Hi, alright, updates are ready for all suites. Please let me know how to
proceed.

The diffs are available on salsa:

trixie: https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504
bookworm: https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.39-2...debian%2Fbookworm?from_project_id=26504

The debdiffs are attached.

trixie -> libpng1.6-1.6.48-1+deb13u1.debdiff
bookworm -> libpng1.6-1.6.39-2+deb12u1.debdiff

R-deps autopkg tests have been checked with the utilization of debusine:
(Baseline is an unchanged upload beside d/changelog tweaked so debusine is
using the right workflow; update is the provided updated package)

Trixie-Update: https://debusine.debian.net/debian/developers/work-request/247601/
Trixie-Baseline: https://debusine.debian.net/debian/developers/work-request/248160/
Bookworm-Update: https://debusine.debian.net/debian/developers/work-request/243116/
Bookworm-Baseline: https://debusine.debian.net/debian/developers/work-request/246248/

All failures in the updates are also present in the baseline.

Local testing in VMs looks good too.

Also attached is a draft DSA.

cheers,
--
tobi


Hi Salvatore,

attached is the libpng debdiff for trixie. The diff is also available on
salsa:
https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504

Salsa-CI is currently busy rebuilding all r-deps; I'll check the results
tomorrow (there will be builds running into timeouts; I'll compile those
locally as well.)

(I'll also start working on bookworm asap, but didn't want to delay
sharing the trixie debdiff.)

--
Cheers,
tobi

On Sun, Nov 23, 2025 at 05:05:13PM +0100, Salvatore Bonaccorso wrote:
> Hi Tobi,
>
> On Sun, Nov 23, 2025 at 04:21:21PM +0100, Tobias Frost wrote:
> > Hi Security Team,
> >
> > I'm currently working on the libpng1.6 update for unstable and I offer
> > to tackle stable, oldstable as well.
> >
> > Let me know if that is OK with you.
>
> I started looking at those when filling the bugreports in BTS, but I
> have added now a note that you are working on updates across the
> releases.
>
> Please come back with debdiffs once you have things ready.
>
> Regards,
> Salvatore
diff -Nru libpng1.6-1.6.48/debian/changelog libpng1.6-1.6.48/debian/changelog
--- libpng1.6-1.6.48/debian/changelog 2025-05-05 21:11:18.000000000 +0200
+++ libpng1.6-1.6.48/debian/changelog 2025-11-23 18:21:02.000000000 +0100
@@ -1,3 +1,15 @@
+libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=medium
+
+ * Security upload targeting trixie.
+ * Backport fixes for:
+ - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
+ - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
+ - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
+ - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
+ * Set gbp.conf for trixie and enable salsa CI
+
+ -- Tobias Frost <tobi@debian.org> Sun, 23 Nov 2025 18:21:02 +0100
+
libpng1.6 (1.6.48-1) unstable; urgency=medium
* New upstream version 1.6.48
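Review bot: the new trixie entry at the top of this hunk uses `urgency=medium`, while the bookworm entry for the same four CVEs (further down in the bookworm debdiff) uses `urgency=high`; security uploads conventionally go out with `urgency=high`, so consider aligning the trixie entry, e.g. `libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=high`.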
diff -Nru libpng1.6-1.6.48/debian/gbp.conf libpng1.6-1.6.48/debian/gbp.conf
--- libpng1.6-1.6.48/debian/gbp.conf 2024-12-10 22:43:32.000000000 +0100
+++ libpng1.6-1.6.48/debian/gbp.conf 2025-11-23 18:21:02.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
upstream-branch=upstream
-debian-branch=master
+debian-branch=debian/trixie
pristine-tar = True
sign-tags = True
diff -Nru libpng1.6-1.6.48/debian/patches/CVE-2025-64505.patch libpng1.6-1.6.48/debian/patches/CVE-2025-64505.patch
--- libpng1.6-1.6.48/debian/patches/CVE-2025-64505.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/CVE-2025-64505.patch 2025-11-23 18:21:02.000000000 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2025-64505 - Heap buffer over-read in `png_do_quantize`
+Origin: https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121219
+
+From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 8 Nov 2025 23:58:26 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`
+
+Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
+instead of num_palette bytes. This approach matches the allocation
+pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
+were similarly oversized in libpng 1.2.1 to prevent buffer overflows
+from malformed PNG files with out-of-range palette indices.
+
+Out-of-range palette indices `index >= num_palette` will now read
+identity-mapped values from the `quantize_index` array (where index N
+maps to palette entry N). This prevents undefined behavior while
+avoiding runtime bounds checking overhead in the performance-critical
+pixel processing loop.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+---
+ pngrtran.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -496,8 +496,8 @@
+ int i;
+
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)num_palette);
+- for (i = 0; i < num_palette; i++)
++ PNG_MAX_PALETTE_LENGTH);
++ for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
+ png_ptr->quantize_index[i] = (png_byte)i;
+ }
+
diff -Nru libpng1.6-1.6.48/debian/patches/CVE-2025-64506.patch libpng1.6-1.6.48/debian/patches/CVE-2025-64506.patch
--- libpng1.6-1.6.48/debian/patches/CVE-2025-64506.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/CVE-2025-64506.patch 2025-11-23 18:21:02.000000000 +0100
@@ -0,0 +1,58 @@
+Description: CVE-2025-64506 - Heap buffer over-read in png_write_image_8bit
+Origin: https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121218
+
+From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 7 Nov 2025 22:40:05 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
+
+The condition guarding the pre-transform path incorrectly allowed 8-bit
+input data to enter `png_write_image_8bit` which expects 16-bit input.
+This caused out-of-bounds reads when processing 8-bit grayscale+alpha
+images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
+with the `convert_to_8bit` flag set (an invalid combination that should
+bypass the pre-transform path).
+
+The second part of the condition, i.e.
+
+ colormap == 0 && convert_to_8bit != 0
+
+failed to verify that input was 16-bit, i.e.
+
+ linear != 0
+
+contradicting the comment "This only applies when the input is 16-bit".
+
+The fix consists in restructuring the condition to ensure both the
+`alpha` path and the `convert_to_8bit` path require linear (16-bit)
+input. The corrected condition, i.e.
+
+ linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
+
+matches the expectation of the `png_write_image_8bit` function and
+prevents treating 8-bit buffers as 16-bit data.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+---
+ pngwrite.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/pngwrite.c b/pngwrite.c
+index 35a5d17b60..83148960ef 100644
+--- a/pngwrite.c
++++ b/pngwrite.c
+@@ -2173,8 +2173,7 @@ png_image_write_main(png_voidp argument)
+ * before it is written. This only applies when the input is 16-bit and
+ * either there is an alpha channel or it is converted to 8-bit.
+ */
+- if ((linear != 0 && alpha != 0 ) ||
+- (colormap == 0 && display->convert_to_8bit != 0))
++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
+ {
+ png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
+ png_get_rowbytes(png_ptr, info_ptr)));
diff -Nru libpng1.6-1.6.48/debian/patches/CVE-2025-64720.patch libpng1.6-1.6.48/debian/patches/CVE-2025-64720.patch
--- libpng1.6-1.6.48/debian/patches/CVE-2025-64720.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/CVE-2025-64720.patch 2025-11-23 18:21:02.000000000 +0100
@@ -0,0 +1,104 @@
+Description: CVE-2025-64720 - Buffer overflow in `png_image_read_composite`
+Origin: https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121217
+
+From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 12 Nov 2025 13:46:23 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
+
+The palette compositing code in `png_init_read_transformations` was
+incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
+was set. This violated the premultiplied alpha invariant
+`component <= alpha` expected by `png_image_read_composite`, causing
+values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
+tables.
+
+When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
+premultiplied RGB values without background compositing. The background
+compositing must happen later in `png_image_read_composite` where the
+actual background color from the PNG file is available.
+
+The fix consists in introducing conditional behavior based on
+PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
+premultiplication using the formula `component * alpha + 127) / 255`
+with proper gamma correction. When not set, the original background
+compositing calculation based on the `png_composite` macro is preserved.
+
+This prevents buffer overflows in `png_image_read_composite` where
+out-of-range premultiplied values would cause out-of-bounds array access
+in `png_sRGB_base[]` and `png_sRGB_delta[]`.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: John Bowler <jbowler@acm.org>
+---
+ pngrtran.c | 58 ++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 45 insertions(+), 13 deletions(-)
+
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1768,19 +1768,51 @@
+ }
+ else /* if (png_ptr->trans_alpha[i] != 0xff) */
+ {
+- png_byte v, w;
++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
++ {
++ /* Premultiply only:
++ * component = round((component * alpha) / 255)
++ */
++ png_uint_32 component;
+
+- v = png_ptr->gamma_to_1[palette[i].red];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
+- palette[i].red = png_ptr->gamma_from_1[w];
+-
+- v = png_ptr->gamma_to_1[palette[i].green];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
+- palette[i].green = png_ptr->gamma_from_1[w];
+-
+- v = png_ptr->gamma_to_1[palette[i].blue];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
+- palette[i].blue = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].red];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].red = png_ptr->gamma_from_1[component];
++
++ component = png_ptr->gamma_to_1[palette[i].green];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].green = png_ptr->gamma_from_1[component];
++
++ component = png_ptr->gamma_to_1[palette[i].blue];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].blue = png_ptr->gamma_from_1[component];
++ }
++ else
++ {
++ /* Composite with background color:
++ * component =
++ * alpha * component + (1 - alpha) * background
++ */
++ png_byte v, w;
++
++ v = png_ptr->gamma_to_1[palette[i].red];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.red);
++ palette[i].red = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].green];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.green);
++ palette[i].green = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].blue];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.blue);
++ palette[i].blue = png_ptr->gamma_from_1[w];
++ }
+ }
+ }
+ else
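Review bot: the upstream commit message carried in this hunk describes the premultiplication as `component * alpha + 127) / 255` (unbalanced parenthesis, rounding constant 127), whereas the code it introduces uses `(component * png_ptr->trans_alpha[i] + 128) / 255`. The message is upstream's and need not be edited in the backport, but the Debian `Description:` line could state the rounding actually implemented so that anyone auditing the palette values is not misled by the +127.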
diff -Nru libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part1.patch libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part1.patch
--- libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part1.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part1.patch 2025-11-23 18:21:02.000000000 +0100
@@ -0,0 +1,60 @@
+Description: CVE-2025-65018 - part 1 - Heap buffer overflow
+ in `png_combine_row` triggered via `png_image_finish_read`
+Origin: https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121216
+
+From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Mon, 17 Nov 2025 20:38:47 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reject bit-depth mismatches between IHDR and the requested output
+format. When a 16-bit PNG is processed with an 8-bit output format
+request, `png_combine_row` writes using the IHDR depth before
+transformation, causing writes beyond the buffer allocated via
+`PNG_IMAGE_SIZE(image)`.
+
+The validation establishes a safe API contract where
+`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
+transformation pipeline.
+
+Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
+- Input format: 16 bits/channel × 3 channels = 6144 bytes
+- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
+- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
+
+Larger images produce proportionally larger overflows. For example,
+for 256×256 pixels, the overflow is 131072 bytes.
+
+Reported-by: yosiimich <yosiimich@users.noreply.github.com>
+---
+ pngread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/pngread.c
++++ b/pngread.c
+@@ -4034,6 +4034,20 @@
+ int result;
+ png_image_read_control display;
+
++ /* Reject bit depth mismatches to avoid buffer overflows. */
++ png_uint_32 ihdr_bit_depth =
++ image->opaque->png_ptr->bit_depth;
++ int requested_linear =
++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
++ if (ihdr_bit_depth == 16 && !requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "16-bit PNG must use 16-bit output format");
++ if (ihdr_bit_depth < 16 && requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "8-bit PNG must not use 16-bit output format");
++
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
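Review bot: the bit-depth check this patch adds to `png_image_finish_read` is removed verbatim again by `CVE-2025-65018-part2.patch` (its last hunk deletes exactly these lines), so the series has no net effect from part 1. Carrying both mirrors upstream history, but for a stable update it would be easier to audit either to fold the two into one patch or to say in this patch's `Description:` that part 2 supersedes it and why the interim check was too restrictive.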
diff -Nru libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part2.patch libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part2.patch
--- libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part2.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/CVE-2025-65018-part2.patch 2025-11-23 18:21:02.000000000 +0100
@@ -0,0 +1,163 @@
+Description: CVE-2025-65018 - part 2 - Heap buffer overflow
+ in `png_combine_row` triggered via `png_image_finish_read`
+Origin: https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121216
+
+From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 19 Nov 2025 21:45:13 +0200
+Subject: [PATCH] Rearchitect the fix to the buffer overflow in
+ `png_image_finish_read`
+
+Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
+That fix turned out to be unnecessarily limiting. It rejected all
+16-to-8 bit transformations, although the vulnerability only affects
+interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
+before the transformation completes.
+
+The proper solution is to add an intermediate `local_row` buffer,
+specifically for the slow but necessary step of 16-to-8 bit conversion
+of interlaced images. (The processing of non-interlaced images remains
+intact, using the fast path.) We added the flag `do_local_scale` and
+the function `png_image_read_direct_scaled`, following the pattern that
+involves `do_local_compose`.
+
+In conclusion:
+- The 16-to-8 bit transformations of interlaced images are now safe,
+ as they use an intermediate buffer.
+- The 16-to-8 bit transformations of non-interlaced images remain safe,
+ as the fast path remains unchanged.
+- All our regression tests are now passing.
+---
+ pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 75 insertions(+), 14 deletions(-)
+
+--- a/pngread.c
++++ b/pngread.c
+@@ -3123,6 +3123,54 @@
+ }
+ }
+
++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
++static int
++png_image_read_direct_scaled(png_voidp argument)
++{
++ png_image_read_control *display = png_voidcast(png_image_read_control*,
++ argument);
++ png_imagep image = display->image;
++ png_structrp png_ptr = image->opaque->png_ptr;
++ png_bytep local_row = png_voidcast(png_bytep, display->local_row);
++ png_bytep first_row = png_voidcast(png_bytep, display->first_row);
++ ptrdiff_t row_bytes = display->row_bytes;
++ int passes;
++
++ /* Handle interlacing. */
++ switch (png_ptr->interlaced)
++ {
++ case PNG_INTERLACE_NONE:
++ passes = 1;
++ break;
++
++ case PNG_INTERLACE_ADAM7:
++ passes = PNG_INTERLACE_ADAM7_PASSES;
++ break;
++
++ default:
++ png_error(png_ptr, "unknown interlace type");
++ }
++
++ /* Read each pass using local_row as intermediate buffer. */
++ while (--passes >= 0)
++ {
++ png_uint_32 y = image->height;
++ png_bytep output_row = first_row;
++
++ for (; y > 0; --y)
++ {
++ /* Read into local_row (gets transformed 8-bit data). */
++ png_read_row(png_ptr, local_row, NULL);
++
++ /* Copy from local_row to user buffer. */
++ memcpy(output_row, local_row, (size_t)row_bytes);
++ output_row += row_bytes;
++ }
++ }
++
++ return 1;
++}
++
+ /* Just the row reading part of png_image_read. */
+ static int
+ png_image_read_composite(png_voidp argument)
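Review bot: in `png_image_read_direct_scaled`, `memcpy(output_row, local_row, (size_t)row_bytes)` uses `display->row_bytes` as the copy length, but that value is the caller's row stride (declared `ptrdiff_t` here and used as the step for `output_row += row_bytes`), while `local_row` is allocated in the later hunk with `png_get_rowbytes(png_ptr, info_ptr)` bytes. If the stride is larger than the row width (padded rows) the copy reads past `local_row`; if it is negative (bottom-up layout, which is why the type is signed) the cast turns it into a huge size. The copy length should be the row's byte count, with `row_bytes` used only to advance `output_row`; worth confirming with upstream before shipping the backport.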
+@@ -3541,6 +3589,7 @@
+ int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
+ int do_local_compose = 0;
+ int do_local_background = 0; /* to avoid double gamma correction bug */
++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
+ int passes = 0;
+
+ /* Add transforms to ensure the correct output format is produced then check
+@@ -3674,8 +3723,16 @@
+ png_set_expand_16(png_ptr);
+
+ else /* 8-bit output */
++ {
+ png_set_scale_16(png_ptr);
+
++ /* For interlaced images, use local_row buffer to avoid overflow
++ * in png_combine_row() which writes using IHDR bit-depth.
++ */
++ if (png_ptr->interlaced != 0)
++ do_local_scale = 1;
++ }
++
+ change &= ~PNG_FORMAT_FLAG_LINEAR;
+ }
+
+@@ -3951,6 +4008,24 @@
+ return result;
+ }
+
++ else if (do_local_scale != 0)
++ {
++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer
++ * to avoid buffer overflows in png_combine_row. The local_row is sized
++ * for the transformed (8-bit) output, preventing the overflow that would
++ * occur if png_combine_row wrote 16-bit data directly to the user buffer.
++ */
++ int result;
++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
++
++ display->local_row = row;
++ result = png_safe_execute(image, png_image_read_direct_scaled, display);
++ display->local_row = NULL;
++ png_free(png_ptr, row);
++
++ return result;
++ }
++
+ else
+ {
+ png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
+@@ -4034,20 +4109,6 @@
+ int result;
+ png_image_read_control display;
+
+- /* Reject bit depth mismatches to avoid buffer overflows. */
+- png_uint_32 ihdr_bit_depth =
+- image->opaque->png_ptr->bit_depth;
+- int requested_linear =
+- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
+- if (ihdr_bit_depth == 16 && !requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "16-bit PNG must use 16-bit output format");
+- if (ihdr_bit_depth < 16 && requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "8-bit PNG must not use 16-bit output format");
+-
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
diff -Nru libpng1.6-1.6.48/debian/patches/series libpng1.6-1.6.48/debian/patches/series
--- libpng1.6-1.6.48/debian/patches/series 2024-12-10 22:43:32.000000000 +0100
+++ libpng1.6-1.6.48/debian/patches/series 2025-11-23 18:21:02.000000000 +0100
@@ -1,2 +1,7 @@
libpng-config.patch
#libpng-1.6.39-apng.patch
+CVE-2025-64505.patch
+CVE-2025-64506.patch
+CVE-2025-64720.patch
+CVE-2025-65018-part1.patch
+CVE-2025-65018-part2.patch
diff -Nru libpng1.6-1.6.48/debian/salsa-ci.yml libpng1.6-1.6.48/debian/salsa-ci.yml
--- libpng1.6-1.6.48/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.48/debian/salsa-ci.yml 2025-11-23 18:21:02.000000000 +0100
@@ -0,0 +1,6 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'trixie'
diff -Nru libpng1.6-1.6.39/debian/changelog libpng1.6-1.6.39/debian/changelog
--- libpng1.6-1.6.39/debian/changelog 2022-11-27 20:59:26.000000000 +0100
+++ libpng1.6-1.6.39/debian/changelog 2025-11-27 22:31:03.000000000 +0100
@@ -1,3 +1,15 @@
+libpng1.6 (1.6.39-2+deb12u1) bookworm; urgency=high
+
+ * Security upload targeting boowkorm.
+ * Backport fixes for:
+ - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
+ - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
+ - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
+ - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
+ * Set gbp.conf for bookworm and enable salsa CI
+
+ -- Tobias Frost <tobi@debian.org> Thu, 27 Nov 2025 22:31:03 +0100
+
libpng1.6 (1.6.39-2) unstable; urgency=medium
[ Helmut Grohne ]
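Review bot: typo in the new changelog entry: `* Security upload targeting boowkorm.` should read `bookworm`.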
diff -Nru libpng1.6-1.6.39/debian/gbp.conf libpng1.6-1.6.39/debian/gbp.conf
--- libpng1.6-1.6.39/debian/gbp.conf 2019-01-15 09:59:23.000000000 +0100
+++ libpng1.6-1.6.39/debian/gbp.conf 2025-11-27 22:31:03.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
upstream-branch=upstream
-debian-branch=master
+debian-branch=debian/bookworm
pristine-tar = True
sign-tags = True
diff -Nru libpng1.6-1.6.39/debian/patches/CVE-2025-64505.patch libpng1.6-1.6.39/debian/patches/CVE-2025-64505.patch
--- libpng1.6-1.6.39/debian/patches/CVE-2025-64505.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/CVE-2025-64505.patch 2025-11-27 22:31:03.000000000 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2025-64505 - Heap buffer over-read in `png_do_quantize`
+Origin: https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121219
+
+From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 8 Nov 2025 23:58:26 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`
+
+Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
+instead of num_palette bytes. This approach matches the allocation
+pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
+were similarly oversized in libpng 1.2.1 to prevent buffer overflows
+from malformed PNG files with out-of-range palette indices.
+
+Out-of-range palette indices `index >= num_palette` will now read
+identity-mapped values from the `quantize_index` array (where index N
+maps to palette entry N). This prevents undefined behavior while
+avoiding runtime bounds checking overhead in the performance-critical
+pixel processing loop.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+---
+ pngrtran.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -441,8 +441,8 @@
+ int i;
+
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
+- for (i = 0; i < num_palette; i++)
++ (png_alloc_size_t)((png_uint_32)PNG_MAX_PALETTE_LENGTH * (sizeof (png_byte))));
++ for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
+ png_ptr->quantize_index[i] = (png_byte)i;
+ }
+
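Review bot: this hunk is adapted to the 1.6.39 source rather than applied verbatim (different line offsets, and the allocation keeps the `(png_alloc_size_t)((png_uint_32)PNG_MAX_PALETTE_LENGTH * (sizeof (png_byte)))` expression that the 1.6.48 version does not have), so per DEP-3 the header should read `Origin: backport, https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37` instead of `Origin: <url>` alone; the same applies to the other bookworm patches whose hunks were rebased onto 1.6.39.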
diff -Nru libpng1.6-1.6.39/debian/patches/CVE-2025-64506.patch libpng1.6-1.6.39/debian/patches/CVE-2025-64506.patch
--- libpng1.6-1.6.39/debian/patches/CVE-2025-64506.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/CVE-2025-64506.patch 2025-11-27 22:31:03.000000000 +0100
@@ -0,0 +1,56 @@
+Description: CVE-2025-64506 - Heap buffer over-read in png_write_image_8bit
+Origin: https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121218
+
+From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 7 Nov 2025 22:40:05 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
+
+The condition guarding the pre-transform path incorrectly allowed 8-bit
+input data to enter `png_write_image_8bit` which expects 16-bit input.
+This caused out-of-bounds reads when processing 8-bit grayscale+alpha
+images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
+with the `convert_to_8bit` flag set (an invalid combination that should
+bypass the pre-transform path).
+
+The second part of the condition, i.e.
+
+ colormap == 0 && convert_to_8bit != 0
+
+failed to verify that input was 16-bit, i.e.
+
+ linear != 0
+
+contradicting the comment "This only applies when the input is 16-bit".
+
+The fix consists in restructuring the condition to ensure both the
+`alpha` path and the `convert_to_8bit` path require linear (16-bit)
+input. The corrected condition, i.e.
+
+ linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
+
+matches the expectation of the `png_write_image_8bit` function and
+prevents treating 8-bit buffers as 16-bit data.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+---
+ pngwrite.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/pngwrite.c
++++ b/pngwrite.c
+@@ -2129,8 +2129,7 @@
+ * before it is written. This only applies when the input is 16-bit and
+ * either there is an alpha channel or it is converted to 8-bit.
+ */
+- if ((linear != 0 && alpha != 0 ) ||
+- (colormap == 0 && display->convert_to_8bit != 0))
++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
+ {
+ png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
+ png_get_rowbytes(png_ptr, info_ptr)));
diff -Nru libpng1.6-1.6.39/debian/patches/CVE-2025-64720.patch libpng1.6-1.6.39/debian/patches/CVE-2025-64720.patch
--- libpng1.6-1.6.39/debian/patches/CVE-2025-64720.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/CVE-2025-64720.patch 2025-11-27 22:31:03.000000000 +0100
@@ -0,0 +1,104 @@
+Description: CVE-2025-64720 - Buffer overflow in `png_image_read_composite`
+Origin: https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121217
+
+From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 12 Nov 2025 13:46:23 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
+
+The palette compositing code in `png_init_read_transformations` was
+incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
+was set. This violated the premultiplied alpha invariant
+`component <= alpha` expected by `png_image_read_composite`, causing
+values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
+tables.
+
+When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
+premultiplied RGB values without background compositing. The background
+compositing must happen later in `png_image_read_composite` where the
+actual background color from the PNG file is available.
+
+The fix consists in introducing conditional behavior based on
+PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
+premultiplication using the formula `component * alpha + 127) / 255`
+with proper gamma correction. When not set, the original background
+compositing calculation based on the `png_composite` macro is preserved.
+
+This prevents buffer overflows in `png_image_read_composite` where
+out-of-range premultiplied values would cause out-of-bounds array access
+in `png_sRGB_base[]` and `png_sRGB_delta[]`.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: John Bowler <jbowler@acm.org>
+---
+ pngrtran.c | 58 ++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 45 insertions(+), 13 deletions(-)
+
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1694,19 +1694,51 @@
+ }
+ else /* if (png_ptr->trans_alpha[i] != 0xff) */
+ {
+- png_byte v, w;
++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
++ {
++ /* Premultiply only:
++ * component = round((component * alpha) / 255)
++ */
++ png_uint_32 component;
+
+- v = png_ptr->gamma_to_1[palette[i].red];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
+- palette[i].red = png_ptr->gamma_from_1[w];
+-
+- v = png_ptr->gamma_to_1[palette[i].green];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
+- palette[i].green = png_ptr->gamma_from_1[w];
+-
+- v = png_ptr->gamma_to_1[palette[i].blue];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
+- palette[i].blue = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].red];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].red = png_ptr->gamma_from_1[component];
++
++ component = png_ptr->gamma_to_1[palette[i].green];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].green = png_ptr->gamma_from_1[component];
++
++ component = png_ptr->gamma_to_1[palette[i].blue];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].blue = png_ptr->gamma_from_1[component];
++ }
++ else
++ {
++ /* Composite with background color:
++ * component =
++ * alpha * component + (1 - alpha) * background
++ */
++ png_byte v, w;
++
++ v = png_ptr->gamma_to_1[palette[i].red];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.red);
++ palette[i].red = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].green];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.green);
++ palette[i].green = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].blue];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.blue);
++ palette[i].blue = png_ptr->gamma_from_1[w];
++ }
+ }
+ }
+ else
diff -Nru libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part1.patch libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part1.patch
--- libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part1.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part1.patch 2025-11-27 22:31:03.000000000 +0100
@@ -0,0 +1,60 @@
+Description: CVE-2025-65018 - part 1 - Heap buffer overflow
+ in `png_combine_row` triggered via `png_image_finish_read`
+Origin: https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121216
+
+From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Mon, 17 Nov 2025 20:38:47 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reject bit-depth mismatches between IHDR and the requested output
+format. When a 16-bit PNG is processed with an 8-bit output format
+request, `png_combine_row` writes using the IHDR depth before
+transformation, causing writes beyond the buffer allocated via
+`PNG_IMAGE_SIZE(image)`.
+
+The validation establishes a safe API contract where
+`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
+transformation pipeline.
+
+Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
+- Input format: 16 bits/channel × 3 channels = 6144 bytes
+- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
+- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
+
+Larger images produce proportionally larger overflows. For example,
+for 256×256 pixels, the overflow is 131072 bytes.
+
+Reported-by: yosiimich <yosiimich@users.noreply.github.com>
+---
+ pngread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/pngread.c
++++ b/pngread.c
+@@ -4164,6 +4164,20 @@
+ int result;
+ png_image_read_control display;
+
++ /* Reject bit depth mismatches to avoid buffer overflows. */
++ png_uint_32 ihdr_bit_depth =
++ image->opaque->png_ptr->bit_depth;
++ int requested_linear =
++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
++ if (ihdr_bit_depth == 16 && !requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "16-bit PNG must use 16-bit output format");
++ if (ihdr_bit_depth < 16 && requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "8-bit PNG must not use 16-bit output format");
++
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
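Review bot: The check added at `png_image_finish_read` is over-broad: it refuses every 16-bit PNG read with an 8-bit output format (and every sub-16-bit PNG read with a linear 16-bit output format), interlaced or not, which the part 2 commit message in this same debdiff describes as "unnecessarily limiting", and part 2 removes these exact lines again. Carrying part 1 therefore changes nothing in the built package; either squash the two into one `CVE-2025-65018.patch` or state in the Description that part 1 is kept only so that the upstream commit trail is reproducible. Minor: the inner hunk header `@@ -4164,6 +4164,20 @@` carries no function context, which makes the patch harder to refresh against a different base.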
diff -Nru libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part2.patch libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part2.patch
--- libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part2.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/CVE-2025-65018-part2.patch 2025-11-27 22:31:03.000000000 +0100
@@ -0,0 +1,163 @@
+Description: CVE-2025-65018 - part 2 - Heap buffer overflow
+ in `png_combine_row` triggered via `png_image_finish_read`
+Origin: https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
+Bug: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121216
+
+From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 19 Nov 2025 21:45:13 +0200
+Subject: [PATCH] Rearchitect the fix to the buffer overflow in
+ `png_image_finish_read`
+
+Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
+That fix turned out to be unnecessarily limiting. It rejected all
+16-to-8 bit transformations, although the vulnerability only affects
+interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
+before the transformation completes.
+
+The proper solution is to add an intermediate `local_row` buffer,
+specifically for the slow but necessary step of 16-to-8 bit conversion
+of interlaced images. (The processing of non-interlaced images remains
+intact, using the fast path.) We added the flag `do_local_scale` and
+the function `png_image_read_direct_scaled`, following the pattern that
+involves `do_local_compose`.
+
+In conclusion:
+- The 16-to-8 bit transformations of interlaced images are now safe,
+ as they use an intermediate buffer.
+- The 16-to-8 bit transformations of non-interlaced images remain safe,
+ as the fast path remains unchanged.
+- All our regression tests are now passing.
+---
+ pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 75 insertions(+), 14 deletions(-)
+
+--- a/pngread.c
++++ b/pngread.c
+@@ -3260,6 +3260,54 @@
+ }
+ }
+
++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
++static int
++png_image_read_direct_scaled(png_voidp argument)
++{
++ png_image_read_control *display = png_voidcast(png_image_read_control*,
++ argument);
++ png_imagep image = display->image;
++ png_structrp png_ptr = image->opaque->png_ptr;
++ png_bytep local_row = png_voidcast(png_bytep, display->local_row);
++ png_bytep first_row = png_voidcast(png_bytep, display->first_row);
++ ptrdiff_t row_bytes = display->row_bytes;
++ int passes;
++
++ /* Handle interlacing. */
++ switch (png_ptr->interlaced)
++ {
++ case PNG_INTERLACE_NONE:
++ passes = 1;
++ break;
++
++ case PNG_INTERLACE_ADAM7:
++ passes = PNG_INTERLACE_ADAM7_PASSES;
++ break;
++
++ default:
++ png_error(png_ptr, "unknown interlace type");
++ }
++
++ /* Read each pass using local_row as intermediate buffer. */
++ while (--passes >= 0)
++ {
++ png_uint_32 y = image->height;
++ png_bytep output_row = first_row;
++
++ for (; y > 0; --y)
++ {
++ /* Read into local_row (gets transformed 8-bit data). */
++ png_read_row(png_ptr, local_row, NULL);
++
++ /* Copy from local_row to user buffer. */
++ memcpy(output_row, local_row, (size_t)row_bytes);
++ output_row += row_bytes;
++ }
++ }
++
++ return 1;
++}
++
+ /* Just the row reading part of png_image_read. */
+ static int
+ png_image_read_composite(png_voidp argument)
+@@ -3678,6 +3726,7 @@
+ int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
+ int do_local_compose = 0;
+ int do_local_background = 0; /* to avoid double gamma correction bug */
++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
+ int passes = 0;
+
+ /* Add transforms to ensure the correct output format is produced then check
+@@ -3804,8 +3853,16 @@
+ png_set_expand_16(png_ptr);
+
+ else /* 8-bit output */
++ {
+ png_set_scale_16(png_ptr);
+
++ /* For interlaced images, use local_row buffer to avoid overflow
++ * in png_combine_row() which writes using IHDR bit-depth.
++ */
++ if (png_ptr->interlaced != 0)
++ do_local_scale = 1;
++ }
++
+ change &= ~PNG_FORMAT_FLAG_LINEAR;
+ }
+
+@@ -4081,6 +4138,24 @@
+ return result;
+ }
+
++ else if (do_local_scale != 0)
++ {
++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer
++ * to avoid buffer overflows in png_combine_row. The local_row is sized
++ * for the transformed (8-bit) output, preventing the overflow that would
++ * occur if png_combine_row wrote 16-bit data directly to the user buffer.
++ */
++ int result;
++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
++
++ display->local_row = row;
++ result = png_safe_execute(image, png_image_read_direct_scaled, display);
++ display->local_row = NULL;
++ png_free(png_ptr, row);
++
++ return result;
++ }
++
+ else
+ {
+ png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
+@@ -4164,20 +4239,6 @@
+ int result;
+ png_image_read_control display;
+
+- /* Reject bit depth mismatches to avoid buffer overflows. */
+- png_uint_32 ihdr_bit_depth =
+- image->opaque->png_ptr->bit_depth;
+- int requested_linear =
+- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
+- if (ihdr_bit_depth == 16 && !requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "16-bit PNG must use 16-bit output format");
+- if (ihdr_bit_depth < 16 && requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "8-bit PNG must not use 16-bit output format");
+-
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
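Review bot: The copy length in `png_image_read_direct_scaled` does not match the allocation. `local_row` is allocated with `png_get_rowbytes(png_ptr, info_ptr)`, the packed size of the transformed row, but `memcpy(output_row, local_row, (size_t)row_bytes)` copies `display->row_bytes`, which is the caller's row stride in bytes. Whenever the stride is wider than the packed row the memcpy reads past the end of `local_row`, and if `display->row_bytes` can be negative (the `(png_alloc_size_t)display->row_bytes` cast in the fast path below suggests the sign is not guaranteed) the `size_t` cast turns it into an enormous length. Suggest stashing the `png_get_rowbytes(...)` value in `display` and using it as the memcpy length, keeping `row_bytes` only for the pointer advance. Separately, `png_read_row(png_ptr, local_row, NULL)` passes `local_row` as the non-display row, which in interlaced mode only fills the pixels belonging to the current pass and leaves `local_row` untouched for rows outside the pass; the unconditional full-row memcpy then overwrites pixels the user buffer already received in earlier passes with stale bytes. Before upload, compare an interlaced 16-bit test image read through the simplified API pixel-for-pixel against its non-interlaced twin.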
diff -Nru libpng1.6-1.6.39/debian/patches/libpng-config.patch libpng1.6-1.6.39/debian/patches/libpng-config.patch
--- libpng1.6-1.6.39/debian/patches/libpng-config.patch 2019-01-15 09:59:23.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/libpng-config.patch 2025-11-27 22:31:03.000000000 +0100
@@ -1,8 +1,6 @@
Description: this patch is needed to strip arch-dep bits and get a multiarch -dev package.
-Index: libpng1.6-1.6.21/scripts/libpng-config-body.in
-===================================================================
---- libpng1.6-1.6.21.orig/scripts/libpng-config-body.in
-+++ libpng1.6-1.6.21/scripts/libpng-config-body.in
+--- a/scripts/libpng-config-body.in
++++ b/scripts/libpng-config-body.in
@@ -7,7 +7,7 @@
Known values for OPTION are:
@@ -21,10 +19,8 @@
echo ${libdir}
;;
-Index: libpng1.6-1.6.21/libpng-config.in
-===================================================================
---- libpng1.6-1.6.21.orig/libpng-config.in
-+++ libpng1.6-1.6.21/libpng-config.in
+--- a/libpng-config.in
++++ b/libpng-config.in
@@ -14,12 +14,13 @@
version="@PNGLIB_VERSION@"
prefix="@prefix@"
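Review bot: Both hunks here only replace the `Index:`/`===` header block with `--- a/` and `+++ b/` paths; the patch body for `libpng-config-body.in` and `libpng-config.in` is unchanged. That is a harmless refresh, but since it is unrelated to the four CVE fixes it deserves its own line in the changelog so the stable release managers can see that no functional change hides in it.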
diff -Nru libpng1.6-1.6.39/debian/patches/series libpng1.6-1.6.39/debian/patches/series
--- libpng1.6-1.6.39/debian/patches/series 2022-11-26 15:18:36.000000000 +0100
+++ libpng1.6-1.6.39/debian/patches/series 2025-11-27 22:31:03.000000000 +0100
@@ -1,2 +1,7 @@
libpng-config.patch
#libpng-1.6.39-apng.patch
+CVE-2025-64505.patch
+CVE-2025-64506.patch
+CVE-2025-64720.patch
+CVE-2025-65018-part1.patch
+CVE-2025-65018-part2.patch
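Review bot: The order of the last two entries is load-bearing: `CVE-2025-65018-part2.patch` ends by deleting the exact fourteen lines that `CVE-2025-65018-part1.patch` inserts at `pngread.c:4164`, so swapping or dropping part 1 makes part 2 fail to apply. Fine as listed; just keep the pair together if the series is ever reordered.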
diff -Nru libpng1.6-1.6.39/debian/salsa-ci.yml libpng1.6-1.6.39/debian/salsa-ci.yml
--- libpng1.6-1.6.39/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ libpng1.6-1.6.39/debian/salsa-ci.yml 2025-11-27 22:31:03.000000000 +0100
@@ -0,0 +1,6 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
From: Tobias Frost <tobi@debian.org>
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA XXXX-1] libpng1.6 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-XXXX-1 security@debian.org
https://www.debian.org/security/ Tobias Frost
November 30, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libpng1.6
CVE ID : CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018
Debian Bug : 1121216 1121217 1121218 1121219
Multiple vulnerabilities have been found in libpng, the official PNG
reference library, allowing information disclosure via out-of-bounds
read, denial of service via application crash,
or heap corruption with potential for arbitrary code execution.
CVE-2025-64505

    Heap buffer over-read in `png_do_quantize` via malformed palette
    index.

CVE-2025-64506

    Heap buffer over-read in `png_write_image_8bit`.

CVE-2025-64720

    Buffer overflow in `png_image_read_composite` via incorrect palette
    premultiplication.

CVE-2025-65018

    Heap buffer overflow in `png_combine_row` triggered via
    `png_image_finish_read`.
For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.39-2+deb12u1.
For the stable distribution (trixie), these problems have been fixed in
version 1.6.48-1+deb13u1.
We recommend that you upgrade your libpng1.6 packages.
For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org