News and History of the PNG Development Group from 2012
Herein lie news items and historical stuff primarily of interest to the
Portable Network Graphics Development Group itself. Feel free to poke
around even if you're not a member, though. Note that some of the links,
particularly the older ones, are broken; in some cases this is explained by
later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to
reorganizations or upgrades; should they ever reappear, the entries below
will be updated as needed.
Keep in mind that this is history here...
- 27 September 2012 - libpng 1.5.13 is released with a fix for a potential crash bug (specific to the 1.5 branch) when writing PNGs using the png_set_filler() call to strip a filler channel. The release also contains some minor fixes and cleanups.
- 10 July 2012 - libpng 1.5.12 (and 1.4.12, 1.2.50, and 1.0.60) is released with a fix for a minor permissions issue (CVE-2012-3386) in Makefile.in (used by configure). Only users who run make distcheck are affected. (No non-build-related sources were changed in this release.)
- 14 June 2012 - libpng 1.5.11 is released with minor cleanups.
- 2 May 2012 - zlib 1.2.7 is released with small fixes and two new features: the addition of "x" (O_EXCL) and "e" (O_CLOEXEC) modes to gzopen(), and a new (Windows-only) gzopen_w() function for wide-character pathnames.
- 29 March 2012 - libpng 1.5.10 (and 1.4.11, 1.2.49, and 1.0.59) is released with a fix for a serious memory-corruption bug (CVE-2011-3048) in png_set_text_2(). (This bug also was first "reported" as part of a Chromium release.)
- 18 February 2012 - libpng 1.5.9 (and 1.4.9, 1.2.47, and 1.0.57) is released with a fix for a more serious buffer-overrun bug (CVE-2011-3026) in png_decompress_chunk(), which affects 32-bit systems. (The bug, and a fix for it, was first published as part of Chromium 19.0.1036.7.)
- 1 February 2012 - libpng 1.5.8 is released with a fix for a one-byte buffer-overrun bug (CVE-2011-3464) in png_formatted_warning(). This can cause a crash in certain cases (e.g., Apple apps compiled with -fstack-protector), and it could conceivably result in execution of hostile code, though no exploit is currently known to exist. The bug appears to have been introduced in libpng 1.5.4.
- 29 January 2012 - zlib 1.2.6 is released with a number of new features and improvements, particularly in the gz* convenience functions for gzip streams and in the low-level deflate functions.
Last modified 27 January 2013.
Copyright © 1995-2013 Greg Roelofs.