Your message dated Sun, 10 May 2026 18:32:31 +0000
with message-id <[email protected]>
and subject line Bug#1133051: fixed in libpng1.6 1.6.39-2+deb12u5
has caused the Debian Bug report #1133051,
regarding libpng1.6: CVE-2026-34757
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133051
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.56-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libpng1.6.
CVE-2026-34757[0]:
| Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
| leading to corrupted chunk data and potential heap information
| disclosure
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34757
https://www.cve.org/CVERecord?id=CVE-2026-34757
[1] https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.39-2+deb12u5
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 08 May 2026 14:30:14 +0200
Source: libpng1.6
Architecture: source
Version: 1.6.39-2+deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1133051
Changes:
libpng1.6 (1.6.39-2+deb12u5) bookworm-security; urgency=high
.
* Security upload targeting bookworm.
* CVE-2026-34757 - Use after free. (Closes: #1133051)
* Cherry-pick upstream regression fix for previously fixed CVE 2026-33416.
--- End Message ---