On Sat, Nov 22, 2025 at 10:48:20AM +0100, Matthieu Herrb wrote:
> Hi,
> 
> The matching xenocara update is beeing sent to tech@
> 
> CVE-2025-64505 (CVSS 6.1, Moderate): Heap buffer over-read in
> png_do_quantize via malformed palette index.
> 
> CVE-2025-64506 (CVSS 6.1, Moderate): Heap buffer over-read in
> png_write_image_8bit with 8-bit input and convert_to_8bit enabled.
> 
> CVE-2025-64720 (CVSS 7.1, High): Out-of-bounds read in
> png_image_read_composite via palette premultiplication with
> PNG_FLAG_OPTIMIZE_ALPHA.
> 
> CVE-2025-65018 (CVSS 7.1, High): Heap buffer overflow in
> png_combine_row triggered via png_image_finish_read when processing
> 16-bit interlaced PNGs with 8-bit output format.
> 
> All vulnerabilities require user interaction (processing a malicious
> PNG file) and can result in information disclosure and/or denial of
> service. CVE-2025-65018 may enable arbitrary code execution via heap
> corruption in certain heap configurations.
> 
> ok, comments ?

Builds fine on amd64, riscv64 and sparc64, runtime lightly tested.  No
shared lib version bump needed, and no concerning change in include
files.

ok jca@

-- 
jca