Removed rpms
============
- cyrus-sasl-crammd5-32bit
- cyrus-sasl-gssapi-32bit
- cyrus-sasl-plain-32bit
- glibc-32bit
- glibc-locale-32bit
- glibc-locale-base-32bit
- alsa-plugins-pulse-32bit
- gettext-runtime-32bit
- gnome-keyring-pam-32bit
- libFLAC8-32bit
- libaudit1-32bit
- libbrotlicommon1-32bit
- libcrack2-32bit
- libcurl4-32bit
- libdbus-1-3-32bit
- libdw1-32bit
- libfontconfig1-32bit
- libfreetype6-32bit
- libhogweed6-32bit
- libjansson4-32bit
- liblzma5-32bit
- libmagic1-32bit
- libnss_usrfiles2-32bit
- libnuma1-32bit
- libopenssl1_1-32bit
- libp11-kit0-32bit
- libparted0-32bit
- libpci3-32bit
- libpng16-16-32bit
- libpopt0-32bit
- libsasl2-3-32bit
- libselinux1-32bit
- libsndfile1-32bit
- openslp-32bit
- systemd-32bit
- libasound2-32bit
- libavahi-common3-32bit
- libbrotlidec1-32bit
- libcom_err2-32bit
- libcrypt1-32bit
- libcups2-32bit
- libgio-2_0-0-32bit
- libgnutls30-32bit
- liblua5_3-5-32bit
- liblz4-1-32bit
- libnscd1-32bit
- libpcre1-32bit
- libpsl5-32bit
- libssh4-32bit
- libtextstyle0-32bit
- libudev1-32bit
- libxml2-2-32bit
- qemu-microvm
- qemu-vgabios
- samba-client-32bit
Added rpms
==========
- alsa-plugins-pulse-32bit
- gettext-runtime-32bit
- gnome-keyring-pam-32bit
- cyrus-sasl-crammd5-32bit
- cyrus-sasl-gssapi-32bit
- cyrus-sasl-plain-32bit
- glibc-32bit
- glibc-locale-32bit
- glibc-locale-base-32bit
- libasound2-32bit
- libavahi-common3-32bit
- libbrotlidec1-32bit
- libcom_err2-32bit
- libcrypt1-32bit
- libcups2-32bit
- libgio-2_0-0-32bit
- libgnutls30-32bit
- liblua5_3-5-32bit
- liblz4-1-32bit
- libnscd1-32bit
- libpcre1-32bit
- libpsl5-32bit
- libssh4-32bit
- libtextstyle0-32bit
- libudev1-32bit
- libxml2-2-32bit
- samba-client-32bit
- qemu-microvm
- qemu-vgabios
- libFLAC8-32bit
- libaudit1-32bit
- libbrotlicommon1-32bit
- libcrack2-32bit
- libcurl4-32bit
- libdbus-1-3-32bit
- libdw1-32bit
- libfontconfig1-32bit
- libfreetype6-32bit
- libhogweed6-32bit
- libjansson4-32bit
- liblzma5-32bit
- libmagic1-32bit
- libnss_usrfiles2-32bit
- libnuma1-32bit
- libopenssl1_1-32bit
- libp11-kit0-32bit
- libparted0-32bit
- libpci3-32bit
- libpng16-16-32bit
- libpopt0-32bit
- libsasl2-3-32bit
- libselinux1-32bit
- libsndfile1-32bit
- openslp-32bit
- systemd-32bit
Package Source Changes
======================
cracklib
+- %check: really test the package [bsc#1191736]
+
+- Update to version 2.9.7:
+ + fix a buffer overflow processing long words.
+- Drop 0003-overflow-processing-gecos.patch and
+ 0004-overflow-processing-long-words.patch: fixed upstream.
+- Update source URI.
+- Remove use of translation-update-upstream. It cannot be added to
+ ring 0 on leap, and 2.9.7 has some translation fixes
+ (bsc#1172396).
+
+- Enable translation-update-upstream on leap, to remove the use of
+ is_opensuse (jsc#SLE-12096).
+
+- use /usr/lib instead of %{_libexecdir}, %{_libexecdir} should
+ contain internal binaries, not data
+
+- Use %license (boo#1082318)
+
+- Update to 2.9.6
+ * fix issue with sort and locale
+ * some particularly bad cases to the cracklib small dictionary
+ * updates to cracklib-words (adds a bunch of other dictionary lists)
+ * migration to github
+- run spec-cleaner
+
+- Only buildrequire and call translation-update-upstream on SLE:
+ the package in openSUSE is a dummy and is empty.
+
+- Add patch 0004-overflow-processing-long-words.patch
+ to fix a new buffer overflow identified together with bsc#992966.
+
+- Relabel patches:
+ cracklib-magic.diff -> 0001-cracklib-magic.diff
+ cracklib-2.9.2-visibility.patch -> 0002-cracklib-2.9.2-visibility.patch
+- Add patch 0003-overflow-processing-gecos.patch
+ to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
+
+- Update to 2.9.5
+ * fix matching against first password in dictionary (Anton Dobkin)
+- Changes for 2.9.4
+ * remove doubled prototype
+- Changes for 2.9.3
+ * expose additional functions externally
+
+- Cleanup spec file with spec-cleaner
+- Remove old ppc provides/obsoletes
+
+- Update to version 2.9.2
+ + support build of python support outside of source tree
+ + fix bug in Python string distance calculation
+ + fix bug #16 / debian bug 724570 - broken optimization with packlib
+ prevblock
+- Adapt patch to upstream changes
+ + cracklib-visibility.patch > cracklib-2.9.2-visibility.patch
+
cyrus-sasl
+- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
+ in plugins/sql.c (bsc#1196036)
+ o add upstream patch:
+ 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
+
+- postfix: sasl authentication with password fails (bsc#1194265)
+ Add config parameter --with-dblib=gdbm
+- Avoid converting of /etc/sasldb2 by every update. Convert
+ /etc/sasldb2 only if it is a Berkeley DB
+
+- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root
+ due to insecure tmp file usage. (bsc#1180669)
+ Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary
+ files.
+
+- Remove Berkeley DB dependency (JIRA#SLE-12190)
+ The packages cyrus-sasl and cyrus-sasl-saslauthd are built
+ without Berkely DB support. gdbm will be used instead of BDB.
+ The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built
+ with Berkely DB support.
+- Update to 2.1.27
+ * Added support for OpenSSL 1.1
+ * Added support for lmdb
+ * Lots of build fixes
+ * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
+ * DIGEST-MD5 plugin:
+ Fixed memory leaks
+ Fixed a segfault when looking for non-existent reauth cache
+ Prevent client from going from step 3 back to step 2
+ Allow cmusaslsecretDIGEST-MD5 property to be disabled
+ * GSSAPI plugin:
+ Added support for retrieving negotiated SSF
+ Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
+ Properly compute maxbufsize AFTER security layers have been set
+ * SCRAM plugin:
+ Added support for SCRAM-SHA-256
+ * LOGIN plugin:
+ Don’t prompt client for password until requested by server
+ * NTLM plugin:
+ Fixed crash due to uninitialized HMAC context
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+- bsc#983938 `After=syslog.target` left-overs in several unit files
+- added patches:
+ fix_libpq-fe_include.diff for fixing including libpq-fe.h
+- removed patches obsoleted by upstream changes:
+ * shared_link_on_ppc.patch
+ * cyrus-sasl-2.1.27-openssl-1.1.0.patch
+ * 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
+ * 0003-Check-return-error-from-gss_wrap_size_limit.patch
+ * 0004-Add-support-for-retrieving-the-mech_ssf.patch
+ * 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
+ * cyrus-sasl-fix-logging-in-gssapi.patch
+
+- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
+ * Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
+ * Add 0003-Check-return-error-from-gss_wrap_size_limit.patch
+ * Add 0004-Add-support-for-retrieving-the-mech_ssf.patch
+- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
+ * Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
+
+- added backport-patch cyrus-sasl-bug587.patch which fixes
+ off-by-one error in _sasl_add_string function
+ (see CVE-2019-19906 bsc#1159635)
+
+- bnc#1044840 syslog is polluted with messages "GSSAPI client step 1"
+ By server context the connection will be sent to the log function.
+ Client content does not have log level information. I.e. there is no
+ way to stop DEBUG level logs nece I've removed it.
+ * add cyrus-sasl-fix-logging-in-gssapi.patch
+
+- OpenSSL 1.1 support (bsc#1055463)
+ * add cyrus-sasl-2.1.27-openssl-1.1.0.patch from Fedora
+
+- added cyrus-sasl-issue-402.patch to fix
+ SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize #402
+ (see https://github.com/cyrusimap/cyrus-sasl/issues/402)
+
+- bnc#1026825 saslauthd: :set_auth_mech : unknown authentication mechanism: kerberos5
+
+- really use SASLAUTHD_PARAMS variable (bnc#938657)
+
+- bnc#908883 cyrus-sasl-scram refers to wrong RFC
+
+- Make sure /usr/sbin/rcsaslauthd exists
+
flac
+- Fix out of bound write in append_to_verify_fifo_interleaved_
+ (CVE-2021-0561 bsc#1196660):
+ libFlac-Exit-at-EOS-in-verify-mode.patch
+
+- Fix memory leak (CVE-2020-0487 bsc#1180112):
+ stream_decoder.c-Fix-a-memory-leak.patch
+
+- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099):
+ libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+
+- Fix memory leak in read_metadata_vorbiscomment_() function
+ (CVE-2017-6888, bsc#1091045):
+ flac-CVE-2017-6888.patch
+
+- Update to version 1.3.2
+ * Fix undefined behaviour using GCC/Clang UBSAN (erikd).
+ * General hardening via fuzz testing with AFL (erikd and
+ others).
+ * General code improvements (lvqcl, erikd and others).
+ * Add FLAC in MP4 specification docs (Ralph Giles).
+ * Fix some cppcheck warnings (erikd).
+ * Assume all currently used OSes support SSE2.
+ flac:
+ * Fix potential infinite loop on flac-to-flac conversion
+ (erikd).
+ * Add WAVEFORMATEXTENSIBLE to WAV (as needed) when
+ decoding (lvqcl).
+ * Only write vorbis-comments if they are non-empty.
+ * Error out if decoding RAW with bits != (8|16|24).
+ metaflac:
+ * Add --scan-replay-gain option.
+ libraries:
+ * CPU detection cleanup and fixes (Julian Calaby, erikd
+ and lvqcl).
+ * Fix two stream decoder bugs (Max Kellermann).
+ * Fix a NULL dereference bug (on a malformed file).
+ * Changed the LPC order guess for a slight compression
+ improvement, particularly for classical music
+ (Martijn van Beurden).
+ * Improved encoding speed on older Intel CPUs.
+ * Fixed a seeking bug when decoding certain files
+ (Miroslav Lichvar).
+ * Put an upper bound (32768) on the number of seek
+ points.
+ * Fix potential memory leaks.
+ * Support 64bit brword/bwword allowing
+ FLAC__BYTES_PER_WORD to be set to 8 (disabled by
+ default).
+ * Fix an out-of-bounds heap read.
+- Refreshed flac-cflags.patch
+
+- Drop patch that should be upstreamed first, otherwise we will
+ have to keep it ofrever:
+ * flac-ocloexec.patch
+- Drop wrong patch:
+ * flac-fix-pkgconfig.patch
+ + If using this change you get assert.h include overriden in your
+ project by the one from FLAC/ which is not what upstream desired
+ If packages fail to build they should fix their include
+
+- Build documentation as noarch
+
+- Cleanup spec file with spec-cleaner
+- Update url
+- Remove no longer needed patches
+ * flac-fix-CVE-2014-8962.patch
+ * flac-fix-CVE-2014-9028.patch
+ * 0001-getopt_long-not-broken-here.patch
+- Remove following as benefit of using openssl is small
+ * 0001-Allow-use-of-openSSL.patch
+- Add flac-cflags.patch
+- Use doxygen to build documentation
+- Split documentation to separate package
+- Update to 1.3.1
+ * Improved decoding efficiency of all bit depths but especially
+ so for 24 bits for IA32 architecture (lvqcl and Miroslav Lichvar).
+ * Faster encoding using SSE and AVX (lvqcl).
+ * Fixed bartlett, bartlett_hann and triangle functions.
+ * New apodization functions partial_tukey and punchout_tukey for
+ improved compression (Martijn van Beurden).
+ * Retuned compression presets to incorporate new apodization
+ functions (Martijn van Beurden).
+ * Fix -Wcast-align warnings on armhf architecture (Erik de
+ Castro Lopo).
+ * Help output documentation improvements.
+ * I/O buffering improvements on Windows to reduce disk
+ fragmentation when writing files.
+ * Only write vorbis-comments if they are non-empty.
+ * Fix symbol visibility in XMMS plugin.
+ * Many fixes and improvements across all the build systems.
+ * Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962
+ (heap read overflow)
+
+- A couple of security fixes:
+ * flac-fix-CVE-2014-8962.patch:
+ arbitrary code execution by a stack overflow (CVE-2014-8962,
+ bnc#906831)
+ * flac-fix-CVE-2014-9028.patch:
+ Heap overflow via specially crafted .flac files (CVE-2014-9028,
+ bnc#907016)
+
+- Update to final upstream release 1.3.0
+ * No user-visible changes
+- More robust make install call
+
freetype2
+- Add CVE-2020-15999.patch to fix a heap buffer overflow has been
+ found in the handling of embedded PNG bitmaps
+ CVE-2020-15999 bsc#1177914
+
+- Use the compiler default C std, since 2012 gcc defaults
+ have changed, we now only need to get rid of ANSIFLAGS, override
+ that variable instead.
+
+- Update to version 2.10.1
+ * The bytecode hinting of OpenType variation fonts was flawed, since
+ the data in the `CVAR' table wasn't correctly applied.
+ * Auto-hinter support for Mongolian.
+ * The handling of the default character in PCF fonts as introduced
+ in version 2.10.0 was partially broken, causing premature abortion
+ of charmap iteration for many fonts.
+ * If `FT_Set_Named_Instance' was called with the same arguments
+ twice in a row, the function returned an incorrect error code the
+ second time.
+ * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug
+ introduced in version 2.10.0).
+ * Increased precision while computing OpenType font variation
+ instances.
+ * The flattening algorithm of cubic Bezier curves was slightly
+ changed to make it faster. This can cause very subtle rendering
+ changes, which aren't noticeable by the eye, however.
+ * The auto-hinter now disables hinting if there are blue zones
+ defined for a `style' (i.e., a certain combination of a script and
+ its related typographic features) but the font doesn't contain any
+ characters needed to set up at least one blue zone.
+- Add tarball signatures and freetype2.keyring
+
+- Update to version 2.10.0
+ * A bunch of new functions has been added to access and process
+ COLR/CPAL data of OpenType fonts with color-layered glyphs.
+ * As a GSoC 2018 project, Nikhil Ramakrishnan completely
+ overhauled and modernized the API reference.
+ * The logic for computing the global ascender, descender, and
+ height of OpenType fonts has been slightly adjusted for
+ consistency.
+ * `TT_Set_MM_Blend' could fail if called repeatedly with the same
+ arguments.
+ * The precision of handling deltas in Variation Fonts has been
+ increased.The problem did only show up with multidimensional
+ designspaces.
+ * New function `FT_Library_SetLcdGeometry' to set up the geometry
+ of LCD subpixels.
+ * FreeType now uses the `defaultChar' property of PCF fonts to set
+ the glyph for the undefined character at glyph index 0 (as
+ FreeType already does for all other supported font formats). As
+ a consequence, the order of glyphs of a PCF font if accessed
+ with FreeType can be different now compared to previous
+ versions.
+ This change doesn't affect PCF font access with cmaps.
+ * `FT_Select_Charmap' has been changed to allow parameter value
+ `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
+ formats to access built-in cmaps that don't have a predefined
+ `FT_Encoding' value.
+ * A previously reserved field in the `FT_GlyphSlotRec' structure
+ now holds the glyph index.
+ * The usual round of fuzzer bug fixes to better reject malformed
+ fonts.
+ * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
+ been removed.These two functions were public by oversight only
+ and were never documented.
+ * A new function `FT_Error_String' returns descriptions of error
+ codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
+ defined.
+ * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
+ functions limited to Adobe MultiMaster fonts to directly set and
+ get the weight vector.
+
+- Remove old ppc64 parts in spec file
+- Refresh patches:
+ + bugzilla-308961-cmex-workaround.patch
+ + don-t-mark-libpng-as-required-library.patch
+ + enable-long-family-names-by-default.patch
+- Enable subpixel rendering with infinality config:
+ + enable-subpixel-rendering.patch
+ + enable-infinality-subpixel-hinting.patch
+
+- Re-enable freetype-config, there is just too many fallouts.
+
+- Update to version 2.9.1
+ * Type 1 fonts containing flex features were not rendered
+ correctly (bug introduced in version 2.9).
+ * CVE-2018-6942: Older FreeType versions can crash with certain
+ malformed variation fonts.
+ * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
+ * Emboldening of bitmaps didn't work correctly sometimes, showing
+ various artifacts (bug introduced in version 2.8.1).
+ * The auto-hinter script ranges have been updated for Unicode 11.
+ No support for new scripts have been added, however, with the
+ exception of Georgian Mtavruli.
+- freetype-config is now deprecated by upstream and not enabled
+ by default.
+- Drop upstreamed patches:
+ * bnc1079600.patch
+ * psaux-flex.patch
+ * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch
+ * 0001-truetype-Better-protection-against-invalid-VF-data.patch
+
+- Add bnc1079600.patch: Fix several integer overflow issues in
+ truetype/ttinterp.c (bsc#1079600)
+
+- Refresh spec-file via spec-cleaner.
+- Add shell script freetype2.sh in separate package
+ freetype2-profile-tti35 in order to be able to set TrueType
+ interpreter version 35 (boo#1084085).
+
+- Added patch:
+ * enable-long-family-names-by-default.patch
+ + Define PCF_CONFIG_OPTION_LONG_FAMILY_NAMES to obtain 2.7.1
+ behaviour
+
+- Added patches:
+ * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch
+ + Upstream fix for bsc#1079603: Avoid NULL reference in
+ src/truetype/ttinterp.c
+ * 0001-truetype-Better-protection-against-invalid-VF-data.patch
+ + Upstream fix for bsc#1079601: Protection against invalid VF
+ data
+
+- Add psaux-flex.patch to fix a regression in Type1 rendering
+
+- Update to version 2.9
+ * Advance width values of variation fonts were often wrong.
+ * More fixes for variation font support; you should update to
+ this version if you want to support them.
+ * As a GSoC project, Ewald Hew extended the new (Adobe) CFF
+ engine to handle Type 1 fonts also, thus greatly improving
+ the rendering of this format. This is the new default.
+ * A new function, `FT_Set_Named_Instance', can be used to set
+ or change the current named instance.
+ * Starting with this FreeType version, resetting variation
+ coordinates will return to the currently selected named
+ instance. Previously, FreeType returned to the base font
+ (i.e., no instance set).
+ * Some fuzzer fixes to better reject malformed fonts.
+
+- Update to version 2.8.1
+ * B/W hinting of TrueType fonts didn't work properly if
+ interpreter version 38 or 40 was selected.
+ * Some severe problems within the handling of TrueType Variation
+ Fonts were found and fixed.
+ * Function `FT_Set_Var_Design_Coordinates' didn't correctly handle
+ the case with less input coordinates than axes.
+ * By default, FreeType now offers high quality LCD-optimized
+ output without resorting to ClearType techniques of resolution
+ tripling and filtering. In this method, called Harmony, each
+ color channel is generated separately after shifting the glyph
+ outline, capitalizing on the fact that the color grids on LCD
+ panels are shifted by a third of a pixel. This output is
+ indistinguishable from ClearType with a light 3-tap filter.
+ * Using the new function `FT_Get_Var_Axis_Flags', an application
+ can access the `flags' field of a variation axis (introduced in
+ OpenType version 1.8.2)
+ * FreeType now synthesizes a missing Unicode cmap for (older)
+ TrueType fonts also if glyph names are available.
+ * The warping option has moved from `light' to `normal' hinting
+ where it replaces the original hinting algorithm. The `light'
+ mode is now always void of any hinting in x-direction.
+
+- Update to version 2.8
+ * Support for OpenType Variation Fonts is now complete. The last
+ missing part was handling the `VVAR' and `MVAR' tables, which is
+ available with this release.
+ * A new function `FT_Face_Properties' allows the control of some
+ module and library properties per font. Currently, the
+ following properties can be handled: stem darkening, LCD filter
+ weights, and the random seed for the `random' CFF operator.
+ * The PCF change to show more `colourful' family names (introduced
+ in version 2.7.1) was too radical; it can now be configured with
+ PCF_CONFIG_OPTION_LONG_FAMILY_NAMES at compile time. If
+ activated, it can be switched off at run time with the new pcf
+ property `no-long-family-names'. If the `FREETYPE_PROPERTIES'
+ environment variable is available, you can say
+ FREETYPE_PROPERTIES=pcf:no-long-family-names=1
+ * Support for the following scripts has been added to the
+ auto-hinter.
+ Adlam, Avestan, Bamum, Buhid, Carian, Chakma, Coptic, Cypriot,
+ Deseret, Glagolitic, Gothic, Kayah, Lisu, N'Ko, Ol Chiki, Old
+ Turkic, Osage, Osmanya, Saurashtra, Shavian, Sundanese, Tai
+ Viet, Tifinagh, Unified Canadian Syllabics, Vai
+ * `Light' auto-hinting mode no longer uses TrueType metrics for
+ TrueType fonts. This bug was introduced in version 2.4.6,
+ causing horizontal scaling also. Almost all GNU/Linux
+ distributions (with Fedora as a notable exception) disabled the
+ corresponding patch for good reasons; chances are thus high that
+ you won't notice a difference.
+ * If a TrueType font gets loaded with FT_LOAD_NO_HINTING, FreeType
+ now scales the font linearly again (bug introduced in version
+ 2.4.6).
+ * Fixed CVE-2017-8105, CVE-2017-8287: Older FreeType versions
+ have out-of-bounds writes caused by heap-based buffer overflows
+ related to Type 1 fonts. (boo#1035807, boo#1036457)
+- See https://sourceforge.net/projects/freetype/files/freetype2/2.8/ for
+ the complete changelog.
+
+- Update to version 2.7.1:
+ * IMPORTANT CHANGES
+ + Support for the new CFF2 font format as introduced with
+ OpenType 1.8 has been contributed by Dave Arnolds from Adobe.
+ + Preliminary support for variation fonts as specified in
+ OpenType 1.8 (in addition to the already existing support for
+ Adobe's MM and Apple's GX formats). Dave Arnolds contributed
+ handling of advance width change variation; more will come in
+ the next version.
+ * IMPORTANT BUG FIXES
+ + Handling of raw CID fonts was partially broken (bug introduced
+ in 2.6.4).
+ * MISCELLANEOUS
+ + Some limits for TrueType bytecode execution have been tightened
+ to speed up FreeType's handling of malformed fonts, in
+ particular to quickly abort endless loops.
+ + The number of twilight points can no longer be set to an
+ arbitrarily large value.
+ + The total number of jump opcode instructions (like JMPR) with
+ negative arguments is dynamically restricted; the same holds
+ for the total number of iterations in LOOPCALL opcodes.
+ + The dynamic limits are based on the number of points in a glyph
+ and the number of CVT entries. Please report if you encounter a
+ font where the selected values are not adequate.
+ + PCF family names are made more `colourful'; they now include the
+ foundry and information whether they contain wide characters.
+ For example, you no longer get `Fixed' but rather `Sony Fixed'
+ or `Misc Fixed Wide'.
+ + A new function `FT_Get_Var_Blend_Coordinates' (with its alias
+ name `FT_Get_MM_Blend_Coordinates') to retrieve the normalized
+ blend coordinates of the currently selected variation instance
+ has been added to the Multiple Masters interface.
+ + A new function `FT_Get_Var_Design_Coordinates' to retrieve the
+ design coordinates of the currently selected variation instance
+ has been added to the Multiple Masters interface.
+ + A new load flag `FT_LOAD_BITMAP_METRICS_ONLY' to retrieve bitmap
+ information without loading the (embedded) bitmap itself.
+ + Retrieving advance widths from bitmap strikes (using
+ `FT_Get_Advance' and `FT_Get_Advances') have been sped up.
+ + The usual round of fuzzer fixes to better reject malformed
+ fonts.
+- Drop freetype2-bitmap-foundry.patch, merged upstream.
+
+- update to version 2.7:
+ * IMPORTANT CHANGES
+ + As announced earlier, the 2.7.x series now uses the new subpixel
+ hinting mode as the default, emulating a modern version of
+ ClearType.
+ This change inevitably leads to different rendering results, and
+ you might change the `TT_CONFIG_OPTION_SUBPIXEL_HINTING'
+ configuration option to adapt it to your taste (or use the new
+ `FREETYPE_PROPERTIES' environment variable). See the
+ corresponding entry below for version 2.6.4, which gives more
+ information.
+ + A new option `FT_CONFIG_OPTION_ENVIRONMENT_PROPERTIES' has been
+ introduced. If set (which is the default), an environment
+ variable `FREETYPE_PROPERTIES' can be used to control driver
+ properties. Example:
+ FREETYPE_PROPERTIES=truetype:interpreter-version=35 \
+ cff:no-stem-darkening=1 \
+ autofitter:warping=1
+ This allows to select, say, the subpixel hinting mode at runtime
+ for a given application. See file `ftoption.h' for more.
+ * IMPORTANT BUG FIXES
+ + After loading a named instance of a GX variation font, the
+ `face_index' value in the returned `FT_Face' structure now
+ correctly holds the named instance index in the upper 16bits as
+ documented.
+ * MISCELLANEOUS
+ + A new macro `FT_IS_NAMED_INSTANCE' to test whether a given face
+ is a named instance.
+ + More fixes to GX font handling.
+ + Apple's `GETVARIATION' bytecode operator (needed for GX
+ variation font support) has been implemented.
+ + Another round of fuzzer fixes, mainly to reject invalid fonts
+ faster.
+ + Handling of raw CID fonts was broken (bug introduced in version
+ 2.6.4).
+ + The smooth rasterizer has been streamlined to make it faster by
+ approx. 20%.
+ + The `ftgrid' demo program now understands command line option
+ `-d' to give start-up design coordinates.
+ + The `ftdump' demo program has a new command line option `-p' to
+ dump TrueType bytecode instructions.
+- removed freetype2-subpixel.patch in favor of above
+ FREETYPE_PROPERTIES environment variable
+
+- Update to version 2.6.5:
+ + Compilation works again on Mac OS X (bug introduced in version
+ 2.6.4).
+ + The new subpixel hinting mode is now disabled by default; it
+ will be enabled by default in the forthcoming 2.7.x series.
+ Main reason for reverting this feature is the principle of least
+ surprise: a sudden change in appearance of all fonts (even if
+ the rendering improves for almost all recent fonts) should not
+ be expected in a new micro version of a series.
+- Rebase freetype2-subpixel.patch.
+
+- Upadte to version 2.6.4:
+ * A new subpixel hinting mode, which is now the default rendering
+ mode for TrueType fonts. It implements (almost everything of)
+ version 40 of the bytecode engine. The existing code base in
+ FreeType (the `Infinality code') was stripped to the bare
+ minimum and all configurability removed in the name of speed
+ and simplicity. The configurability was mainly aimed at legacy
+ fonts like Arial, Times New Roman, or Courier. [Legacy fonts
+ are fonts that modify vertical stems to achieve clean
+ black-and-white bitmaps.] The new mode focuses on applying a
+ minimal set of rules to all fonts indiscriminately so that
+ modern and web fonts render well while legacy fonts render
+ okay. Activation of the subpixel hinting support can be
+ controlled with the `TT_CONFIG_OPTION_SUBPIXEL_HINTING'
+ configuration option at compile time: If set to value 1, you
+ get the old Infinality mode (which was never the default due to
+ its slowness). Value 2 activates the new subpixel hinting mode,
+ and value 3 activates both. The default is value 2. At run
+ time, you can select the subpixel hinting mode with the
+ `interpreter-version' property (provided you have compiled in
+ the corresponding hinting mode); see `ftttdrv.h' for more.
+ * Support for the following scripts has been added to the
+ auto-hinter: Armenian, Cherokee, Ethiopic, Georgian, Gujarati,
+ Gurmukhi, Malayalam, Sinhala, Tamil.
+- Rebase freetype2-subpixel.patch.
+
+- Update to version 2.6.3
+ * IMPORTANT CHANGES
+ - Khmer, Myanmar, Bengali, and Kannada script support has been
+ added to the auto-hinter.
+ * MISCELLANEOUS
+ - Better support of Indic scripts like Devanagari by using a
+ top-to-bottom hinting flow.
+ - All FreeType macros starting with two underscores have been
+ renamed to avoid a violation of both the C and C++ standards.
+ Example: Header macros of the form `__FOO_H__' are now called
+ `FOO_H_'. In most cases, this should be completely transparent
+ to the user. The exception to this is `__FTERRORS_H__', which
+ must be sometimes undefined by the user to get FreeType error
+ strings: Both this form and the new `FTERRORS_H_' macro are
+ accepted for backwards compatibility.
+ - Minor improvements mainly to the Type 1 driver.
+ - The new CFF engine now supports all Type 2 operators except
+ `random'.
+ - The macro `_STANDALONE_', used for compiling the B/W and smooth
+ rasterizers as stand-alone modules, has been renamed to
+ `STANDALONE_', since macro names starting with an underscore and
+ followed by an uppercase letter are reserved in both C and C++.
+ - Function `FT_Library_SetLcdFilterWeights' now also activates
+ custom LCD filter weights (instead of just adjusting them).
+ - Support for `unpatented hinting' has been completely removed:
+ Consequently, the two functions `FT_Face_CheckTrueTypePatents'
+ and `FT_Face_SetUnpatentedHinting' now return always false,
+ doing nothing.
+
+- Update to version 2.6.2
+ * IMPORTANT CHANGES
+ - The auto-hinter now supports stem darkening, to be controlled by
+ the new `no-stem-darkening' and `darkening-parameters'
+ properties. This is an experimental feature contributed by
+ Nikolaus Waxweiler, and the interface might change in a future
+ release.
+ - By default, stem darkening is now switched off (for both the CFF
+ engine and the auto-hinter). The main reason is that you need
+ linear alpha blending and gamma correction to get correct
+ rendering results, and the latter is not yet available in most
+ freely available rendering stacks like X11. Applying stem
+ darkening without proper gamma correction leads to far too dark
+ rendering results.
+ - The meaning of `FT_RENDER_MODE_LIGHT' has been slightly
+ modified. It now essentially means `no hinting along the
+ horizontal axis'; in particular, no change of glyph advance
+ widths. Consequently, the auto-hinter is used for all scalable
+ font formats except for CFF. It is planned that other
+ font-specific rendering engines (TrueType, Type 1) will follow.
+ * MISCELLANEOUS
+ - The default LCD filter has been changed to be normalized and
+ color-balanced.
+ - For better compatibility with FontConfig, function
+ `FT_Library_SetLcdFilter' accepts a new enumeration value
+ `FT_LCD_FILTER_LEGACY1' (which has the same meaning as
+ `FT_LCD_FILTER_LEGACY').
+ - A large number of bugs have been detected by using the libFuzzer
+ framework, which should further improve handling of invalid
+ fonts. Thanks again to Kostya Serebryany and Bungeman!
+ - `TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES', a new configuration
+ option, controls the maximum number of executed opcodes within a
+ bytecode program. You don't want to change this except for very
+ special situations (e.g., making a library fuzzer spend less
+ time to handle broken fonts).
+ - The smooth renderer has been made faster.
+
+- Update to version 2.6.1
+ * IMPORTANT BUG FIXES
+ - It turned out that for CFFs only the advance widths should be
+ taken from the `htmx' table, not the side bearings. This bug,
+ introduced in version 2.6.0, makes it necessary to upgrade if
+ you are using CFFs; otherwise, you get cropped glyphs with GUI
+ interfaces like GTK or Qt.
+ - Accessing Type 42 fonts returned incorrect results if the glyph
+ order of the embedded TrueType font differs from the glyph order
+ of the Type 42 charstrings table.
+ * IMPORTANT CHANGES
+ - The header file layout has been changed (again), moving all
+ header files except `ft2build.h' into a subdirectory tree.
+ Doing so reduces the possibility of header file name clashes
+ (e.g., FTGL's `FTGlyph.h' with FreeType's `ftglyph.h') on case
+ insensitive file systems like Mac OS X or Windows.
+ Applications that use (a) the `freetype-config' script or
+ FreeType's `freetype2.pc' file for pkg-config to get the include
+ directory for the compiler, and (b) the documented way for
+ header inclusion like
+ [#]include <ft2build.h>
+ [#]include FT_FREETYPE_H
+ ...
+ don't need any change to the source code.
+ - Simple access to named instances in GX variation fonts is now
+ available (in addition to the previous method via FreeType's MM
+ interface). In the `FT_Face' structure, bits 16-30 of the
+ `face_index' field hold the current named instance index for the
+ given face index, and bits 16-30 of `style_flags' contain the
+ number of instances for the given face index. `FT_Open_Face'
+ and friends also understand the extended bits of the face index
+ parameter.
+ You need to enable TT_CONFIG_OPTION_GX_VAR_SUPPORT for this new
+ feature. Otherwise, bits 16-30 of the two fields are zero (or
+ are ignored).
+ - Lao script support has been added to the auto-hinter.
+ * MISCELLANEOUS
+ - The auto-hinter's Arabic script support has been enhanced.
+ - Superscript-like and subscript-like glyphs as used by various
+ phonetic alphabets like the IPA are now better supported by the
+ auto-hinter.
+ - The TrueType bytecode interpreter now runs slightly faster.
+ - Improved support for builds with cmake.
+ - The function `FT_CeilFix' now always rounds towards plus
+ infinity.
+ - The function `FT_FloorFix' now always rounds towards minus
+ infinity.
+ - A new load flag `FT_LOAD_COMPUTE_METRICS' has been added; it
+ makes FreeType ignore pre-computed metrics, as needed by font
+ validating or font editing programs. Right now, only the
+ TrueType module supports it to ignore data from the `hdmx'
+ table.
+ - Another round of bug fixes to better handle broken fonts, found
+ by Kostya Serebryany <kcc@google.com>.
+- Dropping upstreamed patch Dont-use-hmtx-table-for-LSB.patch.
+
+- Add Dont-use-hmtx-table-for-LSB.patch: Fixes gnu#45520, cut off
+ fonts in gtk and qt. Taken from upstream git.
+
+- Update to version 2.6
+ * Thread safety improvements
+ * Thai script support has been added to the auto-hinter.
+ * Arabic script support has been added to the auto-hinter.
+ * Following OpenType version 1.7, advance widths and side bearing
+ values in CFFs (wrapped in an SFNT structure) are now always
+ taken from the `hmtx' table.
+ * Following OpenType version 1.7, the PostScript font name of a
+ CFF font (wrapped in an SFNT structure) is now always taken from
+ the `name' table. This is also true for OpenType Collections
+ (i.e., TTCs using CFFs subfonts instead of TTFs), where it may
+ have a significant difference.
+ * Fonts natively hinted for ClearType are now supported, properly
+ handling selector index 3 of the INSTCTRL bytecode instruction.
+ * Major improvements to the GX TrueType variation font handling.
+
+- Merge with the version 2.5.5 from openSUSE:Factory
+- Removed patches:
+ * CVE-2014-9656.patch
+ * CVE-2014-9657.patch
+ * CVE-2014-9658.patch
+ * CVE-2014-9659.patch
+ * CVE-2014-9660.patch
+ * CVE-2014-9661.patch
+ * CVE-2014-9662.patch
+ * CVE-2014-9663.patch
+ * CVE-2014-9664.patch
+ * CVE-2014-9665.patch
+ * CVE-2014-9666.patch
+ * CVE-2014-9667.patch
+ * CVE-2014-9668.patch
+ * CVE-2014-9669.patch
+ * CVE-2014-9670.patch
+ * CVE-2014-9671.patch
+ * CVE-2014-9672.patch
+ * CVE-2014-9673.patch
+ * CVE-2014-9674.patch
+ * CVE-2014-9675.patch
+ - Integrated in the 2.5.5 release
+- Modified patches:
+ * don-t-mark-libpng-as-required-library.patch
+ * bugzilla-308961-cmex-workaround.patch
+ * freetype2-subpixel.patch
+ * freetype2-bitmap-foundry.patch
+ * overflow.patch
+ - Adapt to the new version of sources
+
+- Modified patch:
+ * CVE-2014-9671.patch
+ - Adapt the code to correspond to the current git master of
+ freetype2 (fixes bsc#933247)
+
+- Enable the bz2 compression in freetype2
+- Remove patch overflow.patch from freetype2.spec where it is not
+ applied.
+- Run spec-cleaner on the spec file.
+
+- fixed vulnerabilities (bnc#916847, bnc#916856, bnc#916857,
+ bnc#916858, bnc#916859, bnc#916860, bnc#916861, bnc#916862,
+ bnc#916863, bnc#916864, bnc#916865, bnc#916867, bnc#916868,
+ bnc#916870, bnc#916871, bnc#916872, bnc#916873, bnc#916874,
+ bnc#916879, bnc#916881)
+ - CVE-2014-9656.patch
+ - CVE-2014-9657.patch
+ - CVE-2014-9658.patch
+ - CVE-2014-9659.patch
+ - CVE-2014-9660.patch
+ - CVE-2014-9661.patch
+ - CVE-2014-9662.patch
+ - CVE-2014-9663.patch
+ - CVE-2014-9664.patch
+ - CVE-2014-9665.patch
+ - CVE-2014-9666.patch
+ - CVE-2014-9667.patch
+ - CVE-2014-9668.patch
+ - CVE-2014-9669.patch
+ - CVE-2014-9670.patch
+ - CVE-2014-9671.patch
+ - CVE-2014-9672.patch
+ - CVE-2014-9673.patch
+ - CVE-2014-9674.patch
+ - CVE-2014-9675.patch
+
+- Update to version 2.5.5
+ * IMPORTANT BUG FIXES
+ - Handling of uncompressed PCF files works again (bug
+ introduced in version 2.5.4).
+- Drop freetype2-2.5.3-fix-pcf.patch, merged upstream
+
+- Update to version 2.5.4
+ * IMPORTANT BUG FIXES
+ - A variant of vulnerability CVE-2014-2240 was identified
+ (cf. http://savannah.nongnu.org/bugs/?43661) and fixed
+ in the new CFF driver. All users should upgrade.
+ - The new auto-hinter code using HarfBuzz crashed for some
+ invalid fonts.
+ - Many fixes to better protect against malformed input.
+ * IMPORTANT CHANGES
+ - Full auto-hinter support of the Devanagari script.
+ - Experimental auto-hinter support of the Telugu script.
+ - CFF stem darkening behaviour can now be controlled at
+ build time using the eight macros
+ CFF_CONFIG_OPTION_DARKENING_PARAMETER_{X,Y}{1,2,3,4} .
+ - Some fields in the `FT_Bitmap' structure have been changed
+ from signed to unsigned type, which better reflects
+ the actual usage. It is also an additional means to
+ protect against malformed input. This change doesn't break
+ the ABI; however, it might cause compiler warnings.
+ * MISCELLANEOUS
+ - Improvements to the auto-hinter's algorithm to recognize
+ stems and local extrema.
+ - Function `FT_Get_SubGlyph_Info' always returned an error
+ even in case of success.
+ - Version 2.5.1 introduced major bugs in the cjk part of
+ the auto-hinter, which are now fixed.
+ - The `FT_Sfnt_Tag' enumeration values have been changed to
+ uppercase, e.g. `FT_SFNT_HEAD'. The lowercase variants
+ are deprecated. This is for orthogonality with all other
+ enumeration (and enumeration-like) values in FreeType.
+ - `cmake' now supports builds of FreeType as an OS X framework
+ and for iOS.
+ - Improved project files for vc2010,
+ introducing a property file
+ - The documentation generator for the API reference has been
+ updated to produce better HTML code (with proper CSS).
+ At the same time, the documentation got a better structure.
+ - The FT_LOAD_BITMAP_CROP flag is obsolete; it is not used
+ by any driver.
+ - The TrueType DELTAP[123] bytecode instructions now work in
+ subpixel hinting mode as described in the ClearType
+ whitepaper (i.e., for touched points in the
+ non-subpixel direction).
+ - Many small improvements to the internal arithmetic routines.
+- Rebase don-t-mark-libpng-as-required-library.patch,
+ bugzilla-308961-cmex-workaround.patch, freetype2-subpixel.patch,
+ freetype2-bitmap-foundry.patch and overflow.patch
+- Add freetype2-2.5.3-fix-pcf.patch from upstream to resolve
+ http://savannah.nongnu.org/bugs/?43774, "Freetype 2.5.4 does not
+ load ungzipped PCF fonts"
+
libpng16
+- security update
+- added patches
+ CVE-2019-7317 [bsc#1124211]
+ + libpng16-CVE-2019-7317.patch
+
+- asan_build: build ASAN included
+- debug_build: build more suitable for debugging, install pngcp
+- usecase example: [bsc#1121624]
+
+- security update:
+ * CVE-2018-13785 [bsc#1100687]
+ + libpng16-CVE-2018-13785.patch
+
+- check with -j1
+
+- Fix SRPM group and grammar issues.
+
+- removed obsoleted Obsoletes
+
+- update to 1.6.34:
+ * Removed contrib/pngsuite/i*.png; some of these were incorrect
+ and caused test failures.
+- includes 1.6.33:
+ * Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added
+ missing parenthesis in contrib/pngminus/pnm2png.c
+ * Fixed off-by-one error in png_do_check_palette_indexes()
+ * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc
+ to fix shortlived oss-fuzz issue 3234.
+ * Compute a larger limit on IDAT because some applications write
+ a deflate buffer for each row
+ * Use current date (DATE) instead of release-date (RDATE) in last
+ changed date of contrib/oss-fuzz files.
+ * Enabled ARM support in CMakeLists.txt
+ * Fixed incorrect typecast of some arguments to png_malloc() and
+ png_calloc() that were png_uint_32 instead of png_alloc_size_t
+ * Use pnglibconf.h.prebuilt when building for ANDROID with cmake
+ * Initialize memory allocated by png_inflate to zero, using
+ memset, to stop an oss-fuzz "use of uninitialized value"
+ detection in png_set_text_2() due to truncated iTXt or zTXt
+ chunk.
+ * Initialize memory allocated by png_read_buffer to zero, using
+ memset, to stop an oss-fuzz "use of uninitialized value"
+ detection in png_icc_check_tag_table() due to truncated iCCP
+ chunk.
+ * Removed redundant tests
+ * Added an interlaced version of each file in contrib/pngsuite.
+ * Relocate new memset() call in pngrutil.c
+ * Add support for loading images with associated alpha in the
+ Simplified API
+ * Revert contrib/oss-fuzz/libpng_read_fuzzer.cc to libpng-1.6.32
+ state
+ * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc
+ * Add end_info structure and png_read_end() to the libpng fuzzer
+- includes 1.6.32:
+ * Avoid possible NULL dereference in png_handle_eXIf when
+ benign_errors are allowed. Avoid leaking the input buffer
+ "eXIf_buf".
+ * Eliminated png_ptr->num_exif member from pngstruct.h and added
+ num_exif to arguments for png_get_eXIf() and png_set_eXIf().
+ * Added calls to png_handle_eXIf(() in pngread.c and
+ png_write_eXIf() in pngwrite.c, and made various other fixes
+ to png_write_eXIf().
+ * Changed name of png_get_eXIF and png_set_eXIf() to
+ png_get_eXIf_1() and png_set_eXIf_1(), respectively, to avoid
+ breaking API compatibility with libpng-1.6.31.
+ * Updated contrib/libtests/pngunknown.c with eXIf chunk.
+ * Initialized btoa[] in pngstest.c
+ * Stop memory leak when returning from png_handle_eXIf() with an
+ error
+ * Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf().
+ * Update libpng.3 and libpng-manual.txt about eXIf functions.
+ * Restored png_get_eXIf() and png_set_eXIf() to maintain API
+ compatability.
+ * Removed png_get_eXIf_1() and png_set_eXIf_1().
+ * Check length of all chunks except IDAT against user limit to
+ fix an OSS-fuzz issue (Fixes CVE-2017-12652)
+ * Check length of IDAT against maximum possible IDAT size,
+ accounting for height, rowbytes, interlacing and zlib/deflate
+ overhead.
+ * Restored png_get_eXIf_1() and png_set_eXIf_1(), because
+ strlen(eXIf_buf) does not work (the eXIf chunk data can
+ contain zeroes).
+ * Revised symlink creation, no longer using deprecated cmake
+ LOCATION feature
+ * Fixed five-byte error in the calculation of IDAT maximum
+ possible size.
+ * Moved chunk-length check into a png_check_chunk_length()
+ private function
+ * Moved bad pngs from tests to contrib/libtests/crashers
+ * Moved testing of bad pngs into a separate
+ tests/pngtest-badpngs script
+ * Added the --xfail (expected FAIL) option to pngtest.c. It
+ writes XFAIL in the output but PASS for the libpng test.
+ * Require cmake-3.0.2 in CMakeLists.txt
+ * Fix "const" declaration info_ptr argument to png_get_eXIf_1()
+ and the num_exif argument to png_get_eXIf_1()
+ * Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks().
+ * Added huge_IDAT.png and empty_ancillary_chunks.png to
+ testpngs/crashers.
+ * Make pngtest --strict, --relax, --xfail options imply -m
+ (multiple).
+ * Removed unused chunk_name parameter from png_check_chunk_length().
+ * Relocated setting free_me for eXIf data, to stop an OSS-fuzz'
+ leak.
+ * Initialize profile_header[] in png_handle_iCCP() to fix
+ OSS-fuzz issue.
+ * Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix
+ OSS-fuzz UMR.
+ * Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
+ * Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(),
+ to account for the minimum 'deflate' stream, and relocate the
+ test to a point after the keyword has been read.
+ * Check that the eXIf chunk has at least 2 bytes and begins with
+ "II" or "MM".
+ * Added a set of "huge_xxxx_chunk.png" files to
+ contrib/testpngs/crashers, one for each known chunk type, with
+ length = 2GB-1.
+ * Check for 0 return from png_get_rowbytes() and added some
+ (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity
+ issues (162705, 162706, and 162707).
+ * Renamed chunks in contrib/testpngs/crashers to avoid having
+ files whose names differ only in case; this causes problems with
+ some platforms
+ * Added contrib/oss-fuzz directory which contains files used by
+ the oss-fuzz project
+- cleanup with spec-cleaner
+
+- update to 1.6.31:
+ * Guard the definition of _POSIX_SOURCE in pngpriv.h.
+ * Revised pngpriv.h to work around failure to compile
+ arm/filter_neon.S.
+ * Added "Requires: zlib" to libpng.pc.in.
+ * Added special case for FreeBSD in arm/filter_neon.S.
+ * Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent
+ possible integer overflow.
+ * Added eXIf chunk support.
+- remove upstreamed
+ 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch
+
+- Drop png-version-info-only.patch, it has no effect after applying
+ 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch
+ Both patches achieve the same, prefer the upstream version
+
+- Add 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch
+ Fix build on ARM
+
+- png-version-info-only.patch: fix missing PNG_VERSION_INFO_ONLY check
+
+- update to 1.6.30:
+ Revised documentation of png_get_error_ptr() in the libpng manual.
+ Document need to check for integer overflow when allocating a pixel
+ buffer for multiple rows in contrib/gregbook, contrib/pngminus,
+ example.c, and in the manual (suggested by Jaeseung Choi). This
+ is similar to the bug reported against pngquant in CVE-2016-5735.
+ Check for integer overflow in contrib/visupng and contrib/tools/genpng.
+ Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt.
+ Avoid writing an empty IDAT when the last IDAT exactly fills the
+ compression buffer (bug report by Brian Baird). This bug was
+ introduced in libpng-1.6.0.
+ Add a reference to the libpng.download site in README.
+
+- update to 1.6.29:
+ Moved SSE2 optimization code into the main libpng source directory.
+ Configure libpng with "configure --enable-intel-sse" or compile
+ libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it.
+ Added code for PowerPC VSX optimisation (Vadim Barkov).
+ Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
+
+- update to 1.6.28: fix build issues
+
+- update to 1.6.27: fixes CVE-2016-10087
+
+- update to 1.6.26:
+ Fixed handling zero length IDAT in pngfix (bug report by Agostino Sarubbo,
+ bugfix by John Bowler).
+ Do not issue a png_error() on read in png_set_pCAL() because
+ png_handle_pCAL has allocated memory that libpng needs to free.
+ Issue a png_benign_error instead of a png_error on ADLER32 mismatch
+ while decoding compressed data chunks.
+ Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and
+ pngrutil.c.
+ If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE,
+ ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs.
+ Issue png_benign_error() on ADLER32 checksum mismatch instead of
+ png_error().
+ Updated the documentation about CRC and ADLER32 handling.
+ Fixed offsets in contrib/intel/intel_sse.patch
+ Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h
+ to avoid a signed/unsigned compare in the preprocessor.
+ Use zlib-1.2.8.1 inflateValidate() instead of inflateReset2() to
+ optionally avoid ADLER32 evaluation.
+
+- update to 1.6.25:
+ Reject oversized iCCP profile immediately.
+ Conditionally compile png_inflate().
+ Don't install pngcp; it conflicts with pngcp in the pngtools package.
+ Added MIPS support (Mandar Sahastrabuddhe <
+
+- update to 1.6.24:
+ Avoid potential overflow of the PNG_IMAGE_SIZE macro.
+ Correct filter heuristic overflow handling.
+ Use a more efficient absolute value calculation on SSE2.
+ Added pngcp.
+ etc. see ANNOUNCE
+
+- Update to new upstream release 1.6.23
+ * Fixes a potential memleak in png_set_tRNS.
+ * Fixed the progressive reader to handle empty first IDAT
+ chunk properly.
+ * Added tests in pngvalid.c to check zero-length IDAT chunks
+ in various positions.
+ * Fixed the sequential reader to handle these more robustly.
+ * Corrected progressive read input buffer in pngvalid.c.
+ * Moved sse2 prototype from pngpriv.h to
+ contrib/intel/intel_sse.patch.
+ * Fixed undefined behavior in png_push_save_buffer().
+ Do not call memcpy() with a null source, even if count is zero.
+ * Fixed bad link to RFC2083 in png.5.
+
+- update to 1.6.22:
+ Added a png_image_write_to_memory() API and a number of assist macros
+ to allow an application that uses the simplified API write to bypass
+ stdio and write directly to memory.
+ Relaxed limit checks on gamma values in pngrtran.c. As suggested in
+ the comments gamma values outside the range currently permitted
+ by png_set_alpha_mode are useful for HDR data encoding. These values
+ are already permitted by png_set_gamma so it is reasonable caution to
+ extend the png_set_alpha_mode range as HDR imaging systems are starting
+ to emerge.
+ Restored "& 0xff" in png_save_uint_16() and png_save_uint_32() that
+ were accidentally removed from libpng-1.6.17.
+ Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h
+ (Robert C. Seacord).
+ Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.).
+ SSE filter speed improvements for bpp=3:
+ memcpy-free implementations of load3() / store3().
+ Added PNG_FAST_FILTERS macro (defined as
+ PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP).
+
+- Update to new upstream release 1.6.21
+ * Widened the 'limit' check on the internally calculated error limits in
+ the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
+ checks) and changed the check to only operate in non-release builds
+ (base build type not RC or RELEASE.)
+ * Fixed undefined behavior in pngvalid.c, undefined because
+ (png_byte) << shift is undefined if it changes the signed bit
+ (because png_byte is promoted to int). The libpng exported functions
+ png_get_uint_32 and png_get_uint_16 handle this.
+
+- update to 1.6.20:
+ Avoid potential pointer overflow/underflow in png_handle_sPLT() and
+ png_handle_pCAL() (Bug report by John Regehr).
+ Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
+ not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
+ vulnerability.
+ Backported tests from libpng-1.7.0beta69.
+ Fixed an error in handling of bad zlib CMINFO field in pngfix, found by
+ American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't
+ immediately fault a bad CMINFO field; instead a 'too far back' error
+ happens later (at least some times). pngfix failed to limit CMINFO to
+ the allowed values but then assumed that window_bits was in range,
+ triggering an assert. The bug is mostly harmless; the PNG file cannot
+ be fixed.
+ In libpng 1.6 zlib initialization was changed to use the window size
+ in the zlib stream, not a fixed value. This causes some invalid images,
+ where CINFO is too large, to display 'correctly' if the rest of the
+ data is valid. This provides a workaround for zlib versions where the
+ error arises (ones that support the API change to use the window size
+ in the stream).
+
+- update to 1.6.19:
+ Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
+ Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
+ Fixed the recently reported 1's complement security issue.
+ Fixed png_save_int_32 when int is not 2's complement by replacing
+ the value that is illegal in the PNG spec, in both signed and
+ unsigned values, with 0.
+ etc., see ANNOUNCE and CHANGES for details
+- removed: libpng-rgb_to_gray-checks.patch (upstreamed)
+
+- drop unknown configure switch
+
+- Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c.
+ + libpng-rgb_to_gray-checks.patch
+
+- updated to 1.6.17:
+ Corrected the width limit calculation in png_check_IHDR().
+ Removed user limits from pngfix. Also pass NULL pointers to
+ png_read_row to skip the unnecessary row de-interlace stuff.
+ Implement previously untested cases of libpng transforms in pngvalid.c
+ Fixed byte order in 2-byte filler, in png_do_read_filler().
+ Made the check for out-of-range values in png_set_tRNS() detect
+ values that are exactly 2^bit_depth, and work on 16-bit platforms.
+ Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47.
+ Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and
+ pngset.c to avoid warnings about dead code.
+ Do not build png_product2() when it is unused.
+ Display user limits in the output from pngtest.
+ Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
+ and 1-million-row default limits in pnglibconf.dfa, that can be reset
+ by the user at build time or run time. This provides a more robust
+ defense against DOS and as-yet undiscovered overflows.
+ Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default.
+ Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins).
+ Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block
+ of png.h.
+ Free the unknown_chunks structure even when it contains no data.
+ Fixed simplified 8-bit-linear to sRGB alpha. The calculated alpha
+ value was wrong. It's not clear if this affected the final stored
+ value; in the obvious code path the upper and lower 8-bits of the
+ alpha value were identical and the alpha was truncated to 8-bits
+ rather than dividing by 257 (John Bowler).
+
+- build with PNG_SAFE_LIMITS_SUPPORTED [bnc#912076], [bnc#912929]
+
+- updated to 1.6.16:
+ * Restored a test on width that was removed from png.c at libpng-1.6.9
+ (Bug report by Alex Eubanks).
+ * Fixed an overflow in png_combine_row with very wide interlaced images.
+
+- updated to 1.6.15:
+ * Avoid out-of-bounds memory access in png_user_version_check().
+ * Fixed incorrect handling of the iTXt compression.
+ * Free all allocated memory in pngimage.
+ * Fixed array size calculations to avoid warnings.
+ etc. see ANNOUNCE
+
libsndfile
+- Fix heap buffer overflow in flac_buffer_copy (CVE-2021-4156,
+ bsc#1194006):
+ libsndfile-CVE-2021-4156.patch
+
+- Fix heap buffer overflow vulnerability in msadpcm_decode_block
+ (CVE-2021-3246, bsc#1188540):
+ ms_adpcm-Fix-and-extend-size-checks.patch
+
+- Fix segfault in wav conversion due to the invalid loop count
+ (CVE-2018-19758, bsc#1117954):
+ libsndfile-wav-loop-count-fix.patch
+
+- Fix buffer overflow in sndfile-deinterleave, which isn't really a
+ security issue (bsc#1100167, CVE-2018-13139, bsc#1116993,
+ CVE-2018-19432):
+ sndfile-deinterlace-channels-check.patch
+
+- Use license file tag
+
+- Fix potential overflow in d2alaw_array() (CVE-2017-17456,
+ bsc#1071777):
+ libsndfile-CVE-2017-17456-alaw-range-check.patch
+- Fix potential overflow in d2ulaw_array() (CVE-2017-17457,
+ bsc#1071767):
+ libsndfile-CVE-2017-17457-ulaw-range-check.patch
+
+- Fix VUL-0: divide-by-zero error exists in the function
+ double64_init() in double64.c (CVE-2017-14634, bsc#1059911):
+ 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
+- Tentative fix for VUL-0: out of bounds read in the function
+ d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and
+ VUL-0: out of bounds read in the function d2ulaw_array() in
+ ulaw.c (CVE-2017-14246, bsc#1059913):
+ 0031-sfe_copy_data_fp-check-value-of-max-variable.patch
+
+- Fix Heap-based Buffer Overflow in the psf_binheader_writef
+ (CVE-2017-12562, bsc#1052476):
+ 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
+
+- Fix out-of-bounds read memory access in the aiff_read_chanmap()
+ (CVE-2017-6892, bsc#1043978):
+ 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
+
+- Fix FLAC buffer overflows (CVE-2017-8361 CVE-2017-8363
+ CVE-2017-8365 CVE-2017-8362 bsc#1036944 bsc#1036945 bsc#1036946
+ bsc#1036943):
+ 0001-FLAC-Fix-a-buffer-read-overrun.patch
+ 0002-src-flac.c-Fix-a-buffer-read-overflow.patch
+
+- Update to version 1.0.27:
+ * Fix a seek regression in 1.0.26
+ * Add metadata read/write for CAF and RF64
+ * FIx PAF endian-ness issue
+- Update to version 1.0.28
+ * Fix buffer overruns in FLAC and ID3 handling code
+ (CVE-2017-7585, CVE-2017-7586, bsc#1033054, bsc#1033053)
+ * Reduce default header memory requirements
+ * Fix detection of Large File Support for 32 bit systems.
+- Obsoleted patch:
+ libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
+
+- Fix spec file to enable builds on non opensuse OS
+
+- Update to version 1.0.26:
+ * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805.
+ * Add ALAC/CAF support. Minor bug fixes and improvements.
+- Refreshed patches:
+ sndfile-ocloexec.patch
+ libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
+- Removed obsoleted patches:
+ libsndfile-example-fix.diff
+ libsndfile-fix-header-read-CVE-2015-7805.patch
+ libsndfile-paf-zero-division-fix.diff
+ libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
+ libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
+ sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
+ sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
+
+- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516)
+ libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
+ libsndfile-fix-header-read-CVE-2015-7805.patch
+- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519)
+ libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
+- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro
+
+- VUL-1: libsndfile DoS/divide-by-zero (CVE-2014-9756, bsc#953521):
+ libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
+
+- Cleanup spec file with spec-cleaner
+- Add gpg signature
+- Remove old ppc provides/obsoletes
+
+- VUL-0: two buffer read overflows in sd2_parse_rsrc_fork()
+ (CVE-2014-9496, bnc#911796): backported upstream fix patches
+ sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
+ sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
+
openslp
+- Implement automatic active discovery retries so that DAs do
+ not get dropped if they are not reachable for some time
+ [bnc#1166637] [bnc#1184008]
+ new patch: openslp.unicastactivediscovery.diff
+
+- Add missing group(daemon) prerequires to the openslp-server
+ package [bnc#1165050]
+- Add missing openslp requires to the openslp-server package
+ [bnc#1165121]
+
+- Add missing zlib build dependency, which used to be pulled in
+ by libopenssl-devel. The package fails to build since the openssl
+ upgrade to 1.1.1 (bsc#1149792)
+
+- Use tcp connects to talk with other DAs [bnc#1117969]
+ new patch: openslp.tcpknownda.diff
+- Fix segfault in predicate match if a registered service has
+ a malformed attribute list [bnc#1136136]
+ new patch: openslp.nullattr.diff
+
+- Fix memory corruption when the sendbuf gets reallocated
+ [bnc#1090638] [CVE-2017-17833]
+ new patch: openslp.sendbuf_move.diff
+- Fix out of bounds reads in message parsing
+ new patch: openslp.parseoob.diff
+
+- move systemd notification before the chroot() call, otherwise
+ the notify function cannot reach systend's unix domain socket
+ [bnc#1089097]
+
+- Use %license (boo#1082318)
+- fix slpd using the peer address as local address for TCP
+ connections [bnc#1076035]
+ new patch: openslp.localaddr.diff
+- use tcp connections for unicast requests [bnc#1080964]
+ new patch: openslp.tcpunicast.diff
+
+- add separate source openslp.logrotate.systemd to
+ use systemctl reload for logrotate configuration
+
+- Add support for OpenSSL 1.1. Commit from upstream [bsc#1042665]
+ new patch: openslp.openssl-1.1.diff
+
+- Also update openslp.sd_notify.diff to use the new systemd lib
+
+- Replace pkgconfig(libsystemd-*) with pkgconfig(libsystemd)
+ Nowadays pkgconfig(libsystemd) replaces all libsystemd-* libs, which
+ are obsolete.
+
+- Fix bounds check in SLPFoldWhiteSpace
+ [bnc#1001600] [CVE-2016-7567]
+ new patch: openslp.foldws.diff
+
+- remove convenience code as changes bytes in the message
+ buffer breaking the verification code [bnc#994989]
+ new patch: openslp.noconvenience.diff
+- fix storage handling in predicate code, it clashed with gcc's
+ fortify_source extension [bnc#909195]
+ new patch: openslp.predicatestorage.diff
+- bring back allowDoubleEqualInPredicate option
+ new patch: openslp.doubleequal.diff
+- fix bug in openslp.initda.diff patch
+- fix rcopenslp helper
+- fix _xrealloc not checking the malloc return value
+ [bnc#980722] [CVE-2016-4912]
+ new patch: openslp.xrealloc.diff
+
+- Do not depend on fillup and insserv if the package build with
+ systemd support; the dependencies are not needed in that case
+