On Tue, Feb 10, 2026 at 07:17:29AM +0100, Matthieu Herrb wrote:
> Trivial update to png 1.6.55
>
> No API/ABI changes.
>
> libpng 1.6.55 has been released to address a heap buffer overflow
> vulnerability in the low-level API. This release fixes one
> high-severity CVE affecting all versions of libpng.
>
> CVE-2026-25646 (High): Heap buffer overflow in png_set_quantize
> when called with no histogram and a palette larger than twice the
> requested maximum number of colors.
>
> ok (also for -stable)?
>
> PS: the embedded copy in xenocara will be updated too, although
> freetype does not use the png_set_quantize() function that is affected
> by the CVE.
ok for all of this.
>
> Index: Makefile
> ===================================================================
> RCS file: /local/cvs/ports/graphics/png/Makefile,v
> diff -u -p -u -r1.146 Makefile
> --- Makefile 14 Jan 2026 06:23:48 -0000 1.146
> +++ Makefile 10 Feb 2026 06:13:53 -0000
> @@ -4,7 +4,7 @@
>
> COMMENT= library for manipulating PNG images
>
> -VERSION= 1.6.54
> +VERSION= 1.6.55
> DISTNAME= libpng-${VERSION}
> PKGNAME= png-${VERSION}
> CATEGORIES= graphics
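Review bot: the version bump in this hunk is self-contained because both DISTNAME= libpng-${VERSION} and PKGNAME= png-${VERSION} derive from VERSION, so no separate PKGNAME change is needed; given the cover note's "No API/ABI changes", leaving SHARED_LIBS out of the diff is the expected behaviour for this update, and the only thing worth a second look is that no stale REVISION line survives the bump.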
> Index: distinfo
> ===================================================================
> RCS file: /local/cvs/ports/graphics/png/distinfo,v
> diff -u -p -u -r1.75 distinfo
> --- distinfo 14 Jan 2026 06:23:48 -0000 1.75
> +++ distinfo 10 Feb 2026 06:13:53 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (libpng-1.6.54.tar.xz) = AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU=
> -SIZE (libpng-1.6.54.tar.xz) = 1064472
> +SHA256 (libpng-1.6.55.tar.xz) = 2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0=
> +SIZE (libpng-1.6.55.tar.xz) = 1064676
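Review bot: for a security-driven update the new SHA256 and SIZE lines for libpng-1.6.55.tar.xz are the port's only integrity anchor, so they should be regenerated from an independently fetched tarball (make checksum after a fresh fetch) and compared against the upstream release announcement rather than taken from the diff; the 204-byte growth from 1064472 to 1064676 is in line with a small point release, which is a useful sanity check but not a substitute for the checksum verification.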
>
> --
> Matthieu Herrb
>