Hi Moritz,

On Fri, Feb 13, 2026 at 06:57:05PM +0000, Moritz Mühlenhoff wrote:
> On Fri, Feb 13, 2026 at 05:58:46PM +0100, Tobias Frost wrote:
> > On Fri, Feb 13, 2026 at 04:23:13PM +0000, Moritz Mühlenhoff wrote:
> > > Hi Tobi,
> > > we should fix https://security-tracker.debian.org/tracker/CVE-2026-25646
> > > via a DSA,
> > > could you please prepare updated packages? Since the previous no-dsa
> > > updates for
> > > bookworm/trixie have been acked already, we can simply include them
> > > alongside.

I've prepared the updates; reverse deps have been built with the help of debusine, everything looks equally good as before :)

Attached is the debdiff 1.6_1.6.48-1+deb13u2 … deb13u3. Please let me know if that is what you need, or do you need the debdiff from 13u1 … 13u3?

Attaching the debdiff for bookworm as well.

(CC'ing debian-boot as well, as libpng is producing a udeb as well.)

Ready for upload, waiting for your go ;-)

--
tobi

diff -Nru libpng1.6-1.6.39/debian/changelog libpng1.6-1.6.39/debian/changelog --- libpng1.6-1.6.39/debian/changelog 2026-01-24 14:15:14.000000000 +0100 +++ libpng1.6-1.6.39/debian/changelog 2026-02-15 14:15:00.000000000 +0100 @@ -1,3 +1,10 @@ +libpng1.6 (1.6.39-2+deb12u3) bookworm-security; urgency=medium + + * Security upload targeting boowkorm. + * Backport fix for CVE-2026-25646 - Heap buffer overflow (Closes: #1127566) + + -- Tobias Frost <[email protected]> Sun, 15 Feb 2026 14:15:00 +0100 + libpng1.6 (1.6.39-2+deb12u2) bookworm; urgency=medium * Backporting fixes from 1.6.54 for oldstable: diff -Nru libpng1.6-1.6.39/debian/patches/CVE-2026-25646.patch libpng1.6-1.6.39/debian/patches/CVE-2026-25646.patch --- libpng1.6-1.6.39/debian/patches/CVE-2026-25646.patch 1970-01-01 01:00:00.000000000 +0100 +++ libpng1.6-1.6.39/debian/patches/CVE-2026-25646.patch 2026-02-15 14:15:00.000000000 +0100 
@@ -0,0 +1,58 @@ +Description: CVE-2026-25646 - Heap buffer overflow in `png_set_quantize` +Origin: https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 +Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127566 + +From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta <[email protected]> +Date: Fri, 6 Feb 2026 19:11:54 +0200 +Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize` + +The color distance hash table stored the current palette indices, but +the color-pruning loop assumed the original indices. When colors were +eliminated and indices changed, the stored indices became stale. This +caused the loop bound `max_d` to grow past the 769-element hash array. + +The fix consists in storing the original indices via `palette_to_index` +to match the pruning loop's expectations. + +Reported-by: Joshua Inscoe <[email protected]> +Co-authored-by: Joshua Inscoe <[email protected]> +Signed-off-by: Cosmin Truta <[email protected]> +--- + AUTHORS | 1 + + pngrtran.c | 6 +++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/AUTHORS ++++ b/AUTHORS +@@ -14,6 +14,7 @@ + * Guy Eric Schalnat + * James Yu + * John Bowler ++ * Joshua Inscoe + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1,7 +1,7 @@ + + /* pngrtran.c - transforms the data in a row for PNG readers + * +- * Copyright (c) 2018-2019 Cosmin Truta ++ * Copyright (c) 2018-2026 Cosmin Truta + * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson + * Copyright (c) 1996-1997 Andreas Dilger + * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. 
+@@ -642,8 +642,8 @@ + break; + + t->next = hash[d]; +- t->left = (png_byte)i; +- t->right = (png_byte)j; ++ t->left = png_ptr->palette_to_index[i]; ++ t->right = png_ptr->palette_to_index[j]; + hash[d] = t; + } + } diff -Nru libpng1.6-1.6.39/debian/patches/series libpng1.6-1.6.39/debian/patches/series --- libpng1.6-1.6.39/debian/patches/series 2026-01-24 14:15:14.000000000 +0100 +++ libpng1.6-1.6.39/debian/patches/series 2026-02-15 14:14:31.000000000 +0100 @@ -9,3 +9,4 @@ CVE-2025-66293-part2.patch CVE-2026-22801.patch CVE-2026-22695.patch +CVE-2026-25646.patch
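
Review bot: The new debian/changelog entry misspells the target suite in its first bullet, "Security upload targeting boowkorm."; it should read "bookworm". The distribution field on the version line (`bookworm-security`) is spelled correctly, so the upload target itself is unaffected, but the text ends up in the published changelog and is worth fixing before upload.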
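
Review bot: The DEP-3 header of the new debian/patches/CVE-2026-25646.patch gives `Origin:` as a bare URL, while the changelog calls this a backport; stating `Origin: backport, <url>` (or `upstream, <url>` if the commit applied unmodified to 1.6.39) would tell a later reader whether the pngrtran.c change at line 642 was adapted. Only the two `t->left` / `t->right` assignments are needed for the fix described in the commit message; the AUTHORS addition and the copyright-year bump are carried along from the upstream commit and could be dropped if the stable diff is meant to be minimal.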

