Your message dated Sat, 03 Jan 2026 13:03:15 +0000
with message-id <[email protected]>
and subject line Bug#1121216: fixed in libpng1.6 1.6.39-2+deb12u1
has caused the Debian Bug report #1121216,
regarding libpng1.6: CVE-2025-65018 - Heap buffer overflow in png_combine_row
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121216: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121216
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.50-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/pnggroup/libpng/issues/755
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libpng1.6.
CVE-2025-65018[0]:
| Heap buffer overflow in `png_combine_row` triggered via
| `png_image_finish_read`
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-65018
https://www.cve.org/CVERecord?id=CVE-2025-65018
[1] https://github.com/pnggroup/libpng/issues/755
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
[3] https://www.openwall.com/lists/oss-security/2025/11/22/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.39-2+deb12u1
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Dec 2025 11:15:39 +0100
Source: libpng1.6
Architecture: source
Version: 1.6.39-2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1121216 1121217 1121218 1121219 1121877
Changes:
libpng1.6 (1.6.39-2+deb12u1) bookworm-security; urgency=high
.
* Security upload targeting bookworm.
* Backport fixes for:
- CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
- CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
- CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
- CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
- CVE-2025-66293 - Out-of-bounds read (Closes: #1121877)
* Set gbp.conf for bookworm and enable salsa CI
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---