Re: security update for libpng1.6
Hi,
As I've unfortunately missed this mail before I sent the update today,
just a short heads-up that I'll check/incorporate the suggested changes.
On Fri, Nov 28, 2025 at 02:22:18PM +0100, Salvatore Bonaccorso wrote:
> Hi Tobias,
>
> On Tue, Nov 25, 2025 at 09:15:21PM +0100, Tobias Frost wrote:
> > Hi Salvatore,
> >
> > attached is the libpng debdiff for trixie.
> > The diff is also available on salsa: https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504
>
> Thanks for attaching the debdiff.
>
> > Salsa-CI is currently busy rebuilding all r-deps, I'll
> > check the results tomorrow (there will be builds running into timeouts,
> > I'll compile those locally as well.)
> >
> > (I'll also start working on bookworm asap, but didn't want to delay
> > sharing the trixie debdiff)
>
> Ok, please come back to us as well once you have it. We should release
> both updates at the same time for trixie-security and
> bookworm-security.
>
>
> > diff -Nru libpng1.6-1.6.48/debian/changelog libpng1.6-1.6.48/debian/changelog
> > --- libpng1.6-1.6.48/debian/changelog 2025-05-05 21:11:18.000000000 +0200
> > +++ libpng1.6-1.6.48/debian/changelog 2025-11-23 18:21:02.000000000 +0100
> > @@ -1,3 +1,15 @@
> > +libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=medium
>
> This should be targeting trixie-security. The rest is ok, although
> I prefer to explicitly set urgency=high (but it is not
> technically needed).
>
> > + * Security upload targeting trixie.
> > + * Backport fixes for:
> > + - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
>
> I think we should have applied here first the upstream commit
> ea094764f343 ("Fix a memory leak in function `png_set_quantize`;
> refactor"). This directly affects the code which we are fixing and
> fixes a memory leak in png_set_quantize. It does not have a CVE
> afaict, but it might be worth applying before the CVE-2025-64505 fix
> as done in the upstream code, in particular because it is the same
> Samsung-PENTEST reporter discovering the issues with CVE assigned.
>
> Would you concur on this?
>
> > + - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
> > + - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
> > + - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
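Review bot: each of the three CVE lines in this hunk gives only the CVE id and a generic bug class ("Heap buffer over-read", "Heap buffer overflow") plus the bug number; naming the upstream commit (or at least the function) that each backport comes from, as the earlier reply does for `png_set_quantize`, would make it easier to later verify that the trixie and bookworm uploads carry the same fixes.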
>
> Those look good to me.
>
> > + * Set gbp.conf for trixie and enable salsa CI
>
> We usually do not do that, but there is clear benefit of running
> additional test coverage, so ok!
>
> Can you clarify on the above question surrounding CVE-2025-64505?
> Or is it too intrusive to backport to the 1.6.48 version in trixie?
>
> Additionally, were you able to test the update against the published verifiers
> from the GHSAs?
>
> Regards,
> Salvatore