public inbox for buildroot@busybox.net
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56
@ 2026-03-27 17:57 Bernd Kuhls
  2026-03-27 18:57 ` Julien Olivain via buildroot
  2026-04-03 10:28 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Bernd Kuhls @ 2026-03-27 17:57 UTC (permalink / raw)
  To: buildroot

Fixes the following security vulnerabilities:

CVE-2026-33416 (high):
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.

CVE-2026-33636 (high):
Out-of-bounds read/write in the palette expansion on ARM Neon.

For more details, see the advisories:
https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2

Release notes:
https://github.com/pnggroup/libpng/blob/v1.6.56/ANNOUNCE

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 package/libpng/libpng.hash | 6 +++---
 package/libpng/libpng.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libpng/libpng.hash b/package/libpng/libpng.hash
index 7901f82c3a..ae28eee087 100644
--- a/package/libpng/libpng.hash
+++ b/package/libpng/libpng.hash
@@ -1,5 +1,5 @@
-# From https://sourceforge.net/projects/libpng/files/libpng16/1.6.55/
-sha1  13f7bedf27009e59961f823cc779a5f9f5341a91  libpng-1.6.55.tar.xz
+# From https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/
+sha1  71eb3636e60b6ea66f2f670cdf1f7160b7a1fa8b  libpng-1.6.56.tar.xz
 # Locally computed:
-sha256  d925722864837ad5ae2a82070d4b2e0603dc72af44bd457c3962298258b8e82d  libpng-1.6.55.tar.xz
+sha256  f7d8bf1601b7804f583a254ab343a6549ca6cf27d255c302c47af2d9d36a6f18  libpng-1.6.56.tar.xz
 sha256  bdb0a645ea18c60507d0368379b1ac5474b92255fcc2d115e07486a7672ba526  LICENSE
diff --git a/package/libpng/libpng.mk b/package/libpng/libpng.mk
index 01c1cbbec7..7c5bc35a77 100644
--- a/package/libpng/libpng.mk
+++ b/package/libpng/libpng.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBPNG_VERSION = 1.6.55
+LIBPNG_VERSION = 1.6.56
 LIBPNG_SERIES = 16
 LIBPNG_SOURCE = libpng-$(LIBPNG_VERSION).tar.xz
 LIBPNG_SITE = https://downloads.sourceforge.net/project/libpng/libpng$(LIBPNG_SERIES)/$(LIBPNG_VERSION)
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56
  2026-03-27 17:57 [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56 Bernd Kuhls
@ 2026-03-27 18:57 ` Julien Olivain via buildroot
  2026-04-03 10:28 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Olivain via buildroot @ 2026-03-27 18:57 UTC (permalink / raw)
  To: Bernd Kuhls; +Cc: buildroot

On 27/03/2026 18:57, Bernd Kuhls wrote:
> Fixes the following security vulnerabilities:
> 
> CVE-2026-33416 (high):
> Use-after-free via pointer aliasing in `png_set_tRNS` and 
> `png_set_PLTE`.
> 
> CVE-2026-33636 (high):
> Out-of-bounds read/write in the palette expansion on ARM Neon.
> 
> For more details, see the advisories:
> https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
> https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
> 
> Release notes:
> https://github.com/pnggroup/libpng/blob/v1.6.56/ANNOUNCE
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56
  2026-03-27 17:57 [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56 Bernd Kuhls
  2026-03-27 18:57 ` Julien Olivain via buildroot
@ 2026-04-03 10:28 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-04-03 10:28 UTC (permalink / raw)
  To: Bernd Kuhls; +Cc: Thomas Perale, buildroot

In reply of:
> Fixes the following security vulnerabilities:
> 
> CVE-2026-33416 (high):
> Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
> 
> CVE-2026-33636 (high):
> Out-of-bounds read/write in the palette expansion on ARM Neon.
> 
> For more details, see the advisories:
> https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
> https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2
> 
> Release notes:
> https://github.com/pnggroup/libpng/blob/v1.6.56/ANNOUNCE
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
>  package/libpng/libpng.hash | 6 +++---
>  package/libpng/libpng.mk   | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/libpng/libpng.hash b/package/libpng/libpng.hash
> index 7901f82c3a..ae28eee087 100644
> --- a/package/libpng/libpng.hash
> +++ b/package/libpng/libpng.hash
> @@ -1,5 +1,5 @@
> -# From https://sourceforge.net/projects/libpng/files/libpng16/1.6.55/
> -sha1  13f7bedf27009e59961f823cc779a5f9f5341a91  libpng-1.6.55.tar.xz
> +# From https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/
> +sha1  71eb3636e60b6ea66f2f670cdf1f7160b7a1fa8b  libpng-1.6.56.tar.xz
>  # Locally computed:
> -sha256  d925722864837ad5ae2a82070d4b2e0603dc72af44bd457c3962298258b8e82d  libpng-1.6.55.tar.xz
> +sha256  f7d8bf1601b7804f583a254ab343a6549ca6cf27d255c302c47af2d9d36a6f18  libpng-1.6.56.tar.xz
>  sha256  bdb0a645ea18c60507d0368379b1ac5474b92255fcc2d115e07486a7672ba526  LICENSE
> diff --git a/package/libpng/libpng.mk b/package/libpng/libpng.mk
> index 01c1cbbec7..7c5bc35a77 100644
> --- a/package/libpng/libpng.mk
> +++ b/package/libpng/libpng.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBPNG_VERSION = 1.6.55
> +LIBPNG_VERSION = 1.6.56
>  LIBPNG_SERIES = 16
>  LIBPNG_SOURCE = libpng-$(LIBPNG_VERSION).tar.xz
>  LIBPNG_SITE = https://downloads.sourceforge.net/project/libpng/libpng$(LIBPNG_SERIES)/$(LIBPNG_VERSION)
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-03 10:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-27 17:57 [Buildroot] [PATCH 1/1] package/libpng: security bump to version 1.6.56 Bernd Kuhls
2026-03-27 18:57 ` Julien Olivain via buildroot
2026-04-03 10:28 ` Thomas Perale via buildroot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox