
Re: security update for libpng1.6



Hi Tobias,

On Tue, Nov 25, 2025 at 09:15:21PM +0100, Tobias Frost wrote:
> Hi Salvatore,
> 
> attached is the libpng debdiff for trixie.
> The diff is also available on salsa: https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504

Thanks for attaching the debdiff.

> Salsa-CI is currently busy rebuilding all r-deps, I'll
> check the results tomorrow (there will be builds running into timeouts,
> I'll compile those locally as well.)
> 
> (I'll also start working on bookworm asap, but didn't want to delay
> sharing the trixie debdiff)

Ok, please come back to us as well once you have it. We should release
both updates at the same time for trixie-security and
bookworm-security.


> diff -Nru libpng1.6-1.6.48/debian/changelog libpng1.6-1.6.48/debian/changelog
> --- libpng1.6-1.6.48/debian/changelog	2025-05-05 21:11:18.000000000 +0200
> +++ libpng1.6-1.6.48/debian/changelog	2025-11-23 18:21:02.000000000 +0100
> @@ -1,3 +1,15 @@
> +libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=medium

This should be targeting trixie-security. The rest is ok, although
I prefer to make it explicitly urgency=high (but it is not
technically needed).

> +  * Security upload targeting trixie.
> +  * Backport fixes for:
> +    - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)

I think we should have applied here first the upstream commit
ea094764f343 ("Fix a memory leak in function `png_set_quantize`;
refactor"). This directly affects the code which we are fixing and
fixes a memory leak in png_set_quantize. It does not have a CVE
afaict, but it might be worth applying before the CVE-2025-64505 fix
as done in the upstream code, in particular because it is the same
Samsung-PENTEST reporter discovering the issues with CVEs assigned.

Would you concur on this?

> +    - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
> +    - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
> +    - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)    
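Review bot: the added line "- CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)" carries trailing whitespace at the end of the line; please strip it before upload so the changelog entry stays clean.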

Those look good to me.

> +  * Set gbp.conf for trixie and enable salsa CI

We usually do not do that, but there is clear benefit of running
additional test coverage, so ok!

Can you clarify on the above question surrounding CVE-2025-64505?
Or is it too intrusive to backport to the 1.6.48 version in trixie?

Additionally, were you able to test the update against the published verifiers
from the GHSAs?

Regards,
Salvatore

