Your message dated Sat, 21 Feb 2026 19:47:55 +0000
with message-id <[email protected]>
and subject line Bug#1127566: fixed in libpng1.6 1.6.48-1+deb13u3
has caused the Debian Bug report #1127566,
regarding libpng16-16t64: CVE-2026-25646 (with alleged code exection)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127566
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpng16-16t64
Version: 1.6.54-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Hey.
As per oss-security, a fix for CVE-2026-25646 is out:
https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
or.
https://github.com/pnggroup/libpng/releases/tag/v1.6.55
Cheers
Chris.
-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.18.9+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpng16-16t64 depends on:
ii libc6 2.42-12
ii zlib1g 1:1.3.dfsg+really1.3.1-2
libpng16-16t64 recommends no packages.
libpng16-16t64 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.48-1+deb13u3
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Feb 2026 18:43:52 +0100
Source: libpng1.6
Architecture: source
Version: 1.6.48-1+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1127566
Changes:
libpng1.6 (1.6.48-1+deb13u3) trixie-security; urgency=high
.
* Security upload targeting trixie.
- CVE-2026-25646 - Heap buffer overflow (Closes: #1127566)
Checksums-Sha1:
aa85a149708e8d8a650b31d973bff2d4284000e0 2305 libpng1.6_1.6.48-1+deb13u3.dsc
4a0d9412d92e7052f187ba3287875b0220466306 1572923 libpng1.6_1.6.48.orig.tar.gz
f3603771d5ad68beb6d271bb05c1e25585724702 41976
libpng1.6_1.6.48-1+deb13u3.debian.tar.xz
21bcd326cd6c8323a630775e53f6d598a112b8b2 7448
libpng1.6_1.6.48-1+deb13u3_source.buildinfo
Checksums-Sha256:
a65071c790b9c8e5bb5eea8ad9fa93c844045c85cec86ac73f6cc34a57c1b9e5 2305
libpng1.6_1.6.48-1+deb13u3.dsc
b17e99026055727e8cba99160c3a9a7f9af788e9f786daeadded5a42243f1dd0 1572923
libpng1.6_1.6.48.orig.tar.gz
44669e466062d3ed1bc4a2b52b6e45899945d9327e380cdfc38d888d5aa8caca 41976
libpng1.6_1.6.48-1+deb13u3.debian.tar.xz
598d160df9e30797768caaeab1eef7a634bf8109b5e1b9dc61ded1136e6fc9bf 7448
libpng1.6_1.6.48-1+deb13u3_source.buildinfo
Files:
056fcd170af595d20599454fe2867cbb 2305 libs optional
libpng1.6_1.6.48-1+deb13u3.dsc
be6cc9e411c26115db3b9eab1159a1d9 1572923 libs optional
libpng1.6_1.6.48.orig.tar.gz
93542c72961067354785bdde1a5c1625 41976 libs optional
libpng1.6_1.6.48-1+deb13u3.debian.tar.xz
f11866c0cf46d6f8d7066f8d2e0ec46e 7448 libs optional
libpng1.6_1.6.48-1+deb13u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmmULiQACgkQkWT6HRe9
XTZLehAAuLKSSkX5hM9RaFlXbVRUzIJAiXkzO1OoyVTkq6tHsgXf5KiZnmGkDx2E
6bHF6TLDMFbC+IuNW6djPHYJ4RXTwWgYsv1GBOhLldM9Xo0HBLCAiEHnXtPxULCB
ukHUdmuCg1tUKK7y9m04zZpdqIzgc3jk6oGXfZT6MpYkM/Sv6CMqoujiD689Iv8k
lyBbc0ii4B2nV3u3/dHljZ7t47sZ3FBHuG/Z9YToIr4iy3jJDva9PFWwWi4hKLXM
I96mK9n6NilyEEdywlrmz+HSwsbSZ3iTdFuxQkustJ8FFj7TIdbMao4+MuwM7jN7
ljED3KognfQ2nCtFPevQdb/CQbMjuQ+0rTIbyqAwIpoMI5LO7b3OEs5dHNRdVGA/
HXOCHBZPCAGBFQSuTf5tLlP0GhOXNgBIAcNAtVvrb63IqIbX+Qh3/k0d3wMu53KS
tYSnj8yw5QuI3fXm0HxmY63lU83Aq6dKO9hlZJGQd1nvoxnREgmQFUdma4PKyKwU
agujGsGHifkfowBoVYme8L1BpeVFZ42MKaiB8Vxwe+1XpyR+1bE0qJgUFc9g+swK
9uN5Fr6XL4VHian+aRBGbFtyJrgU5gHmx1dmAejJs/3MySebcKVEMEalExQ5aOOv
iVtSJ0KQRWXQgi3BRJAJWCkzy3F76bRTMN8b/c9dnn9I/sbyzfI=
=/lCV
-----END PGP SIGNATURE-----
pgpHVwMzr0Qet.pgp
Description: PGP signature
--- End Message ---
