Source: libpng1.6
Version: 1.6.55-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/pnggroup/libpng/pull/824
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libpng1.6.

CVE-2026-33416[0]:
| LIBPNG is a reference library for use in applications that read,
| create, and manipulate PNG (Portable Network Graphics) raster image
| files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and
| `png_set_PLTE` each alias a heap-allocated buffer between
| `png_struct` and `png_info`, sharing a single allocation across two
| structs with independent lifetimes. The `trans_alpha` aliasing has
| been present since at least libpng 1.0, and the `palette` aliasing
| since at least 1.2.1. Both affect all prior release lines.
| `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha`
| (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette =
| png_ptr->palette` (768-byte buffer). In both cases, calling
| `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the
| buffer through `info_ptr` while the corresponding `png_ptr` pointer
| remains dangling. Subsequent row-transform functions dereference
| and, in some code paths, write to the freed memory. A second call to
| `png_set_tRNS` or `png_set_PLTE` has the same effect, because both
| functions call `png_free_data` internally before reallocating the
| `info_ptr` buffer. Version 1.6.56 fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33416
    https://www.cve.org/CVERecord?id=CVE-2026-33416
[1] https://github.com/pnggroup/libpng/pull/824
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
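The ownership problem described in the CVE text, as an added example that is not part of the original report and is not libpng code: a toy model of one buffer shared by two structs with independent lifetimes, next to a variant where each struct owns a private copy. All `toy_*` names are hypothetical, and the private-copy variant is an assumed remedy, not necessarily how 1.6.56 fixes the issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for png_struct and png_info (hypothetical, not libpng types). */
struct toy_reader { unsigned char *trans_alpha; };
struct toy_info   { unsigned char *trans_alpha; };
enum { TRNS_SIZE = 256 };               /* buffer size quoted in the CVE text */

/* Models png_free_data(PNG_FREE_TRNS): releases only what info holds. */
static void toy_free_trns(struct toy_info *info) {
    free(info->trans_alpha);
    info->trans_alpha = NULL;
}

/* alias != 0: pattern from the CVE text, one allocation reachable from both
   structs. alias == 0: assumed remedy, each struct owns a private copy. */
static int toy_set_trns(struct toy_reader *r, struct toy_info *info,
                        const unsigned char *src, size_t n, int alias) {
    if (n > TRNS_SIZE) return -1;
    unsigned char *a = calloc(1, TRNS_SIZE);
    unsigned char *b = alias ? a : calloc(1, TRNS_SIZE);
    if (!a || !b) { free(a); if (!alias) free(b); return -1; }
    memcpy(a, src, n);
    if (!alias) memcpy(b, src, n);
    info->trans_alpha = a;
    r->trans_alpha = b;
    return 0;
}

/* 1: freeing info's buffer leaves the reader dangling; 0: reader copy intact. */
static int toy_reader_dangles(int alias) {
    struct toy_reader r = {0}; struct toy_info info = {0};
    const unsigned char alpha[3] = {0x10, 0x80, 0xff};   /* constructed sample */
    if (toy_set_trns(&r, &info, alpha, sizeof alpha, alias) != 0) return -1;
    int shared = (r.trans_alpha == info.trans_alpha);    /* check before free */
    toy_free_trns(&info);
    if (shared) return 1;               /* r.trans_alpha must not be used now */
    int intact = memcmp(r.trans_alpha, alpha, sizeof alpha) == 0;
    free(r.trans_alpha);
    return intact ? 0 : -1;
}

int main(void) {
    printf("aliased: %d, owned: %d\n", toy_reader_dangles(1), toy_reader_dangles(0));
    return 0;
}
```

The aliased case is detected by comparing the two pointers before the free, so the model never touches freed memory.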

