Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libpng12 for openSUSE:Factory checked in at 2026-07-14 13:51:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libpng12 (Old) and /work/SRC/openSUSE:Factory/.libpng12.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libpng12" Tue Jul 14 13:51:30 2026 rev:44 rq:1365483 version:1.2.59 Changes: -------- --- /work/SRC/openSUSE:Factory/libpng12/libpng12.changes 2026-04-28 13:22:33.155156360 +0200 +++ /work/SRC/openSUSE:Factory/.libpng12.new.1991/libpng12.changes 2026-07-14 13:51:50.502919339 +0200 @@ -1,0 +2,7 @@ +Tue Jul 14 06:07:26 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize [bsc#1258020] + * libpng12-CVE-2026-25646.patch + +------------------------------------------------------------------- @@ -41,0 +49 @@ +- fixes CVE-2017-12652 [bsc#1141493] New: ---- libpng12-CVE-2026-25646.patch ----------(New B)---------- New: CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize [bsc#1258020] * libpng12-CVE-2026-25646.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libpng12.spec ++++++ --- /var/tmp/diff_new_pack.oDTI4d/_old 2026-07-14 13:51:52.851000525 +0200 +++ /var/tmp/diff_new_pack.oDTI4d/_new 2026-07-14 13:51:52.855000663 +0200 @@ -40,6 +40,8 @@ Patch3: libpng12-CVE-2026-33416.patch # CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957] Patch4: libpng12-CVE-2026-34757.patch +# CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize [bsc#1258020] +Patch5: libpng12-CVE-2026-25646.patch BuildRequires: libtool BuildRequires: pkg-config BuildRequires: zlib-devel ++++++ libpng12-CVE-2026-25646.patch ++++++ >From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001 From: Cosmin Truta <[email protected]> Date: Fri, 6 Feb 2026 19:11:54 +0200 Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize` The color distance hash table stored the current palette indices, but the color-pruning loop assumed the original indices. When colors were eliminated and indices changed, the stored indices became stale. This caused the loop bound `max_d` to grow past the 769-element hash array. The fix consists in storing the original indices via `palette_to_index` to match the pruning loop's expectations. Reported-by: Joshua Inscoe <[email protected]> Co-authored-by: Joshua Inscoe <[email protected]> Signed-off-by: Cosmin Truta <[email protected]> --- AUTHORS | 1 + pngrtran.c | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) Index: libpng-1.2.59/pngrtran.c =================================================================== --- libpng-1.2.59.orig/pngrtran.c +++ libpng-1.2.59/pngrtran.c @@ -371,8 +371,8 @@ png_set_dither(png_structp png_ptr, png_ if (t == NULL) break; t->next = hash[d]; - t->left = (png_byte)i; - t->right = (png_byte)j; + t->left = png_ptr->palette_to_index[i]; + t->right = png_ptr->palette_to_index[j]; hash[d] = t; } }
