Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libpng1.6
User: [email protected]
Usertags: pu
Upstream has released a new upstream version fixing two CVEs:
- CVE-2026-22801 - Heap buffer over-read (Closes: #1125444)
- CVE-2026-22695 - Heap buffer over-read (Closes: #1125443)
CVE-2026-22695 has been introduced by CVE-2025-65018, fixed in trixie
via 1.6.48-1+deb13u1.
I've coordinated with the security team and we've settled on updating
the issues via s-p-u.
[ Tests ]
CVE-2026-22801 is covered by the upstream test-suite.
CVE-2026-22695's fix is quite small, and upstream thoroughly analysed
the change, see https://github.com/pnggroup/libpng/issues/778.
(We're cherry-picking e4f7ad4, as suggested by upstream):
"Fixed in commit e4f7ad4, to be cherry-picked by downstream libpng
package maintainers.")
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
I'll upload the package after sending this bug.
--
tobi