Trivial update to png 1.6.55
No API/ABI changes.
libpng 1.6.55 has been released to address a heap buffer overflow
vulnerability in the low-level API. This release fixes one
high-severity CVE affecting all versions of libpng.
CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize
when called with no histogram and a palette larger than twice the
requested maximum number of colors.
ok (also for -stable)?
PS : the embedded copy in xenocara will be updated too, altough
freetype does not use the png_set_quantize() function that is affected
by the CVE.
Index: Makefile
===================================================================
RCS file: /local/cvs/ports/graphics/png/Makefile,v
diff -u -p -u -r1.146 Makefile
--- Makefile 14 Jan 2026 06:23:48 -0000 1.146
+++ Makefile 10 Feb 2026 06:13:53 -0000
@@ -4,7 +4,7 @@
COMMENT= library for manipulating PNG images
-VERSION= 1.6.54
+VERSION= 1.6.55
DISTNAME= libpng-${VERSION}
PKGNAME= png-${VERSION}
CATEGORIES= graphics
Index: distinfo
===================================================================
RCS file: /local/cvs/ports/graphics/png/distinfo,v
diff -u -p -u -r1.75 distinfo
--- distinfo 14 Jan 2026 06:23:48 -0000 1.75
+++ distinfo 10 Feb 2026 06:13:53 -0000
@@ -1,2 +1,2 @@
-SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU=
-SIZE (libpng-1.6.54.tar.xz) = 1064472
+SHA256 (libpng-1.6.55.tar.xz) = 2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0=
+SIZE (libpng-1.6.55.tar.xz) = 1064676
--
Matthieu Herrb
