Your message dated Sat, 21 Feb 2026 20:07:34 +0000
with message-id <[email protected]>
and subject line Bug#1127566: fixed in libpng1.6 1.6.39-2+deb12u3
has caused the Debian Bug report #1127566,
regarding libpng16-16t64: CVE-2026-25646 (with alleged code exection)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127566
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpng16-16t64
Version: 1.6.54-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Hey.
As per oss-security, a fix for CVE-2026-25646 is out:
https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
or.
https://github.com/pnggroup/libpng/releases/tag/v1.6.55
Cheers
Chris.
-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.18.9+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpng16-16t64 depends on:
ii libc6 2.42-12
ii zlib1g 1:1.3.dfsg+really1.3.1-2
libpng16-16t64 recommends no packages.
libpng16-16t64 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.39-2+deb12u3
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Feb 2026 18:58:09 +0100
Source: libpng1.6
Architecture: source
Version: 1.6.39-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1127566
Changes:
libpng1.6 (1.6.39-2+deb12u3) bookworm-security; urgency=medium
.
* Security upload targeting boowkorm.
* Backport fix for CVE-2026-25646 - Heap buffer overflow (Closes: #1127566)
Checksums-Sha1:
95c063c85033f19f7d4fec2a29cfd193440bc9c1 2292 libpng1.6_1.6.39-2+deb12u3.dsc
d384c4526a84d213f697108258c490adc99b4cdb 1519415 libpng1.6_1.6.39.orig.tar.gz
57eed0c32157bac02fdbe483a9fc7b772f7ec6b3 39752
libpng1.6_1.6.39-2+deb12u3.debian.tar.xz
118ac57c3b0ab25f40e1af4628c2bfb8be0377b6 6387
libpng1.6_1.6.39-2+deb12u3_source.buildinfo
Checksums-Sha256:
4f5e97c47006358f1d749164d899eba56680956ad98ffa21795772612506e70d 2292
libpng1.6_1.6.39-2+deb12u3.dsc
a00e9d2f2f664186e4202db9299397f851aea71b36a35e74910b8820e380d441 1519415
libpng1.6_1.6.39.orig.tar.gz
92e2c156f9be57eab8bc6cbe8c07ad1fc8323e1945bfa284da8592d749faa962 39752
libpng1.6_1.6.39-2+deb12u3.debian.tar.xz
cf5110cee1b3cf1b07184a0bda68667a60312dd743eb97d637e6d4e34f4ae508 6387
libpng1.6_1.6.39-2+deb12u3_source.buildinfo
Files:
e0cb52bf59f71afcb87c0a87a58fd726 2292 libs optional
libpng1.6_1.6.39-2+deb12u3.dsc
a704977d681a40d8223d8b957fd41b29 1519415 libs optional
libpng1.6_1.6.39.orig.tar.gz
9225c851c9fd8c55c649ff9e8581f10b 39752 libs optional
libpng1.6_1.6.39-2+deb12u3.debian.tar.xz
9ff3470b5f408222dca4179bacb413d5 6387 libs optional
libpng1.6_1.6.39-2+deb12u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmmULn0ACgkQkWT6HRe9
XTZicQ//YREIutF/EBw1uBprkGykQFnqg3iz0yX1PIotJdnUwdB2PDA81IT1oPNG
iR08BUo1zKewqng96sPaQ7xJX+JVmPnEXklggTmkRztyC3ZaIvDQP0pmyJMFxXSq
1kRQsGv2YcUTK7l3E+mpHMvyaOieLSMeHe+Y+cR+B0IACGSTlwZbw/lBz+tVnL8c
jcdTwV2zpi8ABCH8nJjPBuMn9x8c73xGL7i+3Wi6DtCWSlYHiTtqC21vZM89jbpC
o43TraCeB9rvpgVLRnlc9EbxxO8+YpF484ddK01Z+6kEh/XuLvfdBHnACUCdcIcB
n1da08iKe9UfKiAuyp+HmTdEwoV/2QLgxt8aLmgWe9uuDjtOYg5dZ+IYzV+HKPtl
cZtmUolTx1Io+chQCL/w01EWlnKhXRgezv19iWBO/W7DOTWuZRfgo2BUsvqomVQv
6P9NN/g4TRpi9tDP4Xxg6HAD1bgVpxgQRgBbnIaViswJ86v0wZEgMQYVD5nsjI/D
smg6qRMs8lBLowXowu5iQvumOKZBCME4IhhU7twVLwzd6Ete2BNCihxdiFMbtf0M
gBN4ej6rxEuFs0zmjCRr72t6r6WFqkTL6IXY9tYAFOwzXoTQXXHN7O2hFLP2ujOB
Tvt9JEvS0dPazdV6pPRgHVwhRBod8rb9jZ9Yx4D9BTTFllGV8kA=
=AjgC
-----END PGP SIGNATURE-----
pgpVetfWLfi3n.pgp
Description: PGP signature
--- End Message ---
