CVE-2026-22695 (medium severity): Heap buffer over-read in
png_image_read_direct_scaled
CVE-2026-22801 (medium severity): Integer truncation causing heap
buffer over-read in png_image_write_*.

ok ?

I'll take care of the embedded copy in xenocara.

Index: Makefile
===================================================================
RCS file: /local/cvs/ports/graphics/png/Makefile,v
diff -u -p -u -r1.145 Makefile
--- Makefile    4 Dec 2025 15:34:39 -0000       1.145
+++ Makefile    13 Jan 2026 21:05:34 -0000
@@ -4,7 +4,7 @@
 
 COMMENT=       library for manipulating PNG images
 
-VERSION=       1.6.52
+VERSION=       1.6.54
 DISTNAME=      libpng-${VERSION}
 PKGNAME=       png-${VERSION}
 CATEGORIES=    graphics
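
Review bot: The VERSION line moves from 1.6.52 straight to 1.6.54, and nothing else in the Makefile changes. Since this crosses two upstream releases, please confirm that the exported symbols are unchanged so that no shared library version bump is needed, and say so in the commit message alongside the two CVE ids.
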
Index: distinfo
===================================================================
RCS file: /local/cvs/ports/graphics/png/distinfo,v
diff -u -p -u -r1.74 distinfo
--- distinfo    4 Dec 2025 15:34:39 -0000       1.74
+++ distinfo    13 Jan 2026 21:05:34 -0000
@@ -1,2 +1,2 @@
-SHA256 (libpng-1.6.52.tar.xz) = Nr1yYijsk6O2wi/bSelKZ7FvL+mzm3i3y2V3KWZmHMw=
-SIZE (libpng-1.6.52.tar.xz) = 1063580
+SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU=
+SIZE (libpng-1.6.54.tar.xz) = 1064472
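
Review bot: The new SHA256 and SIZE values for libpng-1.6.54.tar.xz cannot be checked from the diff itself. Please compare the fetched tarball against upstream's published checksum or signature before committing, rather than relying only on the regenerated distinfo, since this file is the only integrity pin for the distfile.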

-- 
Matthieu Herrb
