[AUTOPATCHER-CORE] Upgrade libpng to 1.6.39 Fix CVE-2022-3857 (#9317)

CBL-Mariner-Bot · mandeepsplaha · web-flow · commit 6af9f3d10adb · 2024-06-10T13:31:46.000-07:00
Co-authored-by: Mandeep Plaha &lt;mandeepplaha@microsoft.com&gt;
diff --git a/SPECS/libpng/libpng-fix-pngtest-random-failures.patch b/SPECS/libpng/libpng-fix-pngtest-random-failures.patch
diff --git a/SPECS/libpng/libpng.signatures.json b/SPECS/libpng/libpng.signatures.json
@@ -1,5 +1,5 @@
 {
- "Signatures": {
-  "libpng-1.6.37.tar.xz": "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
- }
-}
+  "Signatures": {
+    "libpng-1.6.39.tar.xz": "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
+  }
+}
diff --git a/SPECS/libpng/libpng.spec b/SPECS/libpng/libpng.spec
@@ -1,15 +1,14 @@
 Summary:        contains libraries for reading and writing PNG files.
 Name:           libpng
-Version:        1.6.37
-Release:        6%{?dist}
+Version:        1.6.39
+Release:        1%{?dist}
 License:        zlib
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Libraries
 # The site does NOT have an HTTPS cert available.
 URL:            http://www.libpng.org/
 Source0:        https://downloads.sourceforge.net/libpng/%{name}-%{version}.tar.xz
-Patch0:         libpng-fix-pngtest-random-failures.patch
 
 %description
 The libpng package contains libraries used by other programs for reading and writing PNG files. The PNG format was designed as a replacement for GIF and, to a lesser extent, TIFF, with many improvements and extensions and lack of patent problems.
@@ -23,7 +22,6 @@ It contains the libraries and header files to create applications
 
 %prep
 %setup -q
-%patch0 -p1
 
 %build
 %configure
@@ -59,6 +57,10 @@ make %{?_smp_mflags} -k check
 %{_mandir}/man3/*
 
 %changelog
+* Wed Jun 05 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.6.39-1
+- Auto-upgrade to 1.6.39 - Fix CVE-2022-3857
+- Remove patch - not needed in the new version
+
 * Fri Apr 22 2022 Olivia Crain <oliviacrain@microsoft.com> - 1.6.37-6
 - Remove explicit pkgconfig provides that are now automatically generated by RPM
 
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -10621,8 +10621,8 @@
         "type": "other",
         "other": {
           "name": "libpng",
-          "version": "1.6.37",
-          "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.37.tar.xz"
+          "version": "1.6.39",
+          "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.39.tar.xz"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -10621,8 +10621,8 @@`
`10621`	`10621`	`"type": "other",`
`10622`	`10622`	`"other": {`
`10623`	`10623`	`"name": "libpng",`
`10624`		`- "version": "1.6.37",`
`10625`		`- "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.37.tar.xz"`
	`10624`	`+ "version": "1.6.39",`
	`10625`	`+ "downloadUrl": "https://downloads.sourceforge.net/libpng/libpng-1.6.39.tar.xz"`
`10626`	`10626`	`}`
`10627`	`10627`	`}`
`10628`	`10628`	`},`