From: Peter Marko <[email protected]>
Handles CVE-2025-64505, CVE-2025-64506, CVE-2025-64720 and CVE-2025-65018
Release notes [1]:
Version 1.6.51 [November 21, 2025]
Fixed CVE-2025-64505 (moderate severity):
Heap buffer overflow in `png_do_quantize` via malformed palette index.
(Reported by Samsung; analyzed by Fabio Gritti.)
Fixed CVE-2025-64506 (moderate severity):
Heap buffer over-read in `png_write_image_8bit` with 8-bit input and
`convert_to_8bit` enabled.
(Reported by Samsung and <[email protected]>;
analyzed by Fabio Gritti.)
Fixed CVE-2025-64720 (high severity):
Buffer overflow in `png_image_read_composite` via incorrect palette
premultiplication.
(Reported by Samsung; analyzed by John Bowler.)
Fixed CVE-2025-65018 (high severity):
Heap buffer overflow in `png_combine_row` triggered via
`png_image_finish_read`.
(Reported by <[email protected]>.)
Fixed a memory leak in `png_set_quantize`.
(Reported by Samsung; analyzed by Fabio Gritti.)
Removed the experimental and incomplete ERROR_NUMBERS code.
(Contributed by Tobias Stoeckmann.)
Improved the RISC-V vector extension support; required RVV 1.0 or newer.
(Contributed by Filip Wasil.)
Added GitHub Actions workflows for automated testing.
Performed various refactorings and cleanups.
[1] https://github.com/pnggroup/libpng/blob/v1.6.51/CHANGES#L6281C1-L6305C47
Signed-off-by: Peter Marko <[email protected]>
---
v2: reverted SRC_URI/MIRRORS update which was caused by some
temporary or local network issue.
.../libpng/{libpng_1.6.50.bb => libpng_1.6.51.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-multimedia/libpng/{libpng_1.6.50.bb => libpng_1.6.51.bb}
(97%)
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.50.bb
b/meta/recipes-multimedia/libpng/libpng_1.6.51.bb
similarity index 97%
rename from meta/recipes-multimedia/libpng/libpng_1.6.50.bb
rename to meta/recipes-multimedia/libpng/libpng_1.6.51.bb
index aa2dc99f10..e499f61ff4 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.50.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.51.bb
@@ -14,7 +14,7 @@ SRC_URI =
"${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
file://run-ptest \
"
-SRC_URI[sha256sum] =
"4df396518620a7aa3651443e87d1b2862e4e88cad135a8b93423e01706232307"
+SRC_URI[sha256sum] =
"a050a892d3b4a7bb010c3a95c7301e49656d72a64f1fc709a90b8aded192bed2"
MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/
${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
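Review bot: the new `SRC_URI[sha256sum]` value is the only integrity pin for the 1.6.51 tarball in this hunk, and the v2 note says the earlier revision picked up SRC_URI/MIRRORS changes because of a temporary or local network issue. Please confirm that the hash was computed from a tarball fetched through the unchanged `${SOURCEFORGE_MIRROR}` URL after that issue cleared, and that it was compared against an independently obtained copy of the release. A line in the commit message stating how the checksum was verified would help, since this upgrade is the carrier for the four CVE fixes.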