Hi,
The matching xenocara update is beeing sent to tech@
CVE-2025-64505 (CVSS 6.1, Moderate): Heap buffer over-read in
png_do_quantize via malformed palette index.
CVE-2025-64506 (CVSS 6.1, Moderate): Heap buffer over-read in
png_write_image_8bit with 8-bit input and convert_to_8bit enabled.
CVE-2025-64720 (CVSS 7.1, High): Out-of-bounds read in
png_image_read_composite via palette premultiplication with
PNG_FLAG_OPTIMIZE_ALPHA.
CVE-2025-65018 (CVSS 7.1, High): Heap buffer overflow in
png_combine_row triggered via png_image_finish_read when processing
16-bit interlaced PNGs with 8-bit output format.
All vulnerabilities require user interaction (processing a malicious
PNG file) and can result in information disclosure and/or denial of
service. CVE-2025-65018 may enable arbitrary code execution via heap
corruption in certain heap configurations.
ok, comments ?
Index: Makefile
===================================================================
RCS file: /local/cvs/ports/graphics/png/Makefile,v
diff -u -p -u -r1.143 Makefile
--- Makefile 17 Sep 2025 15:42:46 -0000 1.143
+++ Makefile 22 Nov 2025 09:46:52 -0000
@@ -4,7 +4,7 @@
COMMENT= library for manipulating PNG images
-VERSION= 1.6.50
+VERSION= 1.6.51
DISTNAME= libpng-${VERSION}
PKGNAME= png-${VERSION}
CATEGORIES= graphics
Index: distinfo
===================================================================
RCS file: /local/cvs/ports/graphics/png/distinfo,v
diff -u -p -u -r1.72 distinfo
--- distinfo 11 Sep 2025 10:39:56 -0000 1.72
+++ distinfo 22 Nov 2025 09:46:52 -0000
@@ -1,2 +1,2 @@
-SHA256 (libpng-1.6.50.tar.xz) = TfOWUYYgp6o2UUQ+h9Gyhi5OiMrRNai5NCPgFwYjIwc=
-SIZE (libpng-1.6.50.tar.xz) = 1060992
+SHA256 (libpng-1.6.51.tar.xz) = oFCoktO0p7sBDDqVxzAeSWVtcqZPH8cJqQuK3tGSvtI=
+SIZE (libpng-1.6.51.tar.xz) = 1060772
--
Matthieu Herrb
