From: Matthieu Herrb
Subject: [update] png 1.6.51
To: ports@openbsd.org
Date: Sat, 22 Nov 2025 10:48:20 +0100

Hi,

The matching xenocara update is being sent to tech@

CVE-2025-64505 (CVSS 6.1, Moderate): Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506 (CVSS 6.1, Moderate): Heap buffer over-read in png_write_image_8bit with 8-bit input and convert_to_8bit enabled.

CVE-2025-64720 (CVSS 7.1, High): Out-of-bounds read in png_image_read_composite via palette premultiplication with PNG_FLAG_OPTIMIZE_ALPHA.

CVE-2025-65018 (CVSS 7.1, High): Heap buffer overflow in png_combine_row triggered via png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format.

All vulnerabilities require user interaction (processing a malicious PNG file) and can result in information disclosure and/or denial of service. CVE-2025-65018 may enable arbitrary code execution via heap corruption in certain heap configurations.

ok, comments ?

Index: Makefile =================================================================== RCS file: /local/cvs/ports/graphics/png/Makefile,v diff -u -p -u -r1.143 Makefile --- Makefile 17 Sep 2025 15:42:46 -0000 1.143 +++ Makefile 22 Nov 2025 09:46:52 -0000 @@ -4,7 +4,7 @@ COMMENT= library for manipulating PNG images -VERSION= 1.6.50 +VERSION= 1.6.51 DISTNAME= libpng-${VERSION} PKGNAME= png-${VERSION} CATEGORIES= graphics Index: distinfo =================================================================== RCS file: /local/cvs/ports/graphics/png/distinfo,v diff -u -p -u -r1.72 distinfo --- distinfo 11 Sep 2025 10:39:56 -0000 1.72 +++ distinfo 22 Nov 2025 09:46:52 -0000 @@ -1,2 +1,2 @@ -SHA256 (libpng-1.6.50.tar.xz) = TfOWUYYgp6o2UUQ+h9Gyhi5OiMrRNai5NCPgFwYjIwc= -SIZE (libpng-1.6.50.tar.xz) = 1060992 +SHA256 (libpng-1.6.51.tar.xz) = oFCoktO0p7sBDDqVxzAeSWVtcqZPH8cJqQuK3tGSvtI= +SIZE (libpng-1.6.51.tar.xz) = 1060772

--
Matthieu Herrb
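
Review bot: In the Makefile hunk the only changed line is VERSION (1.6.50 to 1.6.51), and nothing in the patch touches a shared-library version, so the submission should say that the exported symbols of 1.6.51 were compared against 1.6.50 and found unchanged. The four fixes listed in the mail are in existing read and write paths (png_do_quantize, png_write_image_8bit, png_image_read_composite, png_combine_row), which makes an unchanged interface likely, but one line confirming the check saves every reviewer from repeating it.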
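
Review bot: In the distinfo hunk the new SHA256 line is the only integrity anchor for libpng-1.6.51.tar.xz, and the mail does not say what it was checked against. Please state that the tarball matched the upstream release signature or published checksum before distinfo was regenerated, since a hash computed from whatever was fetched only pins that particular download. The SIZE change from 1060992 to 1060772 is small and needs no comment beyond that.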