
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: [update] png to 1.6.57
To: Matthieu Herrb <matthieu@openbsd.org>
Cc: ports@openbsd.org
Date: Thu, 9 Apr 2026 07:27:00 +0200

On Thu, Apr 09, 2026 at 07:20:33AM +0200, Matthieu Herrb wrote:
> === CVE-2026-34757 ===
> 
> Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST
> leading to corrupted chunk data and potential heap information
> disclosure
> 
> no API/ABI change.
> 
> ok ?

ok

> I'll also take care of updating the embedded copy in xenocara,
> used by freetype, although the affected functions are not called by
> freetype afaict.

The diff between the two versions reads fine and completely risk-free to
me. ok for this as well. Thanks!