Your message dated Wed, 21 Jan 2026 19:48:51 +0000
with message-id <[email protected]>
and subject line Bug#1125443: fixed in libpng1.6 1.6.54-1
has caused the Debian Bug report #1125443,
regarding libpng1.6: CVE-2026-22695: Heap buffer over-read in png_image_read_direct_scaled()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125443: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125443
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.51-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pnggroup/libpng/issues/778
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.6.39-2+deb12u1
Control: found -1 1.6.48-1+deb13u1
Hi,
The following vulnerability was published for libpng1.6.
CVE-2026-22695[0]:
| LIBPNG is a reference library for use in applications that read,
| create, and manipulate PNG (Portable Network Graphics) raster image
| files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in
| the libpng simplified API function png_image_finish_read when
| processing interlaced 16-bit PNGs with 8-bit output format and non-
| minimal row stride. This is a regression introduced by the fix for
| CVE-2025-65018. This vulnerability is fixed in 1.6.54.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-22695
https://www.cve.org/CVERecord?id=CVE-2026-22695
[1] https://github.com/pnggroup/libpng/issues/778
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp
[3] https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
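As an added, defender-side example that is not part of this bug report or of libpng itself: a small Python header-triage routine that parses a PNG signature and IHDR chunk (verifying the chunk CRC) and flags files whose header matches the file-side profile the advisory names, interlaced with 16-bit depth. The remaining trigger conditions, 8-bit output format and a non-minimal row stride, are chosen by the calling application rather than stored in the file, so this only narrows which inputs could reach the affected code path; the sample headers are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_ihdr(data: bytes) -> dict:
    """Parse the PNG signature and the IHDR chunk, verifying IHDR's CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    off = len(PNG_SIGNATURE)
    # chunk layout: 4-byte length, 4-byte type, 13-byte IHDR body, 4-byte CRC
    if len(data) < off + 25:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[off:off + 8])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    body = data[off + 8:off + 21]
    (crc,) = struct.unpack(">I", data[off + 21:off + 25])
    # the CRC covers the chunk type and body, not the length field
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    if depth not in (1, 2, 4, 8, 16) or interlace not in (0, 1) or comp or filt:
        raise ValueError("invalid IHDR field")
    return {"width": width, "height": height, "bit_depth": depth,
            "color_type": color, "interlace": interlace}


def matches_trigger_profile(hdr: dict) -> bool:
    """True for an interlaced (Adam7) 16-bit PNG: the file-side part of the
    CVE-2026-22695 trigger described in the advisory text above."""
    return hdr["bit_depth"] == 16 and hdr["interlace"] == 1


def make_png_header(width, height, depth, color, interlace) -> bytes:
    """Constructed sample: signature plus IHDR only, enough for header triage."""
    body = struct.pack(">IIBBBBB", width, height, depth, color, 0, 0, interlace)
    crc = zlib.crc32(b"IHDR" + body)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


if __name__ == "__main__":
    for sample in (make_png_header(4, 4, 16, 2, 1), make_png_header(4, 4, 8, 6, 0)):
        hdr = parse_ihdr(sample)
        print(hdr, "-> matches profile" if matches_trigger_profile(hdr) else "-> no match")
```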
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.54-1
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 16 Jan 2026 08:49:40 +0100
Source: libpng1.6
Built-For-Profiles: noudeb
Architecture: source
Version: 1.6.54-1
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1125443 1125444
Changes:
libpng1.6 (1.6.54-1) unstable; urgency=medium
.
* New upstream version 1.6.54.
- CVE-2026-22695 - Heap buffer overread. Closes: #1125443
- CVE-2026-22801 - Heap buffer overread. Closes: #1125444
* Bump d/copyright years.
--- End Message ---