Your message dated Sat, 03 Jan 2026 13:02:21 +0000
with message-id <[email protected]>
and subject line Bug#1121217: fixed in libpng1.6 1.6.48-1+deb13u1
has caused the Debian Bug report #1121217,
regarding libpng1.6: CVE-2025-64720 - Heap buffer overflow in 
png_init_read_transformations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121217
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.50-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pnggroup/libpng/issues/686
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libpng1.6.

CVE-2025-64720[0]:
| Buffer overflow in `png_image_read_composite` via incorrect palette
| premultiplication

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64720
    https://www.cve.org/CVERecord?id=CVE-2025-64720
[1] https://github.com/pnggroup/libpng/issues/686
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww
[3] https://www.openwall.com/lists/oss-security/2025/11/22/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.48-1+deb13u1
Done: Tobias Frost <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 06 Dec 2025 11:10:16 +0100
Source: libpng1.6
Architecture: source
Version: 1.6.48-1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1121216 1121217 1121218 1121219 1121877
Changes:
 libpng1.6 (1.6.48-1+deb13u1) trixie-security; urgency=high
 .
   * Security upload targeting trixie.
   * Backport fixes for:
     - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
     - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
     - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
     - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
     - CVE-2025-66293 - Out-of-bounds read (Closes: #1121877)
   * Set gbp.conf for trixie and enable salsa CI

--- End Message ---