #876244)
- thanks Helmut Grohne for the useful bug report!
libpng1.6 (1.6.32-1) unstable; urgency=medium
* New upstream version 1.6.32
* Update copyright file
libpng1.6 (1.6.31-1) unstable; urgency=medium
* New upstream release.
* Update d/watch to point to ftp site and to verify gpg signature.
* fix-arm-build.patch removed, fixed upstream.
* Update d/copyright (years and add new maintainers) and remove some
redudant entries.
libpng1.6 (1.6.30-2) unstable; urgency=medium
* Fix arm* build failures with upstream patch
(Closes: #867670)
libpng1.6 (1.6.30-1) unstable; urgency=medium
* New upstream release.
* Update copyright
* Bump std-version to 4.0.0
libpng1.6 (1.6.29-3) unstable; urgency=medium
* Upload to unstable
libpng1.6 (1.6.29-2) experimental; urgency=medium
* Enable PIE eveywhere
libpng1.6 (1.6.29-1) experimental; urgency=medium
* New upstream release.
- Drop fix multiarch patch: upstream
* Use autoreconf.
libpng1.6 (1.6.28-1exp4) experimental; urgency=medium
* Override autoreconf due to debhelper bug 844504
libpng1.6 (1.6.28-1exp3) experimental; urgency=medium
* No-autoreconf for cmake builds
libpng1.6 (1.6.28-1exp2) experimental; urgency=medium
* Readd multiarch patch, it was merged by
upstream on master but not on 1.6 branch
libpng1.6 (1.6.28-1exp1) experimental; urgency=medium
* Switch to cmake
libpng1.6 (1.6.28-1) unstable; urgency=medium
* New upstream release.
libpng1.6 (1.6.27-1) unstable; urgency=medium
* New upstream release (Closes: #849799)
- Fix for CVE-2016-10087
libpng1.6 (1.6.26-6) unstable; urgency=medium
* Enable pie in Debian, disable it in Ubuntu.
- thanks pochu :)
libpng1.6 (1.6.26-5) unstable; urgency=medium
* Revert cmake switch, failing on arm64.
libpng1.6 (1.6.26-4) unstable; urgency=low
* Upload to unstable.
* Disable pie where Ubuntu has not defaulted yet.
(armhf, arm64, powerpc)
libpng1.6 (1.6.26-3) experimental; urgency=medium
* Switch to cmake.
libpng1.6 (1.6.26-2) unstable; urgency=medium
* Enable full hardening (+pie) (Closes: #844429)
libpng1.6 (1.6.26-1) unstable; urgency=low
* New upstream release.
* Switch to compat level 10
- Drop autoreconf/parallel, automatically injected
libpng1.6 (1.6.25-2) unstable; urgency=medium
* Mark the -tools package Multi-Arch: foreign.
(Closes: #840446).
Thanks Francois Gourget for the bug report!
libpng1.6 (1.6.25-1) unstable; urgency=medium
* New upstream release.
libpng1.6 (1.6.24-2) unstable; urgency=medium
* Stop providing pngcp, because a tool with the same
name is provided by pngtools (Closes: #834119, #834118).
- Consider re-enabling it if ineeded, but for now the
tool has no manpage and no help command.
- An alternative might be to make pngtools and libpng-tools
conflict each others.
libpng1.6 (1.6.24-1) unstable; urgency=medium
* New upstream release.
- install also new pngcp tool in libpng-tools package.
libpng1.6 (1.6.23-1) unstable; urgency=medium
* New upstream release.
libpng1.6 (1.6.22-1) unstable; urgency=medium
* New upstream release.
- drop fix_define_PNG_READ_16_TO_8.patch: upstream
* Update copyright file.
libpng1.6 (1.6.21-5) unstable; urgency=medium
* d/control: Add VCS-* to repository on collab-maint.
* Add patch to properly define PNG_READ_16_TO_8_SUPPORTED (Closes: #824014)
* Add d/gbp.conf to ensure signed tags.
libpng1.6 (1.6.21-4) unstable; urgency=medium
* add libpng-config.patch from the old
src:libpng.
- disabling multiarch bits in libpng-config has
the "side-effect" to let us have a Multiarch libpng-dev package.
Closes: #822297
* Make the libpng-dev package Multiarch ready.
libpng1.6 (1.6.21-3) unstable; urgency=medium
[ Manuel A. Fernandez Montecelo ]
* Add hardening flags (excluding PIE. CLoses: #805822)
[ Gianfranco Costamagna ]
* Drop useless pre-depends line.
[ Bart Martens ]
* Fix watch file
[ Laurent Bigonville ]
* Drop useless packages in Replaces field. (Closes: #820887)
libpng1.6 (1.6.21-2) unstable; urgency=medium
* Upload to unstable.
* Add myself and Tobias to uploaders, as per maintainers
suggestion.
* Bump std-version to 3.9.8, no changes required.
libpng1.6 (1.6.21-1) experimental; urgency=medium
* Team upload.
* New upstream release.
* Add upstream signing key
* Fix watch file.
* Update copyright file.
* Drop libpng16-devtools, useless and merged in libpng-dev.
(many packages relies on that script for building correctly)
- breaks + replaces accordingly.
* Remove multiarch -dev package
* Rename libpng16-tools to libpng-tools, there is no need of
strict versioning here.
* Install upstream changelog.
* Run upstream testsuite.
* Remove README.* files, useless now.
libpng1.6 (1.6.20-3) experimental; urgency=medium
* Team upload
* Move libpng16-dev to libpng-dev, to ease next transitions.
* Drop conflicts against mzscheme, pngcrush, pngmeta,
povray-3.5, qemacs, some of them disappeared, some of
them have later versions already in old-oldstable.
* Simplify even more the packaging, probably fixing #813288
* Fix symlinks, and two lintian errors:
- library-in-root-and-usr
- old-style-config-script-multiarch-path
(multiarch: no for libpng16-devtools)
* Update standard-version to 3.9.7, no changes required.
* Switch to dh-autoreconf (Closes: #813027)
* Remove libpng16-devtools circular dependency, recommend it instead.
* Fix duplicate description lintian warning
* Fix copyright lintian warnings
* Remove copyright.in file
* Use new plain dh calls in rules file
* Remove some old lintian overrides.
libpng1.6 (1.6.20-2) experimental; urgency=medium
[ Tobias Frost ]
* libpng16-16-udeb should not Conflicts: libpng-12-0.
[ Anibal Monsalve Salazar ]
* debhelper compat version is 9.
* debian/control: libpng16-devtools is "Multi-Arch: same".
libpng1.6 (1.6.20-1.1) experimental; urgency=medium
* Non-maintainer upload.
* Preparation for the transition, going to experimental.
* Make libpng16-dev depend on libpng16-devtools to have libpng-config
pulled in automatically for reverse dependencies.
* Provide a so-name neutral devtools package
libpng1.6 (1.6.20-1) experimental; urgency=medium
* New upstream release.
Fix CVE-2015-8472.
Closes: #810074.
* Use default options to compress.
Remove debian/source/options.
libpng1.6 (1.6.19-1) experimental; urgency=medium
* New upstream release.
* Update lintian-overrides for 1.6.19.
libpng1.6 (1.6.16-1) experimental; urgency=medium
* New upstream release (Closes: #773823)
Fix CVE-2015-8540.
* Standards Version is 3.9.6.
* Update debian/copyright.
Add infomation of license for other all files.
* Update lintian-overrides for 1.6.16.
libpng1.6 (1.6.10-2) experimental; urgency=low
* Add libpng16-devtools package.
Move libpng-config to this package.
libpng1.6 (1.6.10-1) experimental; urgency=low
* New upstream release (Closes: #740585)
Fixed CVE-2014-0333.
* Update overrides files.
libpng1.6 (1.6.8-2) experimental; urgency=low
* Update debian/copyright. (Closes: #735737)
libpng1.6 (1.6.8-1) experimental; urgency=low
* New upstream release.
libpng1.6 (1.6.7-1) experimental; urgency=low
* New upstream release.
libpng (1.5.11-1) experimental; urgency=low
* New upstream release.
libpng (1.5.10-3) experimental; urgency=low
* Remove libpng12-dev binary package. libpng-dev provides and replaces
libpng12-dev.
libpng (1.5.10-2) experimental; urgency=low
* Add transition packages libpng3, libpng12-0 and libpng12-dev
libpng (1.5.10-1) experimental; urgency=high
* New upstream version 1.5.10
- Fix CVE-2011-3048 (memory corruption flaw)
Closes: 667475
* Standards Version is 3.9.3
libpng (1.5.9-1) experimental; urgency=low
* New upstream version 1.5.9
The purpose of this release is to fix the dangerous CVE-2011-3026.
The libpng patch is different from the one that was distributed
earlier by Chromium, in that the libpng user limit feature is not
crippled by the patch.
Remove 02-660026-CVE-2011-3026.patch
libpng (1.5.8-1) experimental; urgency=high
* New upstream release.
Fix a one-byte (stack) buffer-overrun bug in
png_formatted_warning(), which could lead to crashes (denial of
service) or, conceivably, execution of hostile code.
This vulnerability has been assigned ID CVE-2011-3464.
* Check for both truncation (64-bit platforms) and integer overflow
Fix CVE-2011-3026
Add 02-660026-CVE-2011-3026.patch
Closes: 660026
libpng (1.5.7-2) experimental; urgency=low
* Fix typo from PPFLAGS to CPPFLAGS.
libpng (1.5.7-1) experimental; urgency=low
* New upstream release.
* Update debian/rules.
Enabled hardened build flags. (Closes: #654149)
libpng (1.5.6-1) experimental; urgency=low
* New upstream release.
libpng (1.5.5-1) experimental; urgency=low
* New upstream release.
* Fix lintian error: udeb-uses-non-gzip-data-tarball.
Changed option of dh_builddeb for every package.
* Fix lintian warning: brace-expansion-in-debhelper-config-file.
Remove brace-expansion from debian/libpng-dev.install.
libpng (1.5.4-2) experimental; urgency=low
* Port Steve Langasek's changes for 1.2.46-1
- Build for multiarch. Closes: 634151
- Drop debian/libpng15-15-udeb.dirs, which just adds a pointless empty
directory to the udeb
* Update debian/docs and debian/libpng15-15.docs
* Add debian/libpng15-15.doc-base
* Build-Depend on autotools-dev
libpng (1.2.46-2) unstable; urgency=low
[ Steve Langasek ]
* Build for multiarch. Requires converting libpng3 from Arch: all to
Arch: any. Closes: 634151
* Drop debian/libpng12-0-udeb.dirs, which just adds a pointless empty
directory to the udeb.
[ Anibal Monsalve Salazar ]
* Fix doc-base file
Closes: 633944, 633957, 634120
* Pass "-Zbzip2 -z9" to dpkg-deb
libpng (1.5.4-1) experimental; urgency=low
* New upstream release (Closes: #633871).
- Fix CVE: CVE-2011-2690
Buffer overwrite in png_rgb_to_gray
- CVE: CVE-2011-2691
Crash in png_default_error due to use of NULL Pointer
- CVE: CVE-2011-2692
Memory corruption when handling empty sCAL chunks
- Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream.
libpng (1.2.46-1) unstable; urgency=high
* New upstream release (Closes: #633871).
- Fix CVE: CVE-2011-2690
Buffer overwrite in png_rgb_to_gray
- CVE: CVE-2011-2691
Crash in png_default_error due to use of NULL Pointer
- CVE: CVE-2011-2692
Memory corruption when handling empty sCAL chunks
- Update patches/01-legacy.patch
- Remove patches/02-632786-CVE-2011-2501.patch. Applied to upstream.
libpng (1.5.2-3) experimental; urgency=low
* Rename libpng15-dev to libpng-dev
libpng (1.5.2-2) experimental; urgency=low
* Fix 1-byte uninitialized memory reference in png_format_buffer()
Fix CVE-2011-2501
Add debian/patches/02-632786-CVE-2011-2501.patch
Closes: 632786
* Pass "-Zbzip2 -z9" to dpkg-deb
* Fix xc-package-type-in-debian-control
* Fix debian-rules-missing-recommended-target
libpng (1.2.44-3) unstable; urgency=high
* Fix 1-byte uninitialized memory reference in png_format_buffer()
Fix CVE-2011-2501
Add debian/patches/02-632786-CVE-2011-2501.patch
Closes: 632786
* Standards version is 3.9.2
* Fix xc-package-type-in-debian-control
* Fix debian-rules-missing-recommended-target
libpng (1.5.2-1) experimental; urgency=low
* New upstream release (Closes: #565821, #574257, #606867).
* Remove Sam Hocevar from Uploaders.
* Add myself to Uploaders.
* Remove libtool, automake and autoconf from Build-depends.
* Disable practice of autogen.sh from debian/rules.
* Remove support libpng3 package (Closes: #369104, #615558).
* Update debian/copyright.
- Update copyright holder.
- Add new license for contrib/pngsuite (Closes: #615558).
* Remove patches directory.
* Add libpng15-dev.lintian-overrides.
Overrides manpage-has-errors-from-man usr/share/man/man3/libpng.3.gz.
libpng (1.2.44-2) unstable; urgency=low
* debian/libpng3.links: fix up the compat symlink to point to /lib
Patch by Steve Langasek
Closes: #579074, LP: #284325
libpng (1.2.44-1) unstable; urgency=low
* New upstream release
Stop memory leak when reading a malformed sCAL chunk
libpng (1.2.43-1) unstable; urgency=high
* New upstream release
* Fix CVE-2010-0205 and Cert VU#576029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029
Do not stall and consume large quantities of memory while processing
certain Portable Network Graphics (PNG) files
Closes: 572308
libpng (1.2.42-2) unstable; urgency=low
* Merge 1.2.42-1ubuntu1
Move libpng from /usr/lib to /lib, so that plymouth is usable on
systems with a separate /usr.
* Fix out-of-date-standards-version
libpng (1.2.42-1ubuntu1) lucid; urgency=low
* Merge from Debian testing. Remaining changes:
- Move libpng from /usr/lib to /lib, so that plymouth is usable on
systems with a separate /usr.
libpng (1.2.42-1) unstable; urgency=low
* New upstream release
* Remove 02-export-png_set_strip_error_numbers.patch (merged)
* Fix debhelper-but-no-misc-depends
libpng (1.2.41-1ubuntu1) lucid; urgency=low
* Move libpng from /usr/lib to /lib, so that plymouth is usable on systems
with a separate /usr.
libpng (1.2.41-1) unstable; urgency=low
* New upstream release
* Debian source format is 3.0 (quilt)
* Update debian/watch
* Add 02-export-png_set_strip_error_numbers.patch
Define PNG_ERROR_NUMBERS_SUPPORTED
Upstream doesn't define PNG_ERROR_NUMBERS_SUPPORTED since 1.2.41. As
a consecuence, the symbol png_set_strip_error_numbe@@PNG12_0 wasn't
exported.
libpng (1.2.40-1) unstable; urgency=low
* New upstream release
libpng (1.2.39-1) unstable; urgency=low
* New upstream release
* Fix out-of-date-standards-version
* Fix patch-system-but-no-source-readme
libpng (1.2.38-1) unstable; urgency=low
* New upstream release
* Fix out-of-date-standards-version
* Update upstream homepage
Closes: 536474
libpng (1.2.37-1) unstable; urgency=low
* New upstream release
libpng (1.2.36-1) unstable; urgency=low
* New upstream release
* Standards-Version is 3.8.1
* debhelper compat is 7
* Run dh_prep instead of dh_clean -k
libpng (1.2.35-1) unstable; urgency=high
* New upstream release
- http://secunia.com/advisories/33970/
Fix a vulnerability reported by Tavis Ormandy in which
some arrays of pointers are not initialized prior to using
"malloc" to define the pointers.
Closes: #516256
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
The png_check_keyword function in pngwutil.c in libpng, might
allow context-dependent attackers to set the value of an
arbitrary memory location to zero via vectors involving
creation of crafted PNG files with keywords, related to an
implicit cast of the '\0' character constant to a NULL pointer.
* Don't build libpng3 when binary-indep target is not called.
Closes: #486415
libpng (1.2.33-2) unstable; urgency=low
* Fix the following lintian issues:
W: libpng12-0: copyright-refers-to-versionless-license-file
usr/share/common-licenses/GPL
libpng (1.2.33-1) experimental; urgency=low
* New upstream release
- Fix memory leak after reading a malformed tEXt chunk
libpng (1.2.32-1) experimental; urgency=low
* New upstream release
- libpng.pc is configured to do static linking; closes: #483477
- use autoconf variables in .pc and libpng-config; closes: #483478
* Remove debian/patches/02-501109-pngtest.c.diff; it was merged
libpng (1.2.27-2) unstable; urgency=medium
* Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109
* Standards-Version is 3.8.0
libpng (1.2.27-1) unstable; urgency=low
* New upstream release
* Patches merged upstream:
debian/patches/02-476669-CVE-2008-1382.diff
debian/patches/03-404514-png.5.diff
* Run ./autogen.sh
libpng (1.2.26-1) unstable; urgency=high
* New upstream release. Closes: #431202
* Use quilt
Add 01-legacy.diff
* Fix CVE-2008-1382 denial of service and possibly code execution
Add 02-476669-CVE-2008-1382.diff
Closes: #476669
* Fix URL in png.5. Closes: #404514
Add 03-404514-png.5.diff
* Move examples to libpng12-dev. Closes: #401467
* Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126
* Fix the following lintian issues:
W: libpng source: debian-rules-ignores-make-clean-error line 37
W: libpng source: substvar-source-version-is-deprecated libpng12-dev
W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3)
W: libpng12-0-udeb udeb: description-contains-homepage
W: libpng3: description-contains-homepage
W: libpng12-dev: description-contains-homepage
W: libpng12-0: package-contains-empty-directory usr/bin/
W: libpng12-0: package-contains-empty-directory usr/sbin/
W: libpng12-0: description-contains-homepage
W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming
libpng (1.2.15~beta5-3) unstable; urgency=high
* ACKed NMU.
* Fixed out-of-bounds read operations triggered by crafted
png image files (CVE-2007-5269) (Closes: #446308).
libpng (1.2.15~beta5-2.1) unstable; urgency=high
* Non-maintainer upload by testing security team.
* Fixed out-of-bounds read operations triggered by crafted
png image files (CVE-2007-5269) (Closes: #446308).
libpng (1.2.15~beta5-2) unstable; urgency=high
* It seems that a grayscale image with a malformed (bad CRC) tRNS
chunk will crash libpng and mozilla. Closes: #424729.
- CVE-2007-2445
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445
- CERT Vulnerability Note VU#684664
http://www.kb.cert.org/vuls/id/684664
libpng (1.2.15~beta5-1) unstable; urgency=low
* Applied legacy_symbols.patch.
* Changed shlibs dependecy versions to ">= 1.2.13-4".
* libpng12-0: Added the following conflicts: mzscheme (<= 1:209-5),
pngcrush (<= 1.5.10-2), pngmeta (<= 1.11-3), qemacs (<= 0.3.1-5),
povray-3.5 (<= 3.5.0c-10).
libpng (1.2.15~beta5-0) unstable; urgency=high
* New upstream release.
- Fixed asm API functions not exported on amd64. Closes: #401044.
- Fixed "libpng hangs when saving profile". Closes: #401423.
* Fixed "Incorrect shlibs information". Closes: #401465.
* Removed patches for png.h and pngconf.h.
* Updated debian/watch.
libpng (1.2.13-4) unstable; urgency=low
* Removed drop_pass_width patch. Closes: #399499.
libpng (1.2.13-3) unstable; urgency=low
* libpng12-dev: removed the conflict with libpng3-dev.
libpng (1.2.13-2) unstable; urgency=low
* Put back binary package libpng3.
libpng (1.2.13-1) unstable; urgency=low
* Fixed conflict with the new libpng package. Closes: #399296.
* Fixed png.5 man page formatting. Closes: #353061.
Patch by Kevin Ryde <[email protected]>.
libpng (1.2.13-0) unstable; urgency=high
* New upstream release.
* CVE-2006-5793: Fixed a new security issue regarding malformed
sPLT chunks. Closes: #398706.
* Transitional package libpng3 is not shipped anymore.
Closes: #369104.
libpng (1.2.12-0) unstable; urgency=high
* New upstream release. Closes: #366070.
* CVE-2006-3334: Fixed Buffer overflow in the png_decompress_chunk
function in pngrutil.c in libpng before 1.2.12 allows
context-dependent attackers to cause a denial of service and
possibly execute arbitrary code via unspecified vectors related
to "chunk error processing," possibly involving the "chunk_name".
Closes: #397892.
* Removed debian/x86_patches/pnggccrd-PIC.patch as it's merged
upstream.
libpng (1.2.8rel-7) unstable; urgency=low
* New maintainer. Closes: #393109.
* ACK NMUs. Closes: #378463, #377298, #356252.
* debian/control:
- set Standards-Version to 3.7.2.
- set Priority to extra for libpng12-0-udeb.
- added ${misc:Depends} to libpng12-0 and libpng12-0-udeb
dependency lists.
* Added debian/watch file.
libpng (1.2.8rel-6) unstable; urgency=low
* Orphaning package.
libpng (1.2.8rel-5.2) unstable; urgency=low
* Non-maintainer upload.
* Backport changes from 1.2.12 to fix a buffer overflow in
png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334]
(Closes: #377298)
libpng (1.2.8rel-5.1) unstable; urgency=low
* Non Maintainer Upload (closes: #356252).
* Add support for udeb dependency resolution in shlibs file.
* Update debhelper compatibility to level 5.
libpng (1.2.8rel-5) unstable; urgency=low
* drop_pass_width.patch: don't export png_pass_width, it's absolutely
unnecessary.
* libpng12-0.shlibs: downgrade the shlibs accordingly
(closes: #331383).
libpng (1.2.8rel-4) unstable; urgency=low
* makefile.patch:
+ Use PNG_PRIVATE to get the list of private symbols as well. It
sucks, but they've been there for too long (closes: #329886).
+ Use mawk instead of awk (closes: #329812).
* control: build-depend on mawk.
* rules:
+ Use -O2, not -O3.
+ Actually run the tests.
+ Make use of x86_patches/ on x86 architectures.
* x86_patches/mmxbuild.patch: build MMX routines in pnggccrd.c.
* x86_patches/pnggccrd-PIC.patch: patch from Christian Aichinger
to make the assembly routines PIC-compatible.
* libpng12-0.shlibs: bump the shlibs version.
libpng (1.2.8rel-3) unstable; urgency=low
* Upload to unstable.
* Rename the source package to libpng.
libpng3 (1.2.8rel-2) experimental; urgency=low
* makefile.patch:
+ now patch makefile.elf, so that only public symbols are truly
exported.
+ shorten the differences as much as possible.
* rules: use makefile.elf now.
* Move libpng3 to oldlibs.
* Entirely remove libpng3-dev, making libpng12-dev provide it
(closes: #322051).
* poynton.patch: correct Charles Poynton's address (closes: #289437).
* Don't run the test when cross-building (closes: #285427).
* setjmp_error.patch: don't stop when we are not using _BSD_SOURCE, as
in this case this is harmless (closes: #299343).
* libpng3.postinst: removed, the fix is in sarge.
* Standards-version is 3.6.2.
* legacy_symbols.patch: still export png_read_destroy and
png_write_destroy, which are deprecated but should nevertheless be
accessible.
libpng3 (1.2.8rel-1) unstable; urgency=medium
* New upstream release.
* read_transformations.patch: removed, included upstream.
* libpng12-0.shlibs: Update to version 1.2.8rel, new flags seem to have been
added.
libpng3 (1.2.8beta5-2) unstable; urgency=medium
* read_transformations.patch: fix segmentation fault with latex
(closes: #281789) and totem (closes: #278618).
libpng3 (1.2.8beta5-1) unstable; urgency=medium
* New upstream release.
+ Correct segmentation violation in png_combine_row.
Closes: #278526, #278917, #278921, #279258, #281789, #282368.
libpng3 (1.2.7-1) unstable; urgency=medium
* New upstream release (closes: #278308).
* libpng12-0.shlibs: update shlibs to version 1.2.7.
* Remove all security fixed, they are included upstream.
libpng3 (1.2.5.0-9) unstable; urgency=high
* CAN-2004-0954.patch: removed, this is already fixed in
CAN-2004-0597_0598_0599.patch.
libpng3 (1.2.5.0-8) unstable; urgency=high
* Switch to CDBS.
+ Ship modifications and security fixes in debian/patches.
+ debian/rules: rewritten.
+ debian/control: build-depend on cdbs.
+ debian/libpng12-0.shlibs: new.
* setjmp_error.patch: port explanation of the error when including setjmp.h
from libpng10, thanks Matijs van Zuijlen <[email protected]>
(closes: #273473).
* CAN-2004-0954.patch: fix buffer overflow vulnerability in
png_handle_tRNS().
* CAN-2004-0955.patch: fix integer arithmetic overflow vulnerability in
png_read_png().
libpng3 (1.2.5.0-7) unstable; urgency=high
* pngrtran.c: applied upstream patch 4 to fix incorrect calculation of
buffer offsets [CAN-2004-0768].
* png.h, pngpread.c, pngrutil.c: patch from Chris Evans
<[email protected]> to fix several vulnerabilities (closes: #263500):
+ libpng fails to properly check length on PNG data [CAN-2004-0597].
+ libpng "png_handle_sBIT" does not perform proper checks to avoid stack
buffer overflow [CAN-2004-0597].
+ libpng "png_handle_iCCP" possible NULL-pointer crash
[CAN-2004-0598].
+ libpng "png_handle_sPLT" possible integer overflow
[CAN-2004-0599].
+ libpng "png_read_png" does not properly handle a PNG with excessive
height (integer overflow) [CAN-2004-0599].
+ libpng progressive reading integer overflow [CAN-2004-0599].
libpng3 (1.2.5.0-6) unstable; urgency=high
* pngerror.c: applied patch by Steve Grubb <[email protected]> to
fix unintended memory access that could result in a crash of the
application linking against libpng [CAN-2004-0421].
libpng3 (1.2.5.0-5) unstable; urgency=low
* Use debhelper 4.2, which generates the udeb appropriately.
* Update control and rules appropriately.
* Don't use ${shlibs:Depends} for the udeb, rather write the
dependencies by hand.
* Standards-version is 3.6.1.
libpng3 (1.2.5.0-4) unstable; urgency=low
* scripts/makefile.linux: use versioned dependencies
(closes: #155891).
* debian/rules: bump dependency for dh_makeshlibs.
* add the libpng.a link in libpng12-dev.
* Rework scripts/makefile.linux to make it more consistent.
* Update stuff in debian/ accordingly.
* Updated README.Debian.
libpng3 (1.2.5.0-3) unstable; urgency=low
* Make libpng3{,-dev} depend on libpng12-{0,dev} >= 1.2.5.0-2 instead
of the strict source version.
* Move /usr/share/doc/libpng3{,-dev} into symlinks at postinst time
when directories already exist.
* debian/rules: install correctly doc-base stuff.
* debian/libpng12-dev.doc-base: updated URIs.
libpng3 (1.2.5.0-2) unstable; urgency=low
* scripts/{makefile.linux,libpng-config-body.in}: correct the
libpng12-config script.
* Install correctly pkg-config stuff (closes: #191081).
* Make libpng12-dev conflict explicitly with libpng12-0-dev.
* Update README.Debian.
libpng3 (1.2.5.0-1) unstable; urgency=low
* New maintainer.
* Use real upstream tarball from 1.2.5 release.
* Use dpkg-source's way instead of dpatch for patching.
* A bit of rework in debian/rules, use dh_install and debhelper 4.
* Standards-version is 3.5.9.
* The -dev package is now named libpng12-dev (stop using the
libpkg-guide way).
* libpng3 is now arch-independent.
* Improved descriptions a bit.
* Don't supply libpngpf.3, it is not useful to programmers.
libpng3 (1.2.5-11) unstable; urgency=low
* Add udeb (closes: #174842)
* Add missing section on source files.
libpng3 (1.2.5-10) unstable; urgency=low
* Rebuild with d-shlibs with fixed "libgcc_s1-dev" handling (for gcc-3.2).
(closes: #178070), build-depend on d-shlibs 0.10 or greater.
libpng3 (1.2.5-9) unstable; urgency=low
* Use dpatch for patch system -- divide Debian patch, and security fix patch.
* Standards-Version: 3.5.8
* add manual page libpng-config.1 and libpng12-config.1
libpng3 (1.2.5-8) unstable; urgency=low
* Sorry folks, I made a mistake.
* Forward-port of patch from the Security Team,
really apply what was there. (closes: #172868,#172871)
libpng3 (1.2.5-7) unstable; urgency=high
* Forward-port of patch from the Security Team
* Applied patch to pngrtran.c by Glenn Randers-Pehrson
<[email protected]> to fix a buffer overrun.
libpng3 (1.2.5-6) unstable; urgency=low
* Typo in scripts/makefile.linux.
Mistake. -lz and -lm weren't happening.
* Change LDFLAGS to not list -lz -lm, so that testsuite will catch such error.
* set prefix=/usr/ in scripts/makefile.linux, since it was set to usr/local.
libpng3 (1.2.5-5) unstable; urgency=low
* scripts/makefile.linux: LIBADDFLAGS introduced, for shared library lib
additional
flags, and use that for shared library.
- this should fix build failure (closes: #166704)
Thanks Daniel Schepler <[email protected]> for reporting.
* updated copyright file to note that libpng3 in Debian is patched to
link with -lz -lm.
libpng3 (1.2.5-4) unstable; urgency=low
* Trying to fix the problem that libpng3 seems to be not linked against libz.
LDFLAGS was defined but not being used.
Thanks Mike Furr <[email protected]> for reporting (closes: #166489)
libpng3 (1.2.5-3) unstable; urgency=low
* Fixed description, I mixed up the -devel and non-devel
packages.
* updated README.Debian.
libpng3 (1.2.5-2) unstable; urgency=low
* careless mistake :(
* reinstall libpng.so symlink in libpng-12-0-dev package.
Otherwise other packages won't build ...
libpng3 (1.2.5-1) unstable; urgency=low
* New upstream version (closes: #163425)
* re-patched makefile.linux to work with system zlib,
added workaround to set CFLAGS, and remove rpath settings from LDFLAGS
* Use debhelper.
* No longer create /usr/doc symlinks.
* Standards-Version: 3.5.7
libpng3 (1.2.1-5) unstable; urgency=low
* Not yet released.
* Change priority from standard to optional.
libpng3 (1.2.1-4) unstable; urgency=low
* change -dev dependency of libc6-dev to libc-dev
libpng3 (1.2.1-3) unstable; urgency=low
* Security fix backported from 1.2.4. Check bounds of variables.
(closes: #155403)
libpng3 (1.2.1-2) unstable; urgency=low
* New maintainer (closes: #151343)
* apply buffer overflow patch for interlaced png files (closes: #150595)
* update description for libpng3-dev.
* change libpng-dev to libpng3-dev
libpng3 (1.2.1-1.1) unstable; urgency=low
* NMU
* Provides: libpng2-dev has been changed to Provides: libpng3-dev
libpng2-dev can be put back in when some kind of sane transition has
finished.
(closes: #128384, #128871, #129268, #129269)
libpng3 (1.2.1-1) unstable; urgency=low
* New upstream version; closes: #125679.
* New source package name: libpng3.
* Renamed libpng<x>-dev to libpng-dev to avoid having to maintain several
development packages (the -dev is source compatible).
* Moved png.5 into the -dev package.
* Added a Replaces: libpng2 to libpng-dev so that we can steal the png.5
manpage without fuss.
* Changed debian/shlibs for libpng3.
* Compress examples/pngtest.c.
libpng (1.0.12-3) unstable; urgency=low
* Moved the png.5 manpage to the dev package to allow multiple libpng<n>
packages installed at the same time.
libpng (1.0.12-2) unstable; urgency=low
* Changed libpng2-dev's section to devel to resync with override file.
* Fixed upstream version detection in debian/rules; closes: #105931.
libpng (1.0.12-1) unstable; urgency=low
* New upstream release; closes: #105354.
* Bumped dependency information in debian/shlibs to libpng >= 1.0.12
since there were some non-backwards compatible changes to the API.
* Added support for DEB_BUILD_OPTIONS and get-orig-source to debian/rules.
* Added call to ldconfig on postrm's remove.
* Removed INSTALL file from /usr/share/doc/libpng2.
* Bumped standards version to 3.5.5.0.
libpng (1.0.11-1) unstable; urgency=low
* New upstream release.
libpng (1.0.10-2) unstable; urgency=low
* Force recompile because of bad sparc package.
* Libpng2's priority changed to standard to comply with the override file.
libpng (1.0.10-1) unstable; urgency=low
* New upstream release.
* Changed shlib to depend on libpng2 (>= 2.0.10) because of
non-backwards compatible changes.
libpng (1.0.8-1) unstable; urgency=low
* Changed the doc-base type from 'test' to 'text'; closes: #59877.
* New upstream relase 1.0.8; closes: #70464.
* Updated copyright notice.
* Removed Y2kINFO from the doc directory.
* Added pngtest.c in examples; closes: #65229.
* Updated to standards version 3.2.1.0.
* Added build-depends line in control file; closes: #69291.
libpng (1.0.5-1) frozen unstable; urgency=low
* Maintainer upload (closes: #48244, #48246).
* Added some extra explanations for the setjmp.h mess (closes: #56759),
see pngconf.h for details.
libpng (1.0.5-0.1) unstable; urgency=low
* Non-maintainer release.
* New upstream release. (closes:Bug#48244).
* Remove versioned depend from shlibs (closes:Bug#48246).
libpng (1.0.3-1) unstable; urgency=low
* New upstream version (1.0.3); Closes: #31870, #46333.
* Maintainer upload, closes NMU bugs; Closes: #28412, #31523, #31690.
* FHS compliant.
* New standard-version 3.0.1.
* Lintian clean.
* Removed temporary zlib1g line in control file (used to be a bug in
zlib1g).
* Moved the documentation file to the -dev package.
* Register documentation file to doc-base.
* Fontified man pages with addformat script; Closes #38680.
libpng (1.0.2b-0.1) frozen unstable; urgency=low
* New upstream (bug-fix only) version.
(Should fix bugs #31690滼, since I can't reproduce them)
From the author:
"I have recently uploaded libpng-1.0.2b to
ftp://swrinde.nde.swri.edu/pub/png-group/src
I plan to release it as libpng-1.0.3 in a
few days, but would like to hear whether it
fixes the problems with GNOME.
It restores a few lines of code that were
inadvertently deleted from pngread.c, which
seems to be the cause of problems with adding
an alpha channel (which you fixed by downgrading
to libpng-1.0.1's pngread.c)."
[Glenn Randers-Pehrson <[email protected]>]
* Masquerade version number to 1.0.3 to make Imlib & Co. happy.
libpng (1.0.2-1.1) frozen unstable; urgency=low
* Fix Important bug #28412
(using pngread.c from libpng-1.0.1 did the trick).
libpng (1.0.2-1) unstable; urgency=low
* Maintainer release (to change a bit).
* Pristine sources.
* Libpng2-dev includes example.c (fixes bug #10315).
* Changed control file to reflect difference with libpng0g (fixes #23795).
* Recompiled (should fix the zlib1g missing symbol, bug #24450).
* Added -D_REENTRANT also to static library.
* Added a dependency upon zlib1g >= 1.1.2 (otherwise we get a missing
symbol) (fixes bug #24450).
libpng (1.0.2-0.1) unstable; urgency=low
* Non-maintainer release
* New upstream version
libpng (1.0.1-0.2) unstable; urgency=medium
* debian/rules (binary-arch): don't call install with -s as an
argument when installing a shared library; it doesn't know to use
--strip-unneeded, and we call strip separately later anyway.
* scripts/makefile.lnx (CFLAGS): killed i386-isms.
* scripts/makefile.lnx: compiled shared libraries with -D_REENTRANT.
(The above fixes are from James Troup, who yet again, alerted me to
my screwups ;)
* debian/postinst: only call ldconfig if $1 = configure.
libpng (1.0.1-0.1) unstable; urgency=low
* New upstream bug fix release.
* Include man pages.
libpng (1.0.0-0.1) unstable; urgency=low
* Non-maintainer Release.
* New Upstream Release.
* Changed source package name to `libpng'.
* Added `-f makefile.lnx' to make invocations in debian/rules.
* Removed `ldconfig' call from postrm.
libpng0 (0.96-5) unstable; urgency=low
* Removed executable permissions on shared libs (fixes bug #15478).
* Updated Standards-Version to 2.3.0.1.
libpng0 (0.96-4) unstable; urgency=low
* Shared libraries are stripped with --strip-unneeded and static
libraries with --strip-debug (fixes bug #15669).
* Made the build strip non-i386 specific (patch by James Troup) (fixes
bug #13832).
* Removed the dependency between the libc5 and libc6 versions.
libpng0 (0.96-3) unstable; urgency=low
* Libc6 compilation.
libpng0 (0.96-2) unstable; urgency=low
* Fixed permissions in /usr/doc/libpng0 (fixes bug #10540).
libpng0 (0.96-1) unstable; urgency=low
* New upstream sources.
libpng0 (0.95b-1) unstable; urgency=low
* New maintainer.
* Upgraded to upstream version 0.95b.
* Make debian/rules version independent.
* Debian/rules clean now removes substvars.
* Bumped the shlibs version to 0.95 as some incompatibilities were
introduced between 0.89 and 0.90.
* Added the Section: and Priority: fields to the control file (fixes bug
#6370).
* Now /usr/doc/libpng0 contains various info and the debian change log
stuff (fixes bug #7925).
* Added -D_REENTRANT compilation flag.
libpng (0.89c-6) unstable; urgency=low
* Moved shlibs file to correct location
libpng (0.89c-5) unstable; urgency=low
* Added shlibs file
libpng (0.89c-4) unstable; urgency=low
* Now stripping shared libraries (Bug#5134)
libpng (0.89c-3) unstable; urgency=low
* Corrected maintainers address
libpng (0.89c-2) unstable; urgency=low
* Accommodate the fact that dpkg-source doesn't properly preserve
permissions on scripts when extracting package. (Bug#4513)
libpng (0.89c-1) unstable; urgency=low
* New upstream version.
* Moved to new source packaging format.
|
What does this mean, exactly? Does it mean that if someone now submitted APNG support into libpng, there would be high probability it would be actually accepted? |
|
There are two proven approaches to APNG support and they are mostly incompatible. The first, written by Mozilla but maybe no long used, modifies the distributed libpng library, the second uses the distributed library as-is and handles APNG via the existing "unknown" chunk mechanism. The Mozilla approach broke other things: https://bugs.gentoo.org/824834 The issues are discussed at length here: https://bugs.gentoo.org/824018 To copy'n'paste two (separate) lines from #824018:
It isn't clear to me that either approach is likely to interact correctly with the existing https://www.w3.org/TR/png-3/ figure 13: I see no restriction on fdAT or fcTL with regard to colortype 3 (but as I said I might be missing something). The simple answer to all this is to provide This has the additional advantage that currently applications which handle static images would not suffer code bloat from something else they don't use. Since both Google and Apple have done it this way (using, I assume, unknown chunk handling) and since this has probably defined a "minimal" support API this approach seems compelling. The alternative would have to work in the presence of all the libpng transform APIs or it would have to do exactly the same thing as my hypothetical In any case there is the issue of authoring APNG files; |
|
I'm not yet familiar with libpng's transformations. I'm trying to follow so I understand the problem. My concern is if this is a spec problem. If so, we can change the spec. |
|
As far as I remember from old discussions when it was implemented in Chromium, blending is done manually, and there are test images that cover such things: http://littlesvr.ca/apng/test.html |
|
That is correct. Chromium currently treats each frame as full. |
I mean the set of APIs implemented in pngrtran.c (for APNG read), pngwtran.c (for APNG write) and pngtrans.c (for both). Doing a quick grep there are 35 APIs in there but a few are support APIs. If the libpng user (app or library) can get hold of the png_struct then it is to be expected that those APIs will be invoked. Despite my earlier misgivings I've worked out an implementation inside libpng itself which leverages the transforms to allow the user to get the necessary result regardless of what it is. libpng already defines the behavior of these transforms and there is no need for invention here because the two possibilites of extracting the subframe with alpha or composing the subframe into the rows supplied by the user are adequate for APNG. I also have an algorithm for defining colortype 3 compostion which is really only likely for GIFs with a single transparent color; 0<alpha<1 can be handled by halftoning. I'm also pretty sure that this can be done without breaking the existing API; breaking the API isn't an option, so that means preserving the default "unknown" chunk handling. It turns out that this just works when done correctly and the current unknown chunk handling seems entirely sufficient to address the major issue of having to buffer the entire stream under some circumstances. In addition I think it is even possible to do this in a minor release; that requires ABI downward compatibility (existing apps/libraries need not be recompiled) as well as complete API compatibility (excepting previously deprecated APIs). Nevertheless the final decision is Cosmin's and there is a strong argument for a major release because major releases can coexist on the same machine. E.g. I can have libpng 1.0, 1.2, 1.4, 1.5 and 1.6 all installed at the same time just like I do, at present, have Qt5 and Qt6 both installed.
That's a minimal requirement of PNG editors; they need the original data, however my point above is that both options are fully supported at present along with all the transformations required to convert to a common format (e.g. 8-bit RGBA). In other words the code is already there.
This is a decoder issue, the decoder, which is libpng plus however the app/library uses it, can do what it wants. The spec only recommends (like gamma correction, like doing alpha composition correctly, like ignoring cHRM or iCCP or cICP). How many apps actually support cHRM? It's easy - libpng provides a function to return the corresponding CIEXYZ triple - but how many apps do any colour correction? One this is certain; libpng supports alpha composition (though I do need to check that APNG_BLEND_OP_SOURCE is possible) but not with colour correction; gAMA handling happens, but cHRM, iCCP and cICP will never work inside libpng without a major rewrite (floating point format support). That includes the encoding transforms in iCCP and cICP both of which can generate values outside the range 0..1, particularly the absolute values in cICP (I don't know if that is possible in an ICC profile, but I don't care since libpng provides no support for iCCP beyond the decompression and basic checks; like eXIf.) Spec concerns I have are with regard to tight definition of the format and I've yet to find a spec issue in the APNG stuff. There are a couple of things that may benefit from clarification though I think they're pretty clear:
Would it be possible for those to be licensed/unlicensed/public-domained so that libpng can include them in releases (source tarballs)? Without test images we can't write unit tests and the lack of unit tests has been a real source of bad bugs over the years. With regard to blending all possibilities seem to have the required coverage in libpng. The API means that the app has to handle the placement (but not actual composition) of a frame within the canvas which means the app has to handle the gnarly problem of frames with sub-pixel alignment (low bit gray and palette). libpng never had any meaningful support for oFFs. So far as a high level API is concerned I would expect it to behave like the Simplified API and simplify! Make it so that frames were expanded to a small number of formats (fewer than the Simplified API, maybe just RGBA and GA) and handle the compose/dispose stuff internally, so the output frames can be displayed without any more work (other than composition onto the background if it's not fixed.) I took a quick look at the Rust png crate but it doesn't seem to document what next_frame returns; the result could be either. Seems to be UTSL or experiment (suck it and see.) |
|
In view of @ctruta's lack of comment since Chris's apparent declaration of a putsch on April 29, 2021 I've abandoned the direct modification approach. It doesn't buy anything but unending pain: Cosmin has to accept it, but where? 1.6.44 was, as I understand it, a final clean-up so would everyone have to wait for libpng2, or libpng-ng? A separate library would use the Google/Apple approach (if I understand it; I deliberately haven't read the code, I have no desire to be sued). It would work with most versions of libpng (1.6 but not just 1.6) it wouldn't break any API on the planet (obviously, at least I hope that's obvious) and, if Cosmin accepts the small add of a sub-project or sub-directory, it would be part of libpng. |
I tried to reach out to the author of the test, but he doesn't reply for some reason. The test is already used by the WebKit project at least. It was proposed here by its creator and merged afterwards, all the test files are in the WebKit repository. So I think it should be fine to use the files in this project too. |
|
I'm going to have to build my own test set; the delays in those images are too small to see the intermediate bugs (possibly WebKit test is using automatic capture and binary compare for unit tests.) I can alter timings, blend and disposal modes with Jason Summer's TweakPNG but the current version doesn't seem to support addition of an fDAT (e.g. by importing a PNG file). The other things I found on the web are what O would call converters - apngasm for example seems to take full frames and then make its own choice of how to optimally represent them. There used to be a png->text->png set of converters but I can't find that code any more. It seems it's time for a good basic assembly/disassembly tool. The basic functionality for one is also a library requirement; editors need to be able to extract individual uncomposed frames |
|
Yes, you can use the test set http://littlesvr.ca/apng/test.html whatever you like, |
I sort-of remember something called pngdump which would output a textual representation of a PNG. I was thinking of writing something which would do that but then be able to read it back in and produce the corresponding (binary) PNG. I have to admit I've completely lost enthusiasm for doing anything at this point; the W3C seems to have decided to do nothing (just document the current private chunks, which are a done deal). |
|
Here is libpng 1.6.44 patched with APNG support: and the demos:
|
|
Here is libpng 1.6.45 patched with APNG support: |
|
Another is libpng 1.6.45 patched with APNG support with extra files fot wxWidgets library: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello, I don't know why the apng project is kept separate, I see arch-linux is adding the patch manually, and some people asked me to do the same in Debian...
do you have any good reason for not merging the patch into the main repo?
https://sourceforge.net/projects/libpng-apng/
thanks
The text was updated successfully, but these errors were encountered: