From: Matthieu Herrb
Subject: [update] png to 1.6.57
To: ports@openbsd.org
Date: Thu, 9 Apr 2026 07:20:33 +0200

=== CVE-2026-34757 ===
Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure. No API/ABI change.

ok ?

I'll also take care of updating the embedded copy in xenocara, used by freetype, although the affected functions are not called by freetype afaict.

Index: Makefile =================================================================== RCS file: /local/cvs/ports/graphics/png/Makefile,v diff -u -p -u -r1.148 Makefile --- Makefile 26 Mar 2026 19:55:16 -0000 1.148 +++ Makefile 9 Apr 2026 05:12:13 -0000 @@ -4,7 +4,7 @@ COMMENT= library for manipulating PNG images -VERSION= 1.6.56 +VERSION= 1.6.57 DISTNAME= libpng-${VERSION} PKGNAME= png-${VERSION} CATEGORIES= graphics Index: distinfo =================================================================== RCS file: /local/cvs/ports/graphics/png/distinfo,v diff -u -p -u -r1.77 distinfo --- distinfo 26 Mar 2026 19:55:16 -0000 1.77 +++ distinfo 9 Apr 2026 05:12:13 -0000 @@ -1,2 +1,2 @@ -SHA256 (libpng-1.6.56.tar.xz) = 99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg= -SIZE (libpng-1.6.56.tar.xz) = 1067028 +SHA256 (libpng-1.6.57.tar.xz) = 0Qwg1xcVaYBMro38E7ptzQZixB7TnUPU1CkxSq+xCoA= +SIZE (libpng-1.6.57.tar.xz) = 1069484

--
Matthieu Herrb
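Review bot: The Makefile hunk changes only VERSION (1.6.56 to 1.6.57), which is consistent with the "no API/ABI change" statement in the message: a security fix that keeps the ABI does not need a SHARED_LIBS bump, and since VERSION itself moves there is no need for a REVISION marker either. Since PKGNAME and DISTNAME are derived from ${VERSION}, the package name and distfile name follow automatically, so nothing else in this hunk needs to change.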
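Review bot: In the distinfo hunk, SHA256 and SIZE are updated together for libpng-1.6.57.tar.xz, which is the right shape; the one thing to confirm before committing is that the new SHA256 was checked against the checksum or signature published by upstream for the 1.6.57 release rather than only against the locally fetched file, since for a CVE-driven update the distinfo line is what protects every later fetch of this distfile. The size change (1067028 to 1069484 bytes) is small and plausible for a point release.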