From: Matthieu Herrb
Subject: update: png 1.6.55
To: ports@openbsd.org
Date: Tue, 10 Feb 2026 07:17:29 +0100

Trivial update to png 1.6.55
No API/ABI changes.

libpng 1.6.55 has been released to address a heap buffer overflow
vulnerability in the low-level API. This release fixes one high-severity
CVE affecting all versions of libpng.

CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize when
called with no histogram and a palette larger than twice the requested
maximum number of colors.

ok (also for -stable)?

PS: the embedded copy in xenocara will be updated too, although freetype
does not use the png_set_quantize() function that is affected by the CVE.

Index: Makefile
===================================================================
RCS file: /local/cvs/ports/graphics/png/Makefile,v
diff -u -p -u -r1.146 Makefile
--- Makefile 14 Jan 2026 06:23:48 -0000 1.146
+++ Makefile 10 Feb 2026 06:13:53 -0000
@@ -4,7 +4,7 @@
 COMMENT= library for manipulating PNG images
 
-VERSION= 1.6.54
+VERSION= 1.6.55
 DISTNAME= libpng-${VERSION}
 PKGNAME= png-${VERSION}
 CATEGORIES= graphics
 
Index: distinfo
===================================================================
RCS file: /local/cvs/ports/graphics/png/distinfo,v
diff -u -p -u -r1.75 distinfo
--- distinfo 14 Jan 2026 06:23:48 -0000 1.75
+++ distinfo 10 Feb 2026 06:13:53 -0000
@@ -1,2 +1,2 @@
-SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU=
-SIZE (libpng-1.6.54.tar.xz) = 1064472
+SHA256 (libpng-1.6.55.tar.xz) = 2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0=
+SIZE (libpng-1.6.55.tar.xz) = 1064676
-- 
Matthieu Herrb
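Review bot: the Makefile hunk is generated against -current (Makefile r1.146, VERSION 1.6.54), while the message also asks for an ok on -stable; before applying there, confirm the -stable branch of graphics/png is likewise at 1.6.54 so the same one-line VERSION change (and the matching distinfo change) applies cleanly and does not skip an intermediate release. Bumping only VERSION is otherwise sufficient for this hunk, since DISTNAME and PKGNAME are derived from it and no REVISION line is involved.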
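Review bot: in the distinfo hunk, SHA256 and SIZE are updated together for libpng-1.6.55.tar.xz, which is correct; before committing, make sure the new base64 SHA256 and the SIZE (1064676, up 204 bytes from 1064472) were produced by `make makesum` on the tarball fetched from the upstream distribution site, not on a locally repacked archive, and cross-check the digest against the checksum upstream publishes for 1.6.55 so a security update is not accidentally pinned to a tampered or mismatched distfile.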