* Thu Jan 15 2026 pgajdos@suse.com
- security update
- added patches
  * libpng16-CVE-2025-22801.patch
  CVE-2026-22695 [bsc#1256525], Heap buffer over-read in png_image_finish_read
  * libpng16-CVE-2026-22695.patch
  CVE-2026-22801 [bsc#1256526], Integer truncation causing heap buffer over-read in png_image_write_*
  * libpng16-CVE-2026-22801.patch
* Fri Dec 05 2025 pgajdos@suse.com
- security update
- added patches
  CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite
  * libpng16-CVE-2025-66293.patch
* Fri Nov 28 2025 pgajdos@suse.com
- security update
- added patches
  CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
  * libpng16-CVE-2025-64505.patch
  CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled
  * libpng16-CVE-2025-64506.patch
  CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
  * libpng16-CVE-2025-64720.patch
  CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
  * libpng16-CVE-2025-65018.patch
* Tue Oct 29 2024 guillaume.gardet@opensuse.org
- version update to 1.6.44:
  * Hardened calculations in chroma handling to prevent overflows, and
    relaxed a constraint in cHRM validation to accommodate the standard
    ACES AP1 set of color primaries.
    (Contributed by John Bowler)
  * Removed the ASM implementation of ARM Neon optimizations and updated
    the build accordingly. Only the remaining C implementation shall be
    used from now on, thus ensuring the support of the PAC/BTI security
    features on ARM64.
    (Contributed by Ross Burton and John Bowler)
  * Fixed the pickup of the PNG_HARDWARE_OPTIMIZATIONS option in the
    CMake build on FreeBSD/amd64. This is an important performance fix
    on this platform.
  * Applied various fixes and improvements to the CMake build.
    (Contributed by Eric Riff, Benjamin Buch and Erik Scholz)
  * Added fuzzing targets for the simplified read API.
    (Contributed by Mikhail Khachayants)
  * Fixed a build error involving pngtest.c under a custom config.
    This was a regression introduced in a code cleanup in libpng-1.6.43.
    (Contributed by Ben Wagner)
  * Fixed and improved the config files for AppVeyor CI and Travis CI.
- Drop upstream patch:
  * 563.patch
* Sun Aug 11 2024 schwab@suse.de
- Fix missing backslash
* Wed Jun 12 2024 guillaume.gardet@opensuse.org
- Backport patch to fix PAC/BTI support on aarch64:
  * 563.patch
* Thu Mar 07 2024 pgajdos@suse.com
- version update to 1.6.43
  * Fixed the row width check in png_check_IHDR().
    This corrected a bug that was specific to the 16-bit platforms,
    and removed a spurious compiler warning from the 64-bit builds.
    (Reported by Jacek Caban; fixed by John Bowler)
  * Added eXIf chunk support to the push-mode reader in pngpread.c.
    (Contributed by Chris Blume)
  * Added contrib/pngexif for the benefit of the users who would like
    to inspect the content of eXIf chunks.
  * Added contrib/conftest/basic.dfa, a basic build-time configuration.
    (Contributed by John Bowler)
  * Fixed a preprocessor condition in pngread.c that broke build-time
    configurations like contrib/conftest/pngcp.dfa.
    (Contributed by John Bowler)
  * Added CMake build support for LoongArch LSX.
    (Contributed by GuXiWei)
  * Fixed a CMake build error that occurred under a peculiar state of the
    dependency tree. This was a regression introduced in libpng-1.6.41.
    (Contributed by Dan Rosser)
  * Marked the installed libpng headers as system headers in CMake.
    (Contributed by Benjamin Buch)
  * Updated the build support for RISCOS.
    (Contributed by Cameron Cawley)
  * Updated the makefiles to allow cross-platform builds to initialize
    conventional make variables like AR and ARFLAGS.
  * Added various improvements to the CI scripts in areas like version
    consistency verification and text linting.
  * Added version consistency verification to pngtest.c also.
* Sat Feb 17 2024 yann.boyer742@gmail.com
- Update to version 1.6.42:
  * Fixed the implementation of the macro function "png_check_sig".
    This was an API regression, introduced in libpng-1.6.41.
    (Reported by Matthieu Darbois)
* Thu Jun 22 2023 mpluskal@suse.com
- Update to version 1.6.40:
  * Fixed the eXIf chunk multiplicity checks.
  * Fixed a memory leak in pCAL processing.
  * Corrected the validity report about tRNS inside png_get_valid().
  * Fixed various build issues on *BSD, Mac and Windows.
  * Updated the configurations and the scripts for continuous integration.
  * Cleaned up the code, the build scripts, and the documentation.
* Mon May 15 2023 pgajdos@suse.com
- do not use NEON instructions [bsc#1211176]