From: Theo Buehler
Subject: Re: [update] png to 1.6.57
To: Matthieu Herrb
Cc: ports@openbsd.org
Date: Thu, 9 Apr 2026 07:27:00 +0200

On Thu, Apr 09, 2026 at 07:20:33AM +0200, Matthieu Herrb wrote:
> === CVE-2026-34757 ===
>
> Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST
> leading to corrupted chunk data and potential heap information
> disclosure
>
> no API/ABI change.
>
> ok ?

ok

> I'll also take care of updating the embedded copy in xenocara,
> used by freetype, although the affected functions are not called by
> freetype afaict.

The diff between the two versions reads fine and completely risk-free
to me. ok for this as well.

Thanks!