From: Theo Buehler Subject: Re: update: png 1.6.55 To: Matthieu Herrb Cc: ports@openbsd.org Date: Tue, 10 Feb 2026 17:44:45 +0100 On Tue, Feb 10, 2026 at 07:17:29AM +0100, Matthieu Herrb wrote: > Trivial update to png 1.6.55 > > No API/ABI changes. > > libpng 1.6.55 has been released to address a heap buffer overflow > vulnerability in the low-level API. This release fixes one > high-severity CVE affecting all versions of libpng. > > CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize > when called with no histogram and a palette larger than twice the > requested maximum number of colors. > > ok (also for -stable)? > > PS : the embedded copy in xenocara will be updated too, although > freetype does not use the png_set_quantize() function that is affected > by the CVE. ok for all of this. > > Index: Makefile > =================================================================== > RCS file: /local/cvs/ports/graphics/png/Makefile,v > diff -u -p -u -r1.146 Makefile > --- Makefile 14 Jan 2026 06:23:48 -0000 1.146 > +++ Makefile 10 Feb 2026 06:13:53 -0000 > @@ -4,7 +4,7 @@ > > COMMENT= library for manipulating PNG images > > -VERSION= 1.6.54 > +VERSION= 1.6.55 > DISTNAME= libpng-${VERSION} > PKGNAME= png-${VERSION} > CATEGORIES= graphics > Index: distinfo > =================================================================== > RCS file: /local/cvs/ports/graphics/png/distinfo,v > diff -u -p -u -r1.75 distinfo > --- distinfo 14 Jan 2026 06:23:48 -0000 1.75 > +++ distinfo 10 Feb 2026 06:13:53 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU= > -SIZE (libpng-1.6.54.tar.xz) = 1064472 > +SHA256 (libpng-1.6.55.tar.xz) = 2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0= > +SIZE (libpng-1.6.55.tar.xz) = 1064676 > > -- > Matthieu Herrb >
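Review bot: The Makefile hunk only bumps VERSION from 1.6.54 to 1.6.55 and leaves SHARED_LIBS untouched, which is consistent with the "No API/ABI changes" statement; since this is also being asked for -stable, it would help to name CVE-2026-25646 in the commit message so the backport is traceable to the security fix rather than reading as a routine version bump.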
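Review bot: The distinfo hunk replaces both the SHA256 and SIZE lines for libpng-1.6.55.tar.xz; please confirm the new digest was checked against the upstream-published checksum or signature rather than only regenerated from the fetched tarball, since a regenerated sum proves nothing about the archive's origin. Note that the SHA256 value is in the base64 form OpenBSD's distinfo uses, so an upstream hex digest has to be converted before comparing. The 204-byte size increase (1064472 to 1064676) is in line with a small bug-fix release.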