authorNatanael Copa <ncopa@alpinelinux.org>2015-02-02 10:29:02 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-02-02 10:29:16 +0000
commit7a7c3dc1ee28d4241d5ef12fb033da839898f056 (patch)
tree0df53b04fb235e57da9501c8a0d752fb9db94e85
parent1ff989c299cfc585cf70cce7e48649a200ea9df8 (diff)
downloadaports-7a7c3dc1ee28d4241d5ef12fb033da839898f056.tar.bz2
aports-7a7c3dc1ee28d4241d5ef12fb033da839898f056.tar.xz
main/libpng: security upgrade to 1.5.21 (CVE-2014-9495,CVE-2015-0973)
fixes #3849
-rw-r--r--main/libpng/APKBUILD20
-rw-r--r--main/libpng/libpng15-CVE-2013-6954.patch35
2 files changed, 8 insertions, 47 deletions
diff --git a/main/libpng/APKBUILD b/main/libpng/APKBUILD
index 65d06ff680..3044e06549 100644
--- a/main/libpng/APKBUILD
+++ b/main/libpng/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libpng
-pkgver=1.5.15
-pkgrel=1
+pkgver=1.5.21
+pkgrel=0
pkgdesc="Portable Network Graphics library"
url="http://www.libpng.org/"
arch="all"
@@ -13,7 +13,6 @@ makedepends="$depends_dev gawk"
subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
http://downloads.sourceforge.net/project/libpng-apng/libpng15/$pkgver/libpng-$pkgver-apng.patch.gz
- libpng15-CVE-2013-6954.patch
"
_builddir="$srcdir/$pkgname-$pkgver"
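Review bot: Removing `libpng15-CVE-2013-6954.patch` from `source=` is not explained anywhere in the commit; the message names only CVE-2014-9495 and CVE-2015-0973, so a reader cannot tell whether the CVE-2013-6954 fix is still applied after the upgrade. Presumably 1.5.21 carries it upstream, but that should be confirmed against the unpacked 1.5.21 sources: the NULL-palette `png_error` in `png_read_transform_info` (pngrtran.c) and the `Invalid palette` check in `png_set_PLTE` (pngset.c) that the deleted patch added. A line in the commit message such as `drop libpng15-CVE-2013-6954.patch, fixed upstream` would record the reason for anyone auditing the package's CVE coverage later.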
@@ -42,12 +41,9 @@ package() {
rm -f "$pkgdir"/usr/lib/*.la
}
-md5sums="ea24254980fd820964a710e4d2a947c7 libpng-1.5.15.tar.gz
-3ae9ea7e4bd201f0b25e25cd6049b094 libpng-1.5.15-apng.patch.gz
-8cdbf47318e9f4710a957a4704f1dd6e libpng15-CVE-2013-6954.patch"
-sha256sums="726224b7a6b5ad0032078bf3fb5a84ffb5ad683a33a62d67f7be5eb5bc37d076 libpng-1.5.15.tar.gz
-e6c46fafd5fbea6250daa07c1b7be2b9571a7cc4c99e985c594666a33de52f6b libpng-1.5.15-apng.patch.gz
-0c039a6cf4476b239ffc9c9f92ed48aabc9678e30b9c982ab6996dfddf6696f2 libpng15-CVE-2013-6954.patch"
-sha512sums="3d4f04bc33150177c9ca46543d92884dd3e6857494b99f7cc171fc90371b345495ae777b11bbed88978ec4a00daab632431b3efa78420b0abb659d5cf5690bc7 libpng-1.5.15.tar.gz
-631f4bb60b5e0a09e8fcb794bb240d39beae832a6aca9dab2d382ba2444bb2f7cb5a72dd02976cbe0972371e4a6238aa00b017ac4d8956c5afc0ec8671dcdbd6 libpng-1.5.15-apng.patch.gz
-d4b390479cadd7637f71e494709a7628671d61bacf10a522547f53be58acc08088e23867ae05047d7a9f53985c7eca78616f28ecec82e785fd18cde84ed9dd86 libpng15-CVE-2013-6954.patch"
+md5sums="5a399a6dd143cb82cdb6c8d98c75fa42 libpng-1.5.21.tar.gz
+c2db739bf068fe5ca66bbf184030b24d libpng-1.5.21-apng.patch.gz"
+sha256sums="835ce1d42ea9f50eddf74754f2b06b1c0f7a1d8e46deb89b839a5ca018599793 libpng-1.5.21.tar.gz
+fe78d77cea22017cfd9568e35ca4e721c7052dd12fb353396c78f2302d43b1b2 libpng-1.5.21-apng.patch.gz"
+sha512sums="d59e733f7268480e5cd2816e3894d11bdf739a230c0d1a717eac23a5e2825ed50ed1eaeba7701ee049304ef992d87a13bd7dc52b29aa616de35b35d8ab21cc99 libpng-1.5.21.tar.gz
+6fc6c043e24edaace05d46589c9d4be46741710b9656e6061c4c8d25e46a58f2b997377bdb0fbfd7df8ee1602b77a048233e7e9699e8c8bc383b940d04538965 libpng-1.5.21-apng.patch.gz"
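Review bot: The new checksums are the only integrity control on the two 1.5.21 artifacts, because both `source=` URLs in the previous hunk are plain `http://`. The page does not show how the sums were produced. If they were generated from the same http download, they pin whatever was received rather than what upstream released, so the tarball and the apng patch are worth checking against upstream's published signature or checksums before the sums are committed. `md5sums` adds no protection next to `sha256sums` and `sha512sums` and could be dropped where the build tooling allows it.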
diff --git a/main/libpng/libpng15-CVE-2013-6954.patch b/main/libpng/libpng15-CVE-2013-6954.patch
deleted file mode 100644
index 9619d8a931..0000000000
--- a/main/libpng/libpng15-CVE-2013-6954.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff --git a/pngrtran.c b/pngrtran.c
-index 5673193..04eecee 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -1900,6 +1900,9 @@ png_read_transform_info(png_structp png_ptr, png_infop info_ptr)
-
- info_ptr->bit_depth = 8;
- info_ptr->num_trans = 0;
-+
-+ if (png_ptr->palette == NULL)
-+ png_error (png_ptr, "Palette is NULL in indexed image");
- }
- else
- {
-diff --git a/pngset.c b/pngset.c
-index 4177e62..3876103 100644
---- a/pngset.c
-+++ b/pngset.c
-@@ -524,6 +524,16 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr,
- return;
- }
- }
-+ if ((num_palette > 0 && palette == NULL) ||
-+ (num_palette == 0
-+ # ifdef PNG_MNG_FEATURES_SUPPORTED
-+ && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
-+ # endif
-+ ))
-+ {
-+ png_error(png_ptr, "Invalid palette");
-+ return;
-+ }
-
- /* It may not actually be necessary to set png_ptr->palette here;
- * we do it for backward compatibility with the way the png_handle_tRNS