From: Klemens Nanni
Subject: Re: [update] png 1.6.54
To: Matthieu Herrb, ports@openbsd.org
Date: Wed, 14 Jan 2026 04:14:04 +0000

14.01.2026 00:09, Matthieu Herrb wrote:
> CVE-2026-22695 (medium severity): Heap buffer over-read in
> png_image_read_direct_scaled
> CVE-2026-22801 (medium severity): Integer truncation causing heap
> buffer over-read in png_image_write_*.
>
> ok ?

OK kn

>
> I'll take care of the embedded copy in xenocara.
>
> Index: Makefile > =================================================================== > RCS file: /local/cvs/ports/graphics/png/Makefile,v > diff -u -p -u -r1.145 Makefile > --- Makefile 4 Dec 2025 15:34:39 -0000 1.145 > +++ Makefile 13 Jan 2026 21:05:34 -0000 > @@ -4,7 +4,7 @@ > > COMMENT= library for manipulating PNG images > > -VERSION= 1.6.52 > +VERSION= 1.6.54 > DISTNAME= libpng-${VERSION} > PKGNAME= png-${VERSION} > CATEGORIES= graphics > Index: distinfo > =================================================================== > RCS file: /local/cvs/ports/graphics/png/distinfo,v > diff -u -p -u -r1.74 distinfo > --- distinfo 4 Dec 2025 15:34:39 -0000 1.74 > +++ distinfo 13 Jan 2026 21:05:34 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (libpng-1.6.52.tar.xz) = Nr1yYijsk6O2wi/bSelKZ7FvL+mzm3i3y2V3KWZmHMw= > -SIZE (libpng-1.6.52.tar.xz) = 1063580 > +SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU= > +SIZE (libpng-1.6.54.tar.xz) = 1064472 >
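
Review bot: In the Makefile hunk, the VERSION line moves from 1.6.52 to 1.6.54 and nothing else in the file changes, so the diff alone does not show whether the library's exported interface was checked across that jump. Suggest stating in the commit message that the symbols of 1.6.52 and 1.6.54 were compared and that no SHARED_LIBS change is needed, or adding that change to this hunk if one is.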
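
Review bot: In the distinfo hunk, the new SHA256 and SIZE on the `+` lines are the only integrity record for libpng-1.6.54.tar.xz, and the mail does not say what they were checked against. For a security update, suggest noting in the submission that the downloaded tarball matched the checksum or signature published upstream before distinfo was regenerated.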