News and History of the PNG Development Group from 2011
Herein lie news items and historical stuff primarily of interest to the
Portable Network Graphics Development Group itself. Feel free to poke
around even if you're not a member, though. Note that some of the links,
particularly the older ones, are broken; in some cases this is explained by
later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to
reorganizations or upgrades; should they ever reappear, the entries below
will be updated as needed.
Keep in mind that this is history here...
- current - see here
- 16 December 2011 - libpng 1.5.7
is released with various minor cleanups and improvements.
- 2 November 2011 - libpng 1.5.6
is released with several decoding optimizations and numerous minor
cleanups and fixes.
- 22 September 2011 - libpng 1.5.5
is released with a security fix for a divide-by-zero
png_handle_cHRM(). It also contains some cleanups for Windows
DLL generation, fixes to rgb_to_gray() and the cHRM XYZ (color
space) code, and various other minor fixes.
- 9 July 2011 - libpng 1.2.46 (and
1.0.56) is released with a couple of makefile fixes. (1.5.4 is
fine as is.)
- 7 July 2011 - libpng 1.5.4 is
is released with fixes for three security-related bugs: a
buffer-overrun with arbitrary
(attacker-controlled) data when promoting palette images with
transparency to gray+alpha, though only for apps that call
png_rgb_to_gray() and not png_set_expand() (of
which none are known); a png_default_error()
crash bug due to internal use of a
NULL pointer instead of the empty string (""); and an
out-of-bounds read when handling an
empty sCAL chunk, as well as improper handling of certain malformed sCAL
chunks. (There was no libpng 1.5.3 release. libpng 1.4.8,
1.2.45, and 1.0.55 are also released, with the same fixes.)
No formal CERT CVE numbers have yet been assigned.
[Update 13 July 2011:
- 31 March 2011 - libpng 1.5.2 is
released with minor bugfixes, cleanups, and documentation corrections.
- 3 February 2011 - libpng 1.5.1 is
is released with a fix for a
(CVE-2011-0408) in the RGB-to-grayscale
transform code. (This could potentially cause
execution of hostile code, but since the
bug was introduced in libpng 1.5.0, released just a month ago, no
software is known to have shipped with it. Still, you should upgrade
if you downloaded a copy.)
- 6 January 2011 - libpng 1.5.0 is
released, finally hiding the details of libpng's internal structs
inside private header files. (Apps that compiled with libpng 1.4 without
warnings about deprecated features should happily compile with 1.5, too.)
It also includes a new, more thorough test program (pngvalid.c)
and a new pnglibconf.h header file that tracks what features
were enabled or disabled when libpng was built. See the summary for details.
(And many thanks to John Bowler, who did most of this work!)
Here are some related PNG pages at this site:
Last modified 27 January 2013.
Copyright © 1995-2013 Greg Roelofs.