Libpng 1.6.51: Four buffer overflow vulnerabilities fixed

Summary

[<prev] [day] [month] [year] [list] Message-ID: <CAAoVtZw-pkvsSTaXAHjDdUC3NRDwvwVNT8D4BpO5z3d79W-FVg@mail.gmail.com> Date: Sat, 22 Nov 2025 03:27:35 +0200 From: Cosmin Truta <ctruta@...il.com> To: oss-security@...ts.openwall.com Subject: libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018 Hello, everyone, libpng 1.6.51 has been released to address four buffer overflow vulnerabilities discovered through fuzzing and security research. This release fixes two high-severity and two moderate-severity CVEs affecting libpng 1.6.0 through 1.6.50. CVE-2025-64505 (CVSS 6.1, Moderate): Heap buffer over-read in png_do_quantize via malformed palette index. CVE-2025-64506 (CVSS 6.1, Moderate): Heap buffer over-read in png_write_image_8bit with 8-bit input and convert_to_8bit enabled. CVE-2025-64720 (CVSS 7.1, High): Out-of-bounds read in png_image_read_composite via palette premultiplication with PNG_FLAG_OPTIMIZE_ALPHA. CVE-2025-65018 (CVSS 7.1, High): Heap buffer overflow in png_combine_row triggered via png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. All vulnerabilities require user interaction (processing a malicious PNG file) and can result in information disclosure and/or denial of service. CVE-2025-65018 may enable arbitrary code execution via heap corruption in certain heap configurations. GitHub Security Advisories: - CVE-2025-64505: https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42 - CVE-2025-64506: https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6 - CVE-2025-64720: https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww - CVE-2025-65018: https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g Fixes: - CVE-2025-64505: https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 - CVE-2025-64506: https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e81...