Thanks, applied as 608d2eff648dc176ef9166d7b6426ea32d0c5f74. Michael
[sent from post-receive hook] On Thu, 04 Dec 2025 14:14:56 +0100, Christian Melki <[email protected]> wrote: > Security fixes. > https://sourceforge.net/p/libpng/code/ci/libpng16/tree/CHANGES > > Plugs CVEs: > CVE-2025-64505: Heap buffer overflow in `png_do_quantize` via malformed > palette index. > CVE-2025-64506: Heap buffer over-read in `png_write_image_8bit` with 8-bit > input and `convert_to_8bit` enabled. > CVE-2025-64720: Buffer overflow in `png_image_read_composite` via incorrect > palette premultiplication. > CVE-2025-65018: Heap buffer overflow in `png_combine_row` triggered via > `png_image_finish_read`. > > Pretty bad, suggest update. > > Signed-off-by: Christian Melki <[email protected]> > Message-Id: <[email protected]> > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git a/rules/libpng.make b/rules/libpng.make > index a842038a41d7..86eed1ae5891 100644 > --- a/rules/libpng.make > +++ b/rules/libpng.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBPNG) += libpng > # > # Paths and names > # > -LIBPNG_VERSION := 1.6.50 > -LIBPNG_MD5 := e583e61455c4f40d565d85c0e9a2fbf9 > +LIBPNG_VERSION := 1.6.51 > +LIBPNG_MD5 := 8781d5eb8285ac70100b75a1d2a5fc5e > LIBPNG := libpng-$(LIBPNG_VERSION) > LIBPNG_SUFFIX := tar.xz > LIBPNG_URL := $(call ptx/mirror, SF, libpng/$(LIBPNG).$(LIBPNG_SUFFIX))
