On Tue, Feb 17, 2026 at 07:12:01AM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Feb 16, 2026 at 07:04:20PM +0100, Tobias Frost wrote:
> > Hi Moritz,
> > 
> > On Fri, Feb 13, 2026 at 06:57:05PM +0000, Moritz Mühlenhoff wrote:
> > > On Fri, Feb 13, 2026 at 05:58:46PM +0100, Tobias Frost wrote:
> > > > On Fri, Feb 13, 2026 at 04:23:13PM +0000, Moritz Mühlenhoff wrote:
> > > > > Hi Tobi,
> > > > > we should fix 
> > > > > https://security-tracker.debian.org/tracker/CVE-2026-25646 via a DSA,
> > > > > could you please prepare updated packages? Since the previous no-dsa 
> > > > > updates for
> > > > > bookworm/trixie have been acked already, we can simply include them 
> > > > > alongside.
> > 
> > I've prepared the updates; reverse deps have been built with the help of
> > debusine, everything looks equally good as before :)
> > 
> > attached is the debdiff 1.6_1.6.48-1+deb13u2 … deb13u3.
> > please let me know if that is what you need, or do you need the debdiff
> > from 13u1 … 13u3?
> > 
> > attaching the debdiff for bookworm as well.
> > 
> > (CC'ing debian-boot as well, as libpng is producing a udeb as well.)
> > 
> > Ready for upload, waiting for your go ;-)
> 
> FWIW, the debdiff attached aimed to be the one for trixie-security is
> for bookworm-security? 

It seems that I have overwritten the trixie one with the bookworm
when generating it, attaching the correct ones now… Sorry for not
spotting that when crafting the email.

the diff between trixie-debdiff and bookworm-debdiff is just
metadata change, that is d/changelog and patch metadata + a different
copyright year, so I assume the OK to proceed is still good; I'll
proceed with upload noonish, shout if I shouldn't.

-- 
tobi

> Regards,
> Salvatore
diff -Nru libpng1.6-1.6.48/debian/changelog libpng1.6-1.6.48/debian/changelog
--- libpng1.6-1.6.48/debian/changelog   2026-01-24 09:32:42.000000000 +0100
+++ libpng1.6-1.6.48/debian/changelog   2026-02-16 18:43:52.000000000 +0100
@@ -1,3 +1,10 @@
+libpng1.6 (1.6.48-1+deb13u3) trixie-security; urgency=high
+
+  * Security upload targeting trixie.
+    - CVE-2026-25646 - Heap buffer overflow (Closes: #1127566)
+
+ -- Tobias Frost <[email protected]>  Mon, 16 Feb 2026 18:43:52 +0100
+
 libpng1.6 (1.6.48-1+deb13u2) trixie; urgency=medium
 
   * Backporting fixes from 1.6.54 for stable:
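
Review bot: The new 1.6.48-1+deb13u3 entry describes CVE-2026-25646 only as "Heap buffer overflow"; naming the affected function (`png_set_quantize`) and the added file (debian/patches/CVE-2026-25646.patch) would let a changelog reader match the entry to the patch without opening it. The entry directly below, 1.6.48-1+deb13u2, targets trixie while this one targets trixie-security, so it is worth confirming that the deb13u2 backports are meant to ship through the security archive together with this upload.
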
diff -Nru libpng1.6-1.6.48/debian/patches/CVE-2026-25646.patch 
libpng1.6-1.6.48/debian/patches/CVE-2026-25646.patch
--- libpng1.6-1.6.48/debian/patches/CVE-2026-25646.patch        1970-01-01 
01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/CVE-2026-25646.patch        2026-02-16 
18:43:44.000000000 +0100
@@ -0,0 +1,57 @@
+Description: CVE-2026-25646 - Heap buffer overflow in `png_set_quantize` 
+Origin: 
https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127566
+
+From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <[email protected]>
+Date: Fri, 6 Feb 2026 19:11:54 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
+
+The color distance hash table stored the current palette indices, but
+the color-pruning loop assumed the original indices. When colors were
+eliminated and indices changed, the stored indices became stale. This
+caused the loop bound `max_d` to grow past the 769-element hash array.
+
+The fix consists in storing the original indices via `palette_to_index`
+to match the pruning loop's expectations.
+
+Reported-by: Joshua Inscoe <[email protected]>
+Co-authored-by: Joshua Inscoe <[email protected]>
+Signed-off-by: Cosmin Truta <[email protected]>
+---
+ AUTHORS    | 1 +
+ pngrtran.c | 6 +++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -16,6 +16,7 @@
+  * Guy Eric Schalnat
+  * James Yu
+  * John Bowler
++ * Joshua Inscoe
+  * Kevin Bracey
+  * Lucas Chollet
+  * Magnus Holmgren
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1,6 +1,6 @@
+ /* pngrtran.c - transforms the data in a row for PNG readers
+  *
+- * Copyright (c) 2018-2025 Cosmin Truta
++ * Copyright (c) 2018-2026 Cosmin Truta
+  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
+  * Copyright (c) 1996-1997 Andreas Dilger
+  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
+@@ -695,8 +695,8 @@
+                          break;
+ 
+                      t->next = hash[d];
+-                     t->left = (png_byte)i;
+-                     t->right = (png_byte)j;
++                     t->left = png_ptr->palette_to_index[i];
++                     t->right = png_ptr->palette_to_index[j];
+                      hash[d] = t;
+                   }
+                }
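
Review bot: In the pngrtran.c hunk at line 695, `t->left` and `t->right` now read `png_ptr->palette_to_index[i]` and `png_ptr->palette_to_index[j]`, so the fix is only correct if `palette_to_index` is allocated and filled for every `i` and `j` this loop visits. That setup is outside the visible context, so please confirm it against the 1.6.48 tree this commit is backported onto. The patch header would also read more clearly with the Origin field and its commit URL kept on a single line, and note that the AUTHORS and copyright-year changes are carried along although the overflow fix itself is the two assignments.
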
diff -Nru libpng1.6-1.6.48/debian/patches/series 
libpng1.6-1.6.48/debian/patches/series
--- libpng1.6-1.6.48/debian/patches/series      2026-01-24 09:32:42.000000000 
+0100
+++ libpng1.6-1.6.48/debian/patches/series      2026-02-16 18:43:44.000000000 
+0100
@@ -9,3 +9,4 @@
 CVE-2025-66293-part2.patch
 CVE-2026-22801.patch
 CVE-2026-22695.patch
+CVE-2026-25646.patch
