From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Bernd Kuhls <bernd@kuhls.net>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56
Date: Fri, 3 Apr 2026 12:28:13 +0200 [thread overview]
Message-ID: <20260403102813.210570-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260327175743.1982788-1-bernd@kuhls.net>
In reply of:
> Fixes the following security vulnerabilities:
>
> CVE-2026-33416 (high):
> Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
>
> CVE-2026-33636 (high):
> Out-of-bounds read/write in the palette expansion on ARM Neon.
>
> For more details, see the advisories:
> https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
> https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
>
> Release notes:
> https://github.com/pnggroup/libpng/blob/v1.6.56/ANNOUNCE
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/libpng/libpng.hash | 6 +++---
> package/libpng/libpng.mk | 2 +-
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/package/libpng/libpng.hash b/package/libpng/libpng.hash
> index 7901f82c3a..ae28eee087 100644
> --- a/package/libpng/libpng.hash
> +++ b/package/libpng/libpng.hash
> @@ -1,5 +1,5 @@
> -# From https://sourceforge.net/projects/libpng/files/libpng16/1.6.55/
> -sha1 13f7bedf27009e59961f823cc779a5f9f5341a91 libpng-1.6.55.tar.xz
> +# From https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/
> +sha1 71eb3636e60b6ea66f2f670cdf1f7160b7a1fa8b libpng-1.6.56.tar.xz
> # Locally computed:
> -sha256 d925722864837ad5ae2a82070d4b2e0603dc72af44bd457c3962298258b8e82d libpng-1.6.55.tar.xz
> +sha256 f7d8bf1601b7804f583a254ab343a6549ca6cf27d255c302c47af2d9d36a6f18 libpng-1.6.56.tar.xz
> sha256 bdb0a645ea18c60507d0368379b1ac5474b92255fcc2d115e07486a7672ba526 LICENSE
> diff --git a/package/libpng/libpng.mk b/package/libpng/libpng.mk
> index 01c1cbbec7..7c5bc35a77 100644
> --- a/package/libpng/libpng.mk
> +++ b/package/libpng/libpng.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -LIBPNG_VERSION = 1.6.55
> +LIBPNG_VERSION = 1.6.56
> LIBPNG_SERIES = 16
> LIBPNG_SOURCE = libpng-$(LIBPNG_VERSION).tar.xz
> LIBPNG_SITE = https://downloads.sourceforge.net/project/libpng/libpng$(LIBPNG_SERIES)/$(LIBPNG_VERSION)
> --
> 2.47.3
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2026-04-03 10:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 17:57 [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56 Bernd Kuhls
2026-03-27 18:57 ` Julien Olivain via buildroot
2026-04-03 10:28 ` Thomas Perale via buildroot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260403102813.210570-1-thomas.perale@mind.be \
--to=buildroot@buildroot.org \
--cc=bernd@kuhls.net \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox