Your message dated Mon, 24 Nov 2025 20:35:42 +0000
with message-id <[email protected]>
and subject line Bug#1121216: fixed in libpng1.6 1.6.51-1
has caused the Debian Bug report #1121216,
regarding libpng1.6: CVE-2025-65018
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121216: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121216
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.50-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/pnggroup/libpng/issues/755
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libpng1.6.

CVE-2025-65018[0]:
| Heap buffer overflow in `png_combine_row` triggered via
| `png_image_finish_read` 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65018
    https://www.cve.org/CVERecord?id=CVE-2025-65018
[1] https://github.com/pnggroup/libpng/issues/755
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g
[3] https://www.openwall.com/lists/oss-security/2025/11/22/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.51-1
Done: Tobias Frost <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Nov 2025 21:06:25 +0100
Source: libpng1.6
Architecture: source
Version: 1.6.51-1
Distribution: unstable
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1121216 1121217 1121218 1121219
Changes:
 libpng1.6 (1.6.51-1) unstable; urgency=high
 .
   * New upstream version 1.6.51.
     - CVE-2025-64505 - Heap buffer overflow. Closes: #1121219
     - CVE-2025-64506 - Heap buffer overread. Closes: #1121218
     - CVE-2025-64720 - Buffer overflow. Closes: #1121217
     - CVE-2025-65018 - Heap buffer. Closes: #1121216
   * Enable salsa-ci.
   * Update d/copyright years, remove unused section.
   * udeb: install library into usr/lib

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
