* [ptxdist] [PATCH] libpng: Version bump. 1.6.50 -> 1.6.51
@ 2025-11-24 18:15 Christian Melki
0 siblings, 0 replies; only message in thread
From: Christian Melki @ 2025-11-24 18:15 UTC (permalink / raw)
To: ptxdist
Security fixes.
https://sourceforge.net/p/libpng/code/ci/libpng16/tree/CHANGES
Plugs CVEs:
CVE-2025-64505: Heap buffer overflow in `png_do_quantize` via malformed palette index.
CVE-2025-64506: Heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled.
CVE-2025-64720: Buffer overflow in `png_image_read_composite` via incorrect palette premultiplication.
CVE-2025-65018: Heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`.
Pretty bad, suggest update.
Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
rules/libpng.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/libpng.make b/rules/libpng.make
index 5b0fa8977..8ed76aa67 100644
--- a/rules/libpng.make
+++ b/rules/libpng.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBPNG) += libpng
#
# Paths and names
#
-LIBPNG_VERSION := 1.6.50
-LIBPNG_MD5 := e583e61455c4f40d565d85c0e9a2fbf9
+LIBPNG_VERSION := 1.6.51
+LIBPNG_MD5 := 8781d5eb8285ac70100b75a1d2a5fc5e
LIBPNG := libpng-$(LIBPNG_VERSION)
LIBPNG_SUFFIX := tar.xz
LIBPNG_URL := $(call ptx/mirror, SF, libpng/$(LIBPNG).$(LIBPNG_SUFFIX))
--
2.43.0
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2025-11-24 18:15 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-24 18:15 [ptxdist] [PATCH] libpng: Version bump. 1.6.50 -> 1.6.51 Christian Melki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox