This is a straightforward update to libpng 1.5.9, which already includes the security fixes we had to shoehorn into the port.
I bumped the library because png_struct changed. It's supposed to be opaque and we probably don't really need the bump, but... I don't expect any fallout from this update. Index: Makefile =================================================================== RCS file: /cvs/ports/graphics/png/Makefile,v retrieving revision 1.84 diff -u -p -r1.84 Makefile --- Makefile 17 Feb 2012 15:44:13 -0000 1.84 +++ Makefile 25 Feb 2012 18:27:47 -0000 @@ -2,11 +2,10 @@ COMMENT= library for manipulating PNG images -REVISION= 1 -VERSION= 1.5.6 +VERSION= 1.5.9 DISTNAME= libpng-${VERSION} PKGNAME= png-${VERSION} -SHARED_LIBS= png 13.0 +SHARED_LIBS= png 14.0 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=libpng/} Index: distinfo =================================================================== RCS file: /cvs/ports/graphics/png/distinfo,v retrieving revision 1.30 diff -u -p -r1.30 distinfo --- distinfo 14 Nov 2011 17:48:59 -0000 1.30 +++ distinfo 25 Feb 2012 18:27:47 -0000 @@ -1,5 +1,5 @@ -MD5 (libpng-1.5.6.tar.gz) = iwwF7RJjfuHwYN37v1Juow== -RMD160 (libpng-1.5.6.tar.gz) = k+8DwEmdUbqn0Q8oyaZTA0JTqEY= -SHA1 (libpng-1.5.6.tar.gz) = Bo0wioIAPLskYC/9/HOMyEjPTq8= -SHA256 (libpng-1.5.6.tar.gz) = Hc2lannwYYbTBAuAlauAfQdpUrS8t1eZNqohsIGTpUo= -SIZE (libpng-1.5.6.tar.gz) = 1051616 +MD5 (libpng-1.5.9.tar.gz) = x0C6Zs1wdLokcbak/0jh+w== +RMD160 (libpng-1.5.9.tar.gz) = P+f7QB8ayFCr4gGHcgZABUyF0xQ= +SHA1 (libpng-1.5.9.tar.gz) = 5FOEdZhU4EkwUbFfaRXAFWLC/CQ= +SHA256 (libpng-1.5.9.tar.gz) = t12uJhUfmwMQYsjS9XeglLCNoK5E/owRF10Ln/Q0zAI= +SIZE (libpng-1.5.9.tar.gz) = 1065637 Index: patches/patch-pngerror_c =================================================================== RCS file: patches/patch-pngerror_c diff -N patches/patch-pngerror_c --- patches/patch-pngerror_c 3 Feb 2012 18:23:14 -0000 1.8 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,105 +0,0 @@ -$OpenBSD: patch-pngerror_c,v 1.8 2012/02/03 18:23:14 gsoares Exp $ - -Fix for CVE-2011-3464 -(libpng "png_formatted_warning()" Off-by-One Vulnerability) - -patch came from upstream git: -(http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h= -00c6a9a62c1825617c35c03ceb408114fffeca32) - ---- pngerror.c.orig Thu Nov 3 01:42:50 2011 -+++ pngerror.c Fri Feb 3 11:53:42 2012 -@@ -284,32 +284,35 @@ png_formatted_warning(png_structp png_ptr, png_warning - /* The internal buffer is just 128 bytes - enough for all our messages, - * overflow doesn't happen because this code checks! - */ -- size_t i; -+ size_t i = 0; /* Index in the msg[] buffer: */ - char msg[128]; - -- for (i=0; i<(sizeof msg)-1 && *message != '\0'; ++i) -+ /* Each iteration through the following loop writes at most one character -+ * to msg[i++] then returns here to validate that there is still space for -+ * the trailing '\0'. It may (in the case of a parameter) read more than -+ * one character from message[]; it must check for '\0' and continue to the -+ * test if it finds the end of string. -+ */ -+ while (i<(sizeof msg)-1 && *message != '\0') - { -- if (*message == '@') -+ /* '@' at end of string is now just printed (previously it was skipped); -+ * it is an error in the calling code to terminate the string with @. -+ */ -+ if (p != NULL && *message == '@' && message[1] != '\0') - { -- int parameter = -1; -- switch (*++message) -- { -- case '1': -- parameter = 0; -- break; -+ int parameter_char = *++message; /* Consume the '@' */ -+ static const char valid_parameters[] = "123456789"; -+ int parameter = 0; - -- case '2': -- parameter = 1; -- break; -+ /* Search for the parameter digit, the index in the string is the -+ * parameter to use. -+ */ -+ while (valid_parameters[parameter] != parameter_char && -+ valid_parameters[parameter] != '\0') -+ ++parameter; - -- case '\0': -- continue; /* To break out of the for loop above. 
*/ -- -- default: -- break; -- } -- -- if (parameter >= 0 && parameter < PNG_WARNING_PARAMETER_COUNT) -+ /* If the parameter digit is out of range it will just get printed. */ -+ if (parameter < PNG_WARNING_PARAMETER_COUNT) - { - /* Append this parameter */ - png_const_charp parm = p[parameter]; -@@ -319,28 +322,32 @@ png_formatted_warning(png_structp png_ptr, png_warning - * that parm[] has been initialized, so there is no guarantee of a - * trailing '\0': - */ -- for (; i<(sizeof msg)-1 && parm != '\0' && parm < pend; ++i) -- msg[i] = *parm++; -+ while (i<(sizeof msg)-1 && *parm != '\0' && parm < pend) -+ msg[i++] = *parm++; - -+ /* Consume the parameter digit too: */ - ++message; - continue; - } - - /* else not a parameter and there is a character after the @ sign; just -- * copy that. -+ * copy that. This is known not to be '\0' because of the test above. - */ - } - - /* At this point *message can't be '\0', even in the bad parameter case - * above where there is a lone '@' at the end of the message string. - */ -- msg[i] = *message++; -+ msg[i++] = *message++; - } - - /* i is always less than (sizeof msg), so: */ - msg[i] = '\0'; - -- /* And this is the formatted message: */ -+ /* And this is the formatted message, it may be larger than -+ * PNG_MAX_ERROR_TEXT, but that is only used for 'chunk' errors and these are -+ * not (currently) formatted. -+ */ - png_warning(png_ptr, msg); - } - #endif /* PNG_WARNINGS_SUPPORTED */ Index: patches/patch-pngpriv_h =================================================================== RCS file: patches/patch-pngpriv_h diff -N patches/patch-pngpriv_h --- patches/patch-pngpriv_h 3 Feb 2012 18:23:14 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,20 +0,0 @@ -$OpenBSD: patch-pngpriv_h,v 1.1 2012/02/03 18:23:14 gsoares Exp $ - -Fix for CVE-2011-3464 -(libpng "png_formatted_warning()" Off-by-One Vulnerability) - -patch came from upstream git: -(http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h= -00c6a9a62c1825617c35c03ceb408114fffeca32) - ---- pngpriv.h.orig Thu Nov 3 01:42:49 2011 -+++ pngpriv.h Fri Feb 3 11:53:28 2012 -@@ -1368,7 +1368,7 @@ PNG_EXTERN png_charp png_format_number(png_const_charp - #ifdef PNG_WARNINGS_SUPPORTED - /* New defines and members adding in libpng-1.5.4 */ - # define PNG_WARNING_PARAMETER_SIZE 32 --# define PNG_WARNING_PARAMETER_COUNT 8 -+# define PNG_WARNING_PARAMETER_COUNT 8 /* Maximum 9; see pngerror.c */ - - /* An l-value of this type has to be passed to the APIs below to cache the - * values of the parameters to a formatted warning message. Index: patches/patch-pngrutil_c =================================================================== RCS file: patches/patch-pngrutil_c diff -N patches/patch-pngrutil_c --- patches/patch-pngrutil_c 17 Feb 2012 15:44:13 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,24 +0,0 @@ -$OpenBSD: patch-pngrutil_c,v 1.3 2012/02/17 15:44:13 sthen Exp $ - -CVE-2011-3026 libpng: Heap-buffer-overflow in png_decompress_chunk - ---- pngrutil.c.orig Thu Feb 16 10:01:56 2012 -+++ pngrutil.c Thu Feb 16 10:04:05 2012 -@@ -457,8 +457,15 @@ png_decompress_chunk(png_structp png_ptr, int comp_typ - { - /* Success (maybe) - really uncompress the chunk. */ - png_size_t new_size = 0; -- png_charp text = (png_charp)png_malloc_warn(png_ptr, -- prefix_size + expanded_size + 1); -+ png_charp text = NULL; -+ /* Need to check for both truncation (64-bit platforms) and integer -+ * overflow. -+ */ -+ if (prefix_size + expanded_size > prefix_size && -+ prefix_size + expanded_size < 0xffffffffU) -+ { -+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1); -+ } - - if (text != NULL) - { Index: patches/patch-scripts_libpng_pc_in =================================================================== RCS file: /cvs/ports/graphics/png/patches/patch-scripts_libpng_pc_in,v retrieving revision 1.22 diff -u -p -r1.22 patch-scripts_libpng_pc_in --- patches/patch-scripts_libpng_pc_in 14 Nov 2011 17:48:59 -0000 1.22 +++ patches/patch-scripts_libpng_pc_in 25 Feb 2012 18:27:47 -0000 @@ -10,7 +10,7 @@ $OpenBSD: patch-scripts_libpng_pc_in,v 1 Name: libpng Description: Loads and saves PNG files - Version: 1.5.6 + Version: 1.5.9 -Libs: -L${libdir} -lpng15 +Libs: -L${libdir} -lpng -lz -lm Cflags: -I${includedir} Index: patches/patch-scripts_makefile_openbsd =================================================================== RCS file: /cvs/ports/graphics/png/patches/patch-scripts_makefile_openbsd,v retrieving revision 1.36 diff -u -p -r1.36 patch-scripts_makefile_openbsd --- patches/patch-scripts_makefile_openbsd 14 Nov 2011 17:48:59 -0000 1.36 +++ patches/patch-scripts_makefile_openbsd 25 Feb 2012 18:27:47 -0000 
@@ -1,6 +1,6 @@ $OpenBSD: patch-scripts_makefile_openbsd,v 1.36 2011/11/14 17:48:59 rpointel Exp $ ---- scripts/makefile.openbsd.orig Thu Nov 3 04:42:52 2011 -+++ scripts/makefile.openbsd Thu Nov 3 12:18:34 2011 +--- scripts/makefile.openbsd.orig Sat Feb 18 21:31:16 2012 ++++ scripts/makefile.openbsd Sat Feb 25 18:19:23 2012 @@ -7,8 +7,10 @@ # and license in png.h @@ -12,8 +12,8 @@ $OpenBSD: patch-scripts_makefile_openbsd +INCDIR= ${PREFIX}/include/libpng SHLIB_MAJOR= 15 - SHLIB_MINOR= 1.5.6 -@@ -25,12 +27,30 @@ + SHLIB_MINOR= 1.5.9 +@@ -25,12 +27,30 @@ CPPFLAGS+= -I${.CURDIR} NOPROFILE= Yes @@ -47,14 +47,14 @@ $OpenBSD: patch-scripts_makefile_openbsd # see scripts/pnglibconf.mak for more options pnglibconf.h: scripts/pnglibconf.h.prebuilt cp scripts/pnglibconf.h.prebuilt $@ -@@ -41,13 +61,20 @@ +@@ -41,13 +61,20 @@ pngtest.o: pngtest.c pngtest: pngtest.o ${CC} ${LDFLAGS} ${.ALLSRC} -o ${.TARGET} -L${.OBJDIR} -lpng -lz -lm -test: pngtest - cd ${.OBJDIR} && env \ - LD_LIBRARY_PATH="${.OBJDIR}" ${.OBJDIR}/pngtest -+pngvalid.o: pngvalid.c ++pngvalid.o: contrib/libtests/pngvalid.c + ${CC} ${CPPFLAGS} ${CFLAGS} -c ${.ALLSRC} -o ${.TARGET} +pngvalid: pngvalid.o @@ -73,7 +73,7 @@ $OpenBSD: patch-scripts_makefile_openbsd fi if [ ! -d ${DESTDIR}${LIBDIR} ]; then \ ${INSTALL} -d -o root -g wheel ${DESTDIR}${LIBDIR}; \ -@@ -61,22 +88,19 @@ +@@ -61,22 +88,19 @@ beforeinstall: if [ ! -d ${DESTDIR}${MANDIR}5 ]; then \ ${INSTALL} -d -o root -g wheel ${DESTDIR}${MANDIR}5; \ fi -- Christian "naddy" Weisgerber na...@mips.inka.de