Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libpng12 for openSUSE:Factory 
checked in at 2026-07-14 13:51:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libpng12 (Old)
 and      /work/SRC/openSUSE:Factory/.libpng12.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libpng12"

Tue Jul 14 13:51:30 2026 rev:44 rq:1365483 version:1.2.59

Changes:
--------
--- /work/SRC/openSUSE:Factory/libpng12/libpng12.changes        2026-04-28 
13:22:33.155156360 +0200
+++ /work/SRC/openSUSE:Factory/.libpng12.new.1991/libpng12.changes      
2026-07-14 13:51:50.502919339 +0200
@@ -1,0 +2,7 @@
+Tue Jul 14 06:07:26 UTC 2026 - Petr Gajdos <[email protected]>
+
+- added patches
+  CVE-2026-25646: Heap buffer overflow vulnerability in 
png_set_dither/png_set_quantize [bsc#1258020]
+  * libpng12-CVE-2026-25646.patch
+
+-------------------------------------------------------------------
@@ -41,0 +49 @@
+- fixes CVE-2017-12652 [bsc#1141493]

New:
----
  libpng12-CVE-2026-25646.patch

----------(New B)----------
  New:  CVE-2026-25646: Heap buffer overflow vulnerability in 
png_set_dither/png_set_quantize [bsc#1258020]
  * libpng12-CVE-2026-25646.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libpng12.spec ++++++
--- /var/tmp/diff_new_pack.oDTI4d/_old  2026-07-14 13:51:52.851000525 +0200
+++ /var/tmp/diff_new_pack.oDTI4d/_new  2026-07-14 13:51:52.855000663 +0200
@@ -40,6 +40,8 @@
 Patch3:         libpng12-CVE-2026-33416.patch
 # CVE-2026-34757: Information disclosure and data corruption via 
use-after-free vulnerability [bsc#1261957]
 Patch4:         libpng12-CVE-2026-34757.patch
+# CVE-2026-25646: Heap buffer overflow vulnerability in 
png_set_dither/png_set_quantize [bsc#1258020]
+Patch5:         libpng12-CVE-2026-25646.patch
 BuildRequires:  libtool
 BuildRequires:  pkg-config
 BuildRequires:  zlib-devel

++++++ libpng12-CVE-2026-25646.patch ++++++
>From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
From: Cosmin Truta <[email protected]>
Date: Fri, 6 Feb 2026 19:11:54 +0200
Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`

The color distance hash table stored the current palette indices, but
the color-pruning loop assumed the original indices. When colors were
eliminated and indices changed, the stored indices became stale. This
caused the loop bound `max_d` to grow past the 769-element hash array.

The fix consists in storing the original indices via `palette_to_index`
to match the pruning loop's expectations.

Reported-by: Joshua Inscoe <[email protected]>
Co-authored-by: Joshua Inscoe <[email protected]>
Signed-off-by: Cosmin Truta <[email protected]>
---
 AUTHORS    | 1 +
 pngrtran.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

Index: libpng-1.2.59/pngrtran.c
===================================================================
--- libpng-1.2.59.orig/pngrtran.c
+++ libpng-1.2.59/pngrtran.c
@@ -371,8 +371,8 @@ png_set_dither(png_structp png_ptr, png_
                      if (t == NULL)
                          break;
                      t->next = hash[d];
-                     t->left = (png_byte)i;
-                     t->right = (png_byte)j;
+                     t->left = png_ptr->palette_to_index[i];
+                     t->right = png_ptr->palette_to_index[j];
                      hash[d] = t;
                   }
                }

Reply via email to