Upgrade libpng to 1.6.37 (fixes vulnerability)

[mkoeppe]

The libpng homepage warns:

Vulnerability Warning

libpng versions 1.6.36 and earlier have a use-after-free bug in
the simplified libpng API png_image_free(). It has been assigned
ID CVE-2019-7317.
The vulnerability is fixed in version 1.6.37,
released on 15 April 2019.

Before this ticket we have libpng 1.6.29 which
has the vulnerability. This ticket upgrades to
libpng 1.6.37 which fixes it.

Previous update: #22159 (1.6.29)

Tarball: see checksums.ini

CC: @jpflori @frederichan-IMJPRG @tscrim @slel @dimpase

Component: packages: standard

Author: Matthias Koeppe

Reviewer: Dima Pasechnik

Issue created by migration from https://trac.sagemath.org/ticket/30564

[mkoeppe]

Branch: u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_

[mkoeppe]

New commits:

5ae93cc	build/pkgs/libpng: Upgrade to 1.6.37
569050b	build/pkgs/libpng/spkg-install.in: Remove outdated CFLAGS, CPPFLAGS settings
d6c59f4	build/pkgs/libpng/spkg-install.in: Do not build a static library

[mkoeppe]

Author: Matthias Koeppe

[mkoeppe]

Commit: d6c59f4

[slel]

Description changed:

--- 
+++ 
@@ -1,4 +1,17 @@
-http://www.libpng.org/pub/png/libpng.html
+The [libpng homepage](http://www.libpng.org/pub/png/libpng.html) warns:
+
+> Vulnerability Warning
+>
+>
+> libpng versions 1.6.36 and earlier have a use-after-free bug in
+> the simplified libpng API png_image_free(). It has been assigned
+> ID [CVE-2019-7317](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317).
+> The vulnerability is fixed in version 1.6.37,
+> released on 15 April 2019.
+
+Before this ticket we have libpng 1.6.29 which
+has the vulnerability. This ticket upgrades to
+libpng 1.6.37 which fixes it.
 
 Previous update: #22159 (1.6.29)
 

[dimpase]

comment:4

lgtm

[dimpase]

Reviewer: Dima Pasechnik

[mkoeppe]

comment:5

Thanks!

[vbraun]

Changed branch from u/mkoeppe/upgrade_libpng_to_1_6_37__fixes_vulnerability_ to d6c59f4

[vbraun]

comment:7

************************************************************************
Traceback (most recent call last):
  File "setup.py", line 48, in <module>
    from sage_setup.command.sage_build_cython import sage_build_cython
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/command/sage_build_cython.py", line 19, in <module>
    from sage_setup.library_order import library_order
  File "/Users/buildbot-sage/slave/sage_git/build/src/sage_setup/library_order.py", line 35, in <module>
    png_pc = pkgconfig.parse('libpng')
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 248, in parse
    _raise_if_not_exists(package)
  File "/Users/buildbot-sage/slave/sage_git/build/local/lib/python3.8/site-packages/pkgconfig/pkgconfig.py", line 103, in _raise_if_not_exists
    raise PackageNotFoundError(package)
pkgconfig.pkgconfig.PackageNotFoundError: libpng not found
************************************************************************

[vbraun]

Changed commit from d6c59f4 to none