why opencv-python use libpng15 but opencv use 1.6.37

[wqh17101]

Expected behaviour

use the latest libpng 1.6.37

Actual behaviour

libpng15 in use

opencv use 1.6.37

Steps to reproduce

• example code
• operating system
• linux x86
• opencv-python version 4.5.2.54

Issue submission checklist

• This is not a generic OpenCV usage question (looking for help for coding, other usage questions, homework etc.)
• I have read the README of this repository and understand that this repository provides only an automated build toolchain for OpenCV Python packages (there is no actual OpenCV code here)
• The issue is related to the build scripts in this repository, to the pre-built binaries or is a feature request (such as "please enable this additional dependency")
• I'm using the latest version of opencv-python

[wqh17101]

For libpng15 has too many vulns problems

[asmorkalov]

Core OpenCV team has already patched libpng in eabbe380016b1f777edc9a0315c902e1a5da381d. The fix should be available with 4.5.3 release.

[asmorkalov]

Released.

[kevinmehall]

This has not changed in 4.5.3:

unzip -l opencv_python_headless-4.5.3.56-cp36-cp36m-manylinux2014_x86_64.whl 'opencv_python_headless.libs/*'
Archive:  opencv_python_headless-4.5.3.56-cp36-cp36m-manylinux2014_x86_64.whl
  Length      Date    Time    Name
---------  ---------- -----   ----
   752584  2021-07-09 12:13   opencv_python_headless.libs/libssl-f3db6a3b.so.1.1
   566472  2021-07-09 12:13   opencv_python_headless.libs/libswscale-2d2bce5d.so.5.8.100
    70992  2021-07-09 12:13   opencv_python_headless.libs/libbz2-a273e504.so.1.0.6
  2605312  2021-07-09 12:13   opencv_python_headless.libs/libavformat-06a336f2.so.58.61.100
 13876032  2021-07-09 12:13   opencv_python_headless.libs/libavcodec-8daa01ff.so.58.109.100
  3397560  2021-07-09 12:13   opencv_python_headless.libs/libvpx-14094576.so.6.3.0
   128096  2021-07-09 12:13   opencv_python_headless.libs/libswresample-4767dc06.so.3.8.100
   193544  2021-07-09 12:13   opencv_python_headless.libs/libpng15-c2ffaf3d.so.15.13.0
   712752  2021-07-09 12:13   opencv_python_headless.libs/libavutil-01d48d95.so.56.60.100
    96272  2021-07-09 12:13   opencv_python_headless.libs/libz-d8a329de.so.1.2.7
  3565928  2021-07-09 12:13   opencv_python_headless.libs/libcrypto-098682aa.so.1.1
---------                     -------
 25965544                     11 files

Many of the other libraries bundled here are quite outdated as well. I suspect these are coming from the manylinux2014 docker image via auditwheel, rather than the vendored source code in the opencv repo.

However, as manylinux2014 is derived from centos 7, these binaries hopefully include backported fixes for many of the vulnerabilities that scanners are reporting based on the version number.

[skvark]

The manylinux2014 images should be updated, they are 10 months old: https://quay.io/repository/skvark/manylinux2014_x86_64?tab=tags.

They are custom images built by me before this repository was transferred to the OpenCV organization. The Dockerfiles are here: https://github.com/opencv/opencv-python/tree/master/docker

It takes quite a lot of time to build them (especially the aarch64 ones), so you'll need a very powerful CI system or they need to be built locally as I did when I was still maintaining this project.

[asmorkalov]

The docker images was updated for 4.5.4 release: #556