Message-Id: <200804290317.m3T3HxL5003692@www.freebsd.org>
Date: Tue, 29 Apr 2008 03:17:59 GMT
From: bf <bf2006a@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH]graphics/png: update to 1.2.27
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         123186
>Category:       ports
>Synopsis:       [PATCH]graphics/png: update to 1.2.27
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ache
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 29 03:20:00 UTC 2008
>Closed-Date:    Tue Apr 29 12:10:22 UTC 2008
>Last-Modified:  Tue Apr 29 12:10:22 UTC 2008
>Originator:     bf
>Release:        7-STABLE i386
>Organization:
-
>Environment:
>Description:
Update to 1.2.27, released 29 April 2008.  Relevant changes:

  Fixed bug (introduced in libpng-1.0.5h) with handling zero-length
    unknown chunks.
  Added more information about png_set_keep_unknown_chunks() to the
    documentation.
  Reject tRNS chunk with out-of-range samples instead of masking off
    the invalid high bits as done since libpng-1.2.19beta5.
  Revised documentation about unknown chunk and user chunk handling.
  Keep tRNS chunk with out-of-range samples and issue a png_warning().
  Added check for NULL ptr in TURBOC version of png_free_default().
  Removed several unnecessary checks for NULL before calling png_free().
  Revised png_set_tRNS() so that calling it twice removes and invalidates
    the previous call.
  Revised pngtest to check for out-of-range tRNS samples.
  Avoid changing color_type from GRAY to RGB by
    png_set_expand_gray_1_2_4_to_8().

Since this fixes CVE-2008-1382 (see, for example, http://jaist.dl.sourceforge.net/sourceforge/libpng/Advisory-1.2.27.txt), the security/vuxml database should be updated to show that this version of the port is not insecure.  Also, it's probably time to switch to USE_LDCONFIG, but since my last proposed changes in this direction were rejected, I'll let the maintainer/portmgr worry about it.  This is related to PR ports/122869, but the proposed update in this PR is to a later stable version.

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN png.orig/Makefile png/Makefile
--- png.orig/Makefile	2008-04-28 22:30:20.473072988 -0400
+++ png/Makefile	2008-04-28 22:47:35.836374748 -0400
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	png
-PORTVERSION=	1.2.26
+PORTVERSION=	1.2.27
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	lib${PORTNAME}
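Review bot: the PORTVERSION change to 1.2.27 is the whole Makefile edit, and nothing in this patch touches security/vuxml even though the description says this release fixes CVE-2008-1382. The diff covers only Makefile, distinfo and files/patch-ab, so the vuxml entry for CVE-2008-1382 should be added or adjusted alongside this commit so that 1.2.27 is recorded as the fixed version.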
diff -ruN png.orig/distinfo png/distinfo
--- png.orig/distinfo	2008-04-28 22:30:20.473072988 -0400
+++ png/distinfo	2008-04-28 22:47:35.836374748 -0400
@@ -1,3 +1,3 @@
-MD5 (libpng-1.2.26.tar.bz2) = 1f743f4a3e5a9c12ea16eff0c60c3f8e
-SHA256 (libpng-1.2.26.tar.bz2) = 17c589b64902c6fc045ad85d748c647035b9916016813182402e89114aa7ebe7
-SIZE (libpng-1.2.26.tar.bz2) = 627569
+MD5 (libpng-1.2.27.tar.bz2) = 310954baea8bedbe1a1c0fbd13a494ad
+SHA256 (libpng-1.2.27.tar.bz2) = 742891c0ec5a5fa5a7a545b08865e96e922447d8095b71e5348b9ff6d3123a9a
+SIZE (libpng-1.2.27.tar.bz2) = 641193
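Review bot: the three distinfo lines for libpng-1.2.27.tar.bz2 should be regenerated from a tarball fetched independently of the submitter (for example with make makesum on a clean fetch) rather than taken from the patch as is. Of the values here only the SHA256 line gives meaningful integrity assurance, since MD5 is not collision resistant; compare it and the SIZE of 641193 against a fresh download from the upstream site before committing.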
diff -ruN png.orig/files/patch-ab png/files/patch-ab
--- png.orig/files/patch-ab	2008-04-28 22:30:20.473072988 -0400
+++ png/files/patch-ab	2008-04-28 22:47:35.836374748 -0400
@@ -12,7 +12,7 @@
  
  Name: libpng
  Description: Loads and saves PNG files
- Version: 1.2.26
+ Version: 1.2.27
 -Libs: -L${libdir} -lpng12
 +Libs: -L${libdir} -lpng -lz -lm
  Cflags: -I${includedir}
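Review bot: the Version: line changed here is a context line inside files/patch-ab, so it has to track PORTVERSION by hand on every update, and a stale value would stop that patch from applying cleanly. Confirm that patch-ab applies to the 1.2.27 sources without fuzz or rejects, and that the file it targets still contains the "Libs: -L${libdir} -lpng12" line that the patch replaces with "-lpng -lz -lm".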


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ache 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Tue Apr 29 03:20:06 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123186 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/123186: commit references a PR
Date: Tue, 29 Apr 2008 12:09:10 +0000 (UTC)

 ache        2008-04-29 12:09:06 UTC
 
   FreeBSD ports repository
 
   Modified files:
     graphics/png         Makefile distinfo 
     graphics/png/files   patch-ab 
   Log:
   Upgrade to 1.2.27
   It fixes CVE-2008-1382
   
   PR:             123186
   Submitted by:   bf <bf2006a@yahoo.com>
   
   Revision  Changes    Path
   1.87      +1 -1      ports/graphics/png/Makefile
   1.40      +3 -3      ports/graphics/png/distinfo
   1.13      +1 -1      ports/graphics/png/files/patch-ab
 
State-Changed-From-To: open->closed 
State-Changed-By: ache 
State-Changed-When: Tue Apr 29 12:10:07 UTC 2008 
State-Changed-Why:  
Committed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123186 
>Unformatted:
