Your message dated Sun, 29 Mar 2026 07:04:37 +0000
with message-id <[email protected]>
and subject line Bug#1132012: fixed in libpng1.6 1.6.56-1
has caused the Debian Bug report #1132012,
regarding libpng1.6: CVE-2026-33416
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132012
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.55-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/pnggroup/libpng/pull/824
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libpng1.6.
CVE-2026-33416[0]:
| LIBPNG is a reference library for use in applications that read,
| create, and manipulate PNG (Portable Network Graphics) raster image
| files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and
| `png_set_PLTE` each alias a heap-allocated buffer between
| `png_struct` and `png_info`, sharing a single allocation across two
| structs with independent lifetimes. The `trans_alpha` aliasing has
| been present since at least libpng 1.0, and the `palette` aliasing
| since at least 1.2.1. Both affect all prior release lines.
| `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha`
| (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette =
| png_ptr->palette` (768-byte buffer). In both cases, calling
| `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the
| buffer through `info_ptr` while the corresponding `png_ptr` pointer
| remains dangling. Subsequent row-transform functions dereference
| and, in some code paths, write to the freed memory. A second call to
| `png_set_tRNS` or `png_set_PLTE` has the same effect, because both
| functions call `png_free_data` internally before reallocating the
| `info_ptr` buffer. Version 1.6.56 fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33416
https://www.cve.org/CVERecord?id=CVE-2026-33416
[1] https://github.com/pnggroup/libpng/pull/824
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
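The aliasing that the quoted advisory describes, reduced to a constructed toy model. This is an added example, not libpng code: the `toy_*` names are hypothetical, the structs only keep the `trans_alpha` field the advisory names, and the "owned" variant is one illustrative way to break the alias, not a claim about what upstream's 1.6.56 patch does. The vulnerable function mirrors the shape given in the CVE text: the free path runs through the info struct only, so the pointer copied into the png struct is left dangling after `png_free_data`, and the same free-then-reallocate sequence runs on a second set call.

```c
/* Constructed toy model of the aliasing pattern behind CVE-2026-33416.
 * Not libpng code: toy_* names are hypothetical, and the "owned" variant is
 * one illustrative way to break the alias, not upstream's 1.6.56 patch. */
#include <stdlib.h>
#include <string.h>

#define TRNS_MAX 256 /* size of the tRNS buffer named in the advisory */

typedef struct { unsigned char *trans_alpha; size_t num_trans; } toy_png_struct;
typedef struct { unsigned char *trans_alpha; size_t num_trans; } toy_png_info;

static void toy_release(unsigned char **buf, size_t *n) { free(*buf); *buf = NULL; *n = 0; }

/* Models png_free_data(info_ptr, PNG_FREE_TRNS): frees through info only and
 * knows nothing about any alias held in the png struct. */
static void toy_free_trns(toy_png_info *info) { toy_release(&info->trans_alpha, &info->num_trans); }

/* Zeroed TRNS_MAX buffer holding the first n bytes of src (NULL on OOM). */
static unsigned char *toy_dup_trns(const unsigned char *src, size_t n)
{
    unsigned char *buf = calloc(TRNS_MAX, 1);
    if (buf != NULL) memcpy(buf, src, n);
    return buf;
}

/* Vulnerable shape: the png struct aliases info's allocation. */
static int toy_set_trns_aliased(toy_png_struct *png, toy_png_info *info,
                                const unsigned char *trans, size_t n)
{
    if (n > TRNS_MAX) return -1;
    toy_free_trns(info); /* on a second call this frees what png still points to */
    info->trans_alpha = toy_dup_trns(trans, n);
    if (info->trans_alpha == NULL) return -1;
    info->num_trans = n;
    png->trans_alpha = info->trans_alpha; /* one allocation, two owners */
    png->num_trans = n;
    return 0;
}

/* Hardened shape: each struct owns a separate copy, so lifetimes are independent. */
static int toy_set_trns_owned(toy_png_struct *png, toy_png_info *info,
                              const unsigned char *trans, size_t n)
{
    if (n > TRNS_MAX) return -1;
    unsigned char *for_info = toy_dup_trns(trans, n);
    unsigned char *for_png = toy_dup_trns(trans, n);
    if (for_info == NULL || for_png == NULL) { free(for_info); free(for_png); return -1; }
    toy_free_trns(info);
    toy_release(&png->trans_alpha, &png->num_trans);
    info->trans_alpha = for_info;
    info->num_trans = n;
    png->trans_alpha = for_png;
    png->num_trans = n;
    return 0;
}

/* Reviewer check for the defect: do both structs point at one allocation? */
static int toy_shares_allocation(const toy_png_struct *png, const toy_png_info *info)
{
    return png->trans_alpha != NULL && png->trans_alpha == info->trans_alpha;
}

/* Vulnerable path: returns 1 if the alias existed and freeing through info
 * left png holding a non-NULL, now dangling, pointer. The stale pointer is
 * never dereferenced here; under ASan such a read reports heap-use-after-free. */
static int toy_demo_aliased(void)
{
    static const unsigned char trans[3] = { 0x00, 0x7f, 0xff }; /* constructed sample */
    toy_png_struct png = { NULL, 0 };
    toy_png_info info = { NULL, 0 };
    if (toy_set_trns_aliased(&png, &info, trans, sizeof trans) != 0) return 0;
    int shared = toy_shares_allocation(&png, &info);
    toy_free_trns(&info);
    int dangling = (png.trans_alpha != NULL);
    png.trans_alpha = NULL; /* drop the stale alias rather than use it */
    return shared && dangling;
}

/* Hardened path called twice (the "second call" case in the advisory), then
 * freed through info. Returns 1 if png's own copy is still intact afterwards. */
static int toy_demo_owned(void)
{
    static const unsigned char first[2] = { 0x10, 0x20 };
    static const unsigned char second[3] = { 0x00, 0x7f, 0xff };
    toy_png_struct png = { NULL, 0 };
    toy_png_info info = { NULL, 0 };
    if (toy_set_trns_owned(&png, &info, first, sizeof first) != 0 ||
        toy_set_trns_owned(&png, &info, second, sizeof second) != 0) return 0;
    int shared = toy_shares_allocation(&png, &info);
    toy_free_trns(&info);
    int intact = png.num_trans == sizeof second &&
                 memcmp(png.trans_alpha, second, sizeof second) == 0;
    toy_release(&png.trans_alpha, &png.num_trans);
    return !shared && intact;
}

int main(void) { return (toy_demo_aliased() && toy_demo_owned()) ? 0 : 1; }
```

The `toy_shares_allocation` check is the invariant a reviewer would want asserted before any free path in code that hands the same buffer to two structs; the demo deliberately never reads through the stale pointer, so to observe the actual use-after-free in unfixed code you would run its row-transform path under AddressSanitizer rather than extend this model.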
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.56-1
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 29 Mar 2026 08:36:13 +0200
Source: libpng1.6
Architecture: source
Version: 1.6.56-1
Distribution: unstable
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1132012 1132013
Changes:
libpng1.6 (1.6.56-1) unstable; urgency=high
.
* New upstream release 1.6.56
- CVE-2026-33416 - Use after free (Closes: #1132012)
- CVE-2026-33636 - OOB read/write (Closes: #1132013)
Checksums-Sha1:
c9d10553502681786009e14548a4974cfecf1607 2273 libpng1.6_1.6.56-1.dsc
dee52516426834e512a11aa094bf64491fd21f9d 1590073 libpng1.6_1.6.56.orig.tar.gz
cc1dbcc86ecb16e7512c4988edf3377986ee1213 33696 libpng1.6_1.6.56-1.debian.tar.xz
b4ae5d401d9dfb5792a4872b82f287557dbe5356 8337 libpng1.6_1.6.56-1_amd64.buildinfo
Checksums-Sha256:
e5edd482d1dfd2a9fee1c744807f29ae80cab2f18ffeac16f913b0902dfb71cd 2273 libpng1.6_1.6.56-1.dsc
41d74ffe235cb7e8bab40bcad2167f7bb25edbf2231dcfff57ccf4305dc0bfae 1590073 libpng1.6_1.6.56.orig.tar.gz
58ae26e6422cc2f0934b1b6cbacdd8744a2e8a52f9042a91b66ba5ee503e5cdc 33696 libpng1.6_1.6.56-1.debian.tar.xz
128aff5b9186ed1df6cb4880d82ed92bd0e776334807eb6761909ac84841ac36 8337 libpng1.6_1.6.56-1_amd64.buildinfo
Files:
42410c93af6e30f3700db039eaa660db 2273 libs optional libpng1.6_1.6.56-1.dsc
b4293a47e5a59fffc1c0ad196bb78ea2 1590073 libs optional libpng1.6_1.6.56.orig.tar.gz
ccc263b2ff2039690a6fac1d9aaaac0e 33696 libs optional libpng1.6_1.6.56-1.debian.tar.xz
41d50b09e58128f57630767319f4d9f0 8337 libs optional libpng1.6_1.6.56-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---