News and History of the PNG Development Group from 2015
Herein lie news items and historical stuff primarily of interest to the
Portable Network Graphics Development Group itself. Feel free to poke
around even if you're not a member, though. Note that some of the links,
particularly the older ones, are broken; in some cases this is explained by
later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to
reorganizations or upgrades; should they ever reappear, the entries below
will be updated as needed.
Keep in mind that this is history here...
- 17 December 2015 - libpng 1.5.26, 1.4.19, 1.2.56, and 1.0.66 (all old
branches) are released with a fix for an out-of-bounds read in
png_check_keyword() (CVE-2015-8540). The current branch (1.6.x) is not
vulnerable to the bug.
- 3 December 2015 - libpng 1.6.20 (and 1.5.25, 1.4.18, 1.2.55, and 1.0.65)
is released with fixes for a potential pointer overflow/underflow in
png_handle_sPLT()/png_handle_pCAL() (and in
png_handle_iTXt()/png_handle_zTXt() in the older branches) and for a bug in
the png_set_PLTE() implementation that left it open to the out-of-bounds
write bug (CVE-2015-8126) that was supposed to have been fixed in the
previous release. It also fixes a bug in pngfix with regard to the handling
of bad zlib CMINFO fields. (Such PNG files cannot be fixed, so the impact of
the bug was minor.)
- 12 November 2015 - libpng 1.6.19 (and 1.5.24, 1.4.17, 1.2.54, and 1.0.64)
is released with fixes for an out-of-bounds read in
png_set_tIME()/png_convert_to_rfc1123() (CVE-2015-7981) and for an
out-of-bounds write in png_get_PLTE()/png_set_PLTE() (CVE-2015-8126). It
also includes a huge number of code-quality fixes and improvements.
- 23 July 2015 - libpng 1.6.18 is
released with a large number of cleanups, minor bugfixes, and a pair of
new demo programs by John Bowler (contrib/examples/simpleover.c
and contrib/examples/genpng.c), the former of which shows
alpha-compositing of multiple images using the simplified API.
- 5 April 2015 - libpng 1.6.17 is
released with a number of strengthened security-related checks, a fix
for an incorrect alpha calculation in 8-bit-linear to sRGB conversion,
some build/configure updates, etc.
Last modified 20 December 2016.
Copyright © 1995-2016 Greg Roelofs.