On Wed, Apr 08, 2026 at 11:29:17PM -0600, Theo de Raadt wrote:
> Theo Buehler <tb@theobuehler.org> wrote:
> 
> > On Thu, Apr 09, 2026 at 07:20:33AM +0200, Matthieu Herrb wrote:
> > > === CVE-2026-34757 ===
> > > 
> > > Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST
> > > leading to corrupted chunk data and potential heap information
> > > disclosure
> > > 
> > > no API/ABI change.
> > > 
> > > ok ?
> 
> How did you see that in the mail?

I did not see it in the mail. I ran check_sym and tests. I also ran
'make patch' before applying the diff and after and inspected with
diff -r between the two relevant directories below /usr/ports/pobj
as I always do when libraries are updated in ports.

Two headers changed. One is only a comment updating the version number.
The other header changed version number macros and a typedef used as
a guard against not mixing source and headers of different versions:

-typedef char *png_libpng_version_1_6_56;
+typedef char *png_libpng_version_1_6_57;

and png.c does the corresponding

-typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56;
+typedef png_libpng_version_1_6_57 Your_png_h_is_not_version_1_6_57;

I see no ABI/API change.