On Fri, Nov 28, 2025 at 02:22:18PM +0100, Salvatore Bonaccorso wrote:
> Hi Tobias,
>
> On Tue, Nov 25, 2025 at 09:15:21PM +0100, Tobias Frost wrote:
> > Hi Salvatore,
> >
> > attached is the libpng debdiff for trixie.
> > The diff is also available on salsa: https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504
>
> Thanks for attaching the debdiff.
>
> > Salsa-CI is currently busy rebuilding all r-deps, I'll
> > check the results tomorrow (there will be builds running into timeouts,
> > I'll compile those locally as well.)
> >
> > (I'll also start working on bookworm asap, but didn't want to delay
> > sharing the trixie debdiff)
>
> Ok, please come back to us as well once you have it. We should release
> both updates at the same time for trixie-security and
> bookworm-security.
>
>
> > diff -Nru libpng1.6-1.6.48/debian/changelog libpng1.6-1.6.48/debian/changelog
> > --- libpng1.6-1.6.48/debian/changelog 2025-05-05 21:11:18.000000000 +0200
> > +++ libpng1.6-1.6.48/debian/changelog 2025-11-23 18:21:02.000000000 +0100
> > @@ -1,3 +1,15 @@
> > +libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=medium
>
> This should be targetting trixie-security. The rest is ok, although
> for I prefer to make explitily a urgency=high (but it is not
> technically needed).
fixed the suite.
> > + * Security upload targeting trixie.
> > + * Backport fixes for:
> > + - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
>
> I think we should have applied here first the upstream commit
> ea094764f343 ("Fix a memory leak in function `png_set_quantize`;
> refactor"). This affect directly the code which we are fixing and
> fixes a memory leak in png_set_quantize. It does not have a CVE
> afaict, but it might be worth applying before the CVE-2025-64505 fix
> as done in the upstream code, in particular because it is the same
> Samsung-PENTEST reporter discovering the issues with CVE assigned.
Well, https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42
tells commit 6a528eb is the fix for the CVE, which is what I've applied.
The memory leak is not related to the CVE. As the discusison in the
upstream PR #748 shows, png_quantitize *should* only be called once
anyways; only subsequent calls will leak 256 bytes of memory.
On top of the memory-leak-fix, ea094764f343 has additional refactoring,
namely eliminating the struct member png_structrp->quantize_sort, so the
effective fix is adding this line:
png_free(png_ptr, png_ptr->quantize_index);
All other lines in this commit are refactoring.
So certainly we can have this commit in the update, if you prefer
that; I'd prefer at least not to have the refactoring bits, even if the
code is straight forward.
> Would you concur on this?
>
> > + - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
> > + - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
> > + - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
>
> Those looks good to me.
>
> > + * Set gbp.conf for trixie and enable salsa CI
>
> We usually do not do that, but there is clear benefit of running
> additional test coverage, so ok!
Yes, that's the reason and there is no reason not to enable CI :)
> Can you clarify on the above question surrounding CVE-2025-64505?
> Or is it too intrusive to backport to the 1.6.48 version in trixie?
>
> Additionally were you able the update against the published verfiers
> form the GHSAs?
I was able to check against the pocs for 505 and 506 (as attached to
upstream issues 688 and 691) and after the updateI couldn't trigger them
anymore. I was not able to get the poc for 65018 compiled.
> Regards,
> Salvatore
Attachment:
signature.asc
Description: PGP signature