Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package libpng12 for openSUSE:Factory checked in at 2025-12-04 11:24:58

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libpng12 (Old)
 and      /work/SRC/openSUSE:Factory/.libpng12.new.1939 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libpng12" Thu Dec 4 11:24:58 2025 rev:42 rq:1320952 version:1.2.59 Changes: -------- --- /work/SRC/openSUSE:Factory/libpng12/libpng12.changes 2024-03-01 23:37:18.421151101 +0100 +++ /work/SRC/openSUSE:Factory/.libpng12.new.1939/libpng12.changes 2025-12-04 11:27:30.000091370 +0100 @@ -1,0 +2,11 @@ +Wed Dec 3 09:31:58 UTC 2025 - Petr Gajdos <[email protected]> + +- security update +- modified patches + * libpng-1.2.51-CVE-2013-7353.patch (-p1) + * libpng-1.2.51-CVE-2013-7354.patch (-p1) +- added patches + CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index + * libpng12-CVE-2025-64505.patch + +------------------------------------------------------------------- New: ---- libpng12-CVE-2025-64505.patch ----------(New B)---------- New: CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index * libpng12-CVE-2025-64505.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libpng12.spec ++++++ --- /var/tmp/diff_new_pack.50DPam/_old 2025-12-04 11:27:30.540114222 +0100 +++ /var/tmp/diff_new_pack.50DPam/_new 2025-12-04 11:27:30.544114391 +0100 @@ -34,6 +34,8 @@ Source2: baselibs.conf Patch0: libpng-1.2.51-CVE-2013-7353.patch Patch1: libpng-1.2.51-CVE-2013-7354.patch +# CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index +Patch2: libpng12-CVE-2025-64505.patch BuildRequires: libtool BuildRequires: pkg-config BuildRequires: zlib-devel 
@@ -97,7 +99,7 @@ about libpng version. %prep -%autosetup -p0 -n libpng-%{version} +%autosetup -p1 -n libpng-%{version} %build # PNG_SAFE_LIMITS_SUPPORTED: http://www.openwall.com/lists/oss-security/2015/01/10/1 ++++++ libpng-1.2.51-CVE-2013-7353.patch ++++++ --- /var/tmp/diff_new_pack.50DPam/_old 2025-12-04 11:27:30.580115915 +0100 +++ /var/tmp/diff_new_pack.50DPam/_new 2025-12-04 11:27:30.588116254 +0100 @@ -3,8 +3,8 @@ http://sourceforge.net/p/libpng/code/ci/bec9ca9b8aa0cf16d2cde1757379afbe9adbe7d9 Index: pngset.c =================================================================== ---- pngset.c.orig 2014-04-22 16:08:23.458978035 +0200 -+++ pngset.c 2014-04-22 16:09:15.921977136 +0200 +--- a/pngset.c 2014-04-22 16:08:23.458978035 +0200 ++++ b/pngset.c 2014-04-22 16:09:15.921977136 +0200 @@ -986,9 +986,17 @@ if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0) return; ++++++ libpng-1.2.51-CVE-2013-7354.patch ++++++ --- /var/tmp/diff_new_pack.50DPam/_old 2025-12-04 11:27:30.604116930 +0100 +++ /var/tmp/diff_new_pack.50DPam/_new 2025-12-04 11:27:30.608117099 +0100 @@ -2,8 +2,8 @@ http://sourceforge.net/p/libpng/code/ci/77a0a2ea113e699c7021caf1a530d2e2dd90b497 Index: pngset.c =================================================================== ---- pngset.c.orig 2014-04-24 14:13:43.144134631 +0200 -+++ pngset.c 2014-04-24 14:23:31.461124549 +0200 +--- a/pngset.c 2014-04-24 14:13:43.144134631 +0200 ++++ b/pngset.c 2014-04-24 14:23:31.461124549 +0200 @@ -19,6 +19,7 @@ #define PNG_INTERNAL #define PNG_NO_PEDANTIC_WARNINGS ++++++ libpng12-CVE-2025-64505.patch ++++++ >From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001 
From: Cosmin Truta <[email protected]> Date: Sat, 8 Nov 2025 23:58:26 +0200 Subject: [PATCH] Fix a buffer overflow in `png_do_quantize` Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes) instead of num_palette bytes. This approach matches the allocation pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which were similarly oversized in libpng 1.2.1 to prevent buffer overflows from malformed PNG files with out-of-range palette indices. Out-of-range palette indices `index >= num_palette` will now read identity-mapped values from the `quantize_index` array (where index N maps to palette entry N). This prevents undefined behavior while avoiding runtime bounds checking overhead in the performance-critical pixel processing loop. Reported-by: Samsung-PENTEST <[email protected]> Analyzed-by: degrigis <[email protected]> --- pngrtran.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) Index: libpng-1.2.59/pngrtran.c =================================================================== --- libpng-1.2.59.orig/pngrtran.c +++ libpng-1.2.59/pngrtran.c @@ -176,8 +176,8 @@ png_set_dither(png_structp png_ptr, png_ int i; png_ptr->dither_index = (png_bytep)png_malloc(png_ptr, - (png_uint_32)(num_palette * png_sizeof(png_byte))); - for (i = 0; i < num_palette; i++) + (png_uint_32)(PNG_MAX_PALETTE_LENGTH * png_sizeof(png_byte))); + for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++) png_ptr->dither_index[i] = (png_byte)i; }
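Review bot: the `@@ -97,7 +99,7 @@` spec hunk switches `%autosetup` from `-p0` to `-p1`, which changes the strip level for every patch in the spec, not only the new `Patch2`; the two CVE-2013 patches have their `---`/`+++` headers rewritten to `a/pngset.c` / `b/pngset.c` in this same request, so the set is consistent, but the only record of why they changed is the changelog line "modified patches ... (-p1)". A one-line comment beside `%autosetup -p1 -n libpng-%{version}` saying that all patches must carry `a/` and `b/` prefixes would keep the next added patch from failing to apply.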
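Review bot: the diffstat carried in the libpng12-CVE-2025-64505.patch header (`pngrtran.c | 8 ++++++--`, `6 insertions(+), 2 deletions(-)`) does not match the backported hunk, which changes 2 lines and deletes 2 in `png_set_dither`; the stat, the subject and the body (`quantize_index`, `png_do_quantize`) describe the upstream commit, while the 1.2.59 code names the array `dither_index`. Either trim the stat or add a short "backported from 6a528eb5 to libpng 1.2.59" line so the header describes this hunk. The change itself is sound as shown: once the table is allocated and identity-filled to `PNG_MAX_PALETTE_LENGTH`, every 8-bit pixel index lands inside it, which is why the pixel loop can stay free of a range check.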
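To show why a 256-entry identity table closes the over-read the commit message describes, here is an added C illustration; it is not libpng code and not part of this commit, `oob_reads`, `make_full_index_table`, `remap_row` and `remapped_pixel` are hypothetical helpers, and the sample row is constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define PNG_MAX_PALETTE_LENGTH 256   /* libpng's hard limit on palette entries */

/* Constructed sample: the PLTE chunk declares 4 entries, but the pixel
 * data carries indices 200 and 255, as a malformed PNG can. */
static const uint8_t SAMPLE_ROW[] = {0, 1, 2, 3, 200, 255};
#define SAMPLE_LEN (sizeof SAMPLE_ROW)

/* How many pixels index past a table of table_len entries. With the table
 * sized to num_palette, an unchecked loop performs that many over-reads. */
size_t oob_reads(const uint8_t *row, size_t n, size_t table_len) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (row[i] >= table_len) bad++;
    return bad;
}

/* The patched allocation: one entry for every possible 8-bit index,
 * identity-filled so unused slots map index N to palette entry N.
 * Hypothetical helper; it is not libpng's png_set_dither. */
uint8_t *make_full_index_table(void) {
    uint8_t *t = malloc(PNG_MAX_PALETTE_LENGTH);
    if (t == NULL) return NULL;
    for (size_t i = 0; i < PNG_MAX_PALETTE_LENGTH; i++) t[i] = (uint8_t)i;
    return t;
}

/* The pixel loop's lookup with no range check: safe only because a
 * uint8_t can never exceed 255, the last slot of a 256-entry table. */
void remap_row(const uint8_t table[PNG_MAX_PALETTE_LENGTH],
               const uint8_t *row, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = table[row[i]];
}

/* Remap SAMPLE_ROW through the full table and return pixel `pos`,
 * or -1 on a bad position or allocation failure. */
int remapped_pixel(size_t pos) {
    uint8_t out[SAMPLE_LEN];
    uint8_t *table = make_full_index_table();
    if (pos >= SAMPLE_LEN || table == NULL) { free(table); return -1; }
    remap_row(table, SAMPLE_ROW, out, SAMPLE_LEN);
    free(table);
    return out[pos];
}
```

With a 4-entry table the sample row would trigger two out-of-bounds reads; with the 256-entry table the out-of-range pixels simply map to themselves, which is the identity behaviour the commit message relies on.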
