From: Matthieu Herrb Subject: [update] png 1.6.54 To: ports@openbsd.org Date: Tue, 13 Jan 2026 22:09:12 +0100 CVE-2026-22695 (medium severity): Heap buffer over-read in png_image_read_direct_scaled CVE-2026-22801 (medium severity): Integer truncation causing heap buffer over-read in png_image_write_*. ok ? I'll take care of the embedded copy in xenocara. Index: Makefile =================================================================== RCS file: /local/cvs/ports/graphics/png/Makefile,v diff -u -p -u -r1.145 Makefile --- Makefile 4 Dec 2025 15:34:39 -0000 1.145 +++ Makefile 13 Jan 2026 21:05:34 -0000 @@ -4,7 +4,7 @@ COMMENT= library for manipulating PNG images -VERSION= 1.6.52 +VERSION= 1.6.54 DISTNAME= libpng-${VERSION} PKGNAME= png-${VERSION} CATEGORIES= graphics Index: distinfo =================================================================== RCS file: /local/cvs/ports/graphics/png/distinfo,v diff -u -p -u -r1.74 distinfo --- distinfo 4 Dec 2025 15:34:39 -0000 1.74 +++ distinfo 13 Jan 2026 21:05:34 -0000 @@ -1,2 +1,2 @@ -SHA256 (libpng-1.6.52.tar.xz) = Nr1yYijsk6O2wi/bSelKZ7FvL+mzm3i3y2V3KWZmHMw= -SIZE (libpng-1.6.52.tar.xz) = 1063580 +SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU= +SIZE (libpng-1.6.54.tar.xz) = 1064472 -- Matthieu Herrb
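Review bot: On the VERSION line in Makefile, the bump goes from 1.6.52 straight to 1.6.54, so the update also pulls in everything that changed in 1.6.53, while the message describes only the two CVE fixes. This hunk shows no other Makefile change, so please confirm that the library's exported interface is unchanged across both releases and that no shared library version bump is needed, and mention the skipped release in the commit message.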
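Review bot: In distinfo, the new SHA256 and SIZE values for libpng-1.6.54.tar.xz are only as trustworthy as the tarball they were generated from, and the submission does not say how that tarball was checked. Because this is a security update, state that the distfile was verified against a signature or checksum published by upstream before the values were regenerated, so that reviewers can compare against the same reference.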