
Upgrade libpng to 1.6.37 (fixes vulnerability) #30564

Closed
mkoeppe opened this issue Sep 12, 2020 · 14 comments · Fixed by #38522

Comments

@mkoeppe
Contributor

mkoeppe commented Sep 12, 2020

The libpng homepage warns:

Vulnerability Warning

libpng versions 1.6.36 and earlier have a use-after-free bug in the simplified libpng API png_image_free(). It has been assigned ID CVE-2019-7317.
The vulnerability is fixed in version 1.6.37, released on 15 April 2019.

Before this ticket we have libpng 1.6.29, which has the vulnerability. This ticket upgrades to libpng 1.6.37, which fixes it.

Previous update: #22159 (1.6.29)

Tarball: see checksums.ini

CC: @jpflori @frederichan-IMJPRG @tscrim @slel @dimpase

Component: packages: standard

Author: Matthias Koeppe

Reviewer: Dima Pasechnik

Issue created by migration from https://trac.sagemath.org/ticket/30564

@mkoeppe mkoeppe added this to the sage-9.2 milestone Sep 12, 2020
@mkoeppe
Contributor Author

mkoeppe commented Sep 12, 2020

@mkoeppe
Contributor Author

mkoeppe commented Sep 12, 2020

New commits:

5ae93cc build/pkgs/libpng: Upgrade to 1.6.37
569050b build/pkgs/libpng/spkg-install.in: Remove outdated CFLAGS, CPPFLAGS settings
d6c59f4 build/pkgs/libpng/spkg-install.in: Do not build a static library

@mkoeppe
Contributor Author

mkoeppe commented Sep 12, 2020

Author: Matthias Koeppe

@mkoeppe
Contributor Author

mkoeppe commented Sep 12, 2020

Commit: d6c59f4


@dimpase
Member

dimpase commented Sep 13, 2020

comment:4

lgtm

@dimpase
Member

dimpase commented Sep 13, 2020

Reviewer: Dima Pasechnik

@mkoeppe
Contributor Author

mkoeppe commented Sep 13, 2020

comment:5

Thanks!

@vbraun
Member

vbraun commented Sep 18, 2020

@vbraun
Member

vbraun commented Sep 20, 2020

comment:7
************************************************************************
Traceback (most recent call last):
  File "setup.py", line 48, in <module>
    from sage_setup.command.sage_build_cython import sage_build_cython
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/command/sage_build_cython.py", line 19, in <module>
    from sage_setup.library_order import library_order
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/library_order.py", line 35, in <module>
    png_pc = pkgconfig.parse('libpng')
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 248, in parse
    _raise_if_not_exists(package)
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 103, in _raise_if_not_exists
    raise PackageNotFoundError(package)
pkgconfig.pkgconfig.PackageNotFoundError: libpng not found
************************************************************************

@vbraun
Member

vbraun commented Sep 20, 2020

Changed commit from d6c59f4 to none

@vbraun vbraun reopened this Sep 20, 2020
@dimpase
Member

dimpase commented Sep 27, 2020

comment:8

hmm, libpng installs an unversioned libpng.pc, which is a link to libpng16.pc - could it be that pkgconfig.parse('libpng') does not like it (on macOS - it seems)?
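A defender-side check that ties the version threshold quoted in the issue description to the libpng.pc / libpng16.pc observation above: an added example, not Sage's or libpng's own code, that reads the Version: field of a pkg-config .pc file and reports whether that libpng predates the 1.6.37 fix for CVE-2019-7317. The .pc contents are constructed samples; whichever name the file is opened under, the Version: field is what decides.

```python
import re
from typing import Optional, Tuple

# First release that fixes CVE-2019-7317 (use-after-free in png_image_free()),
# per the libpng warning quoted in the issue. The trailing 1 marks a final
# release, so pre-releases of 1.6.37 sort below it.
FIXED_VERSION = (1, 6, 37, 1)

# Constructed sample .pc contents (not taken from the page): the 1.6.29 that
# Sage shipped before this ticket, and the 1.6.37 it upgrades to.
SAMPLE_PC_OLD = """\
prefix=/opt/sage/local
libdir=${prefix}/lib
Name: libpng
Description: Loads and saves PNG files
Version: 1.6.29
Libs: -L${libdir} -lpng16
"""
SAMPLE_PC_NEW = SAMPLE_PC_OLD.replace("1.6.29", "1.6.37")


def pc_version(pc_text: str) -> Optional[str]:
    """Return the Version: field of a pkg-config .pc file, or None if absent."""
    for line in pc_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "version":
            return value.strip()
    return None


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Map '1.6.37' to (1, 6, 37, 1) and a pre-release such as '1.6.37beta01'
    to (1, 6, 37, 0), so pre-releases are conservatively treated as affected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised libpng version string: {ver!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(pc_text: str) -> bool:
    """True if the libpng described by this .pc file predates the 1.6.37 fix."""
    ver = pc_version(pc_text)
    if ver is None:
        raise ValueError("no Version: field in .pc file")
    return parse_version(ver) < FIXED_VERSION
```

On a real system, pass the text of `$(pkg-config --variable=pcfiledir libpng)/libpng.pc` to `is_affected`; a missing file is the same failure the traceback above reports.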

@mkoeppe mkoeppe modified the milestones: sage-9.2, sage-9.3 Oct 24, 2020
@mkoeppe
Contributor Author

mkoeppe commented May 10, 2021

comment:10

Moving to 9.4, as 9.3 has been released.

@mkoeppe mkoeppe modified the milestones: sage-9.3, sage-9.4 May 10, 2021
@mkoeppe mkoeppe modified the milestones: sage-9.4, sage-9.5 Aug 22, 2021
@mkoeppe mkoeppe removed this from the sage-9.5 milestone Dec 18, 2021
@mkoeppe mkoeppe added this to the sage-9.6 milestone Dec 18, 2021
@mkoeppe mkoeppe modified the milestones: sage-9.6, sage-9.7 May 3, 2022
@mkoeppe mkoeppe modified the milestones: sage-9.7, sage-9.8 Sep 19, 2022
@mkoeppe mkoeppe removed this from the sage-9.8 milestone Jan 29, 2023
@mkoeppe
Contributor Author

mkoeppe commented Aug 18, 2024

Removed branch from ticket description; replaced by PR #38522.

vbraun pushed a commit to vbraun/sage that referenced this issue Aug 27, 2024

Rebased and updated from sagemath#30564. Fixes sagemath#30564

### 📝 Checklist


- [x] The title is concise and informative.
- [ ] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation and checked the documentation
preview.

### ⌛ Dependencies

URL: sagemath#38522
Reported by: Matthias Köppe
Reviewer(s): Kwankyu Lee
vbraun pushed a commit to vbraun/sage that referenced this issue Aug 28, 2024
@mkoeppe mkoeppe added this to the sage-10.5 milestone Sep 3, 2024