[AUTOPATCHER-CORE] Upgrade libpng to 1.6.39 Fix CVE-2022-3857 (#9317)

Co-authored-by: Mandeep Plaha <mandeepplaha@microsoft.com>
2024-06-10 13:31:46 -07:00 · 2024-06-10 13:31:46 -07:00 · 6af9f3d10a
--- a/SPECS/libpng/libpng-fix-pngtest-random-failures.patch
+++ b/SPECS/libpng/libpng-fix-pngtest-random-failures.patch
@ -1,94 +0,0 @@
-Add upstream patch to fix the following random test error.
-    "FAIL: tests/pngtest"
-Patch comes from: https://github.com/glennrp/libpng/commit/72fa126446460347a504f3d9b90f24aed1365595
-
-
-diff -ruN a/Makefile.am b/Makefile.am
--- a/Makefile.am	2021-03-05 15:51:50.996269641 -0800
-+++ b/Makefile.am	2021-03-05 15:58:47.711103516 -0800
-@@ -59,8 +59,7 @@
- # Generally these are single line shell scripts to run a test with a particular
- # set of parameters:
- TESTS =\
-   tests/pngtest\
-   tests/pngtest-badpngs\
-+   tests/pngtest-all\
-    tests/pngvalid-gamma-16-to-8 tests/pngvalid-gamma-alpha-mode\
-    tests/pngvalid-gamma-background tests/pngvalid-gamma-expand16-alpha-mode\
-    tests/pngvalid-gamma-expand16-background\
-diff -ruN a/Makefile.in b/Makefile.in
--- a/Makefile.in	2021-03-05 15:51:56.072247998 -0800
-+++ b/Makefile.in	2021-03-05 16:20:34.141504371 -0800
-@@ -736,8 +736,7 @@
- # Generally these are single line shell scripts to run a test with a particular
- # set of parameters:
- TESTS = \
-   tests/pngtest\
-   tests/pngtest-badpngs\
-+   tests/pngtest-all\
-    tests/pngvalid-gamma-16-to-8 tests/pngvalid-gamma-alpha-mode\
-    tests/pngvalid-gamma-background tests/pngvalid-gamma-expand16-alpha-mode\
-    tests/pngvalid-gamma-expand16-background\
-@@ -1578,16 +1577,9 @@
- 	        am__force_recheck=am--force-recheck \
- 	        TEST_LOGS="$$log_list"; \
- 	exit $$?
-tests/pngtest.log: tests/pngtest
-	@p='tests/pngtest'; \
-	b='tests/pngtest'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-tests/pngtest-badpngs.log: tests/pngtest-badpngs
-	@p='tests/pngtest-badpngs'; \
-	b='tests/pngtest-badpngs'; \
-+tests/pngtest-all.log: tests/pngtest-all
-+	@p='tests/pngtest-all'; \
-+	b='tests/pngtest-all'; \
- 	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- 	--log-file $$b.log --trs-file $$b.trs \
- 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-diff -ruN a/tests/pngtest b/tests/pngtest
--- a/tests/pngtest	2021-03-05 15:52:16.180164597 -0800
-+++ b/tests/pngtest	1969-12-31 16:00:00.000000000 -0800
-@@ -1,2 +0,0 @@
-#!/bin/sh
-exec ./pngtest --strict ${srcdir}/pngtest.png
-diff -ruN a/tests/pngtest-all b/tests/pngtest-all
--- a/tests/pngtest-all	1969-12-31 16:00:00.000000000 -0800
-+++ b/tests/pngtest-all	2021-03-05 15:56:44.159342792 -0800
-@@ -0,0 +1,16 @@
-+#!/bin/sh
-+
-+# normal execution
-+
-+./pngtest --strict ${srcdir}/pngtest.png
-+
-+# various crashers
-+# using --relaxed because some come from fuzzers that don't maintain CRC's
-+
-+./pngtest --relaxed ${srcdir}/contrib/testpngs/crashers/badcrc.png
-+./pngtest --relaxed ${srcdir}/contrib/testpngs/crashers/badadler.png
-+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/bad_iCCP.png
-+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/empty_ancillary_chunks.png
-+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/huge_*_chunk.png \
-+    ${srcdir}/contrib/testpngs/crashers/huge_*safe_to_copy.png
-+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/huge_IDAT.png
-diff -ruN a/tests/pngtest-badpngs b/tests/pngtest-badpngs
--- a/tests/pngtest-badpngs	2021-03-05 15:52:49.056035782 -0800
-+++ b/tests/pngtest-badpngs	1969-12-31 16:00:00.000000000 -0800
-@@ -1,13 +0,0 @@
-#!/bin/sh
-
-# various crashers
-# using --relaxed because some come from fuzzers that don't maintain CRC's
-
-./pngtest --relaxed ${srcdir}/contrib/testpngs/crashers/badcrc.png
-./pngtest --relaxed ${srcdir}/contrib/testpngs/crashers/badadler.png
-./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/bad_iCCP.png
-./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/empty_ancillary_chunks.png
-./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/huge_*_chunk.png \
-    ${srcdir}/contrib/testpngs/crashers/huge_*safe_to_copy.png
-
-exec ./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/huge_IDAT.png
--- a/SPECS/libpng/libpng.signatures.json
+++ b/SPECS/libpng/libpng.signatures.json
@ -1,5 +1,5 @@
 {
- "Signatures": {
-  "libpng-1.6.37.tar.xz": "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
- }
-}
+  "Signatures": {
+    "libpng-1.6.39.tar.xz": "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
+  }
+}
--- a/SPECS/libpng/libpng.spec
+++ b/SPECS/libpng/libpng.spec
@ -1,7 +1,7 @@
 Summary:        contains libraries for reading and writing PNG files.
 Name:           libpng
-Version:        1.6.37
-Release:        6%{?dist}
+Version:        1.6.39
+Release:        1%{?dist}
 License:        zlib
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -9,7 +9,6 @@ Group:          System Environment/Libraries
 # The site does NOT have an HTTPS cert available.
 URL:            http://www.libpng.org/
 Source0:        https://downloads.sourceforge.net/libpng/%{name}-%{version}.tar.xz
-Patch0:         libpng-fix-pngtest-random-failures.patch

 %description
 The libpng package contains libraries used by other programs for reading and writing PNG files. The PNG format was designed as a replacement for GIF and, to a lesser extent, TIFF, with many improvements and extensions and lack of patent problems.
@ -23,7 +22,6 @@ It contains the libraries and header files to create applications

 %prep
 %setup -q
-%patch0 -p1

 %build
 %configure
@ -59,6 +57,10 @@ make %{?_smp_mflags} -k check
 %{_mandir}/man3/*

 %changelog
+* Wed Jun 05 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.6.39-1
+- Auto-upgrade to 1.6.39 - Fix CVE-2022-3857
+- Remove patch - not needed in the new version
+
 * Fri Apr 22 2022 Olivia Crain <oliviacrain@microsoft.com> - 1.6.37-6
 - Remove explicit pkgconfig provides that are now automatically generated by RPM

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -10621,8 +10621,8 @@
        "type": "other",
        "other": {
          "name": "libpng",
-          "version": "1.6.37",
-          "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.37.tar.xz"
+          "version": "1.6.39",
+          "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.39.tar.xz"
        }
      }
    },