Your message dated Sun, 10 May 2026 18:32:05 +0000
with message-id <[email protected]>
and subject line Bug#1133051: fixed in libpng1.6 1.6.48-1+deb13u5
has caused the Debian Bug report #1133051,
regarding libpng1.6: CVE-2026-34757
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133051
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.56-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libpng1.6.

CVE-2026-34757[0]:
| Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
| leading to corrupted chunk data and potential heap information
| disclosure

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34757
    https://www.cve.org/CVERecord?id=CVE-2026-34757
[1] https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.48-1+deb13u5
Done: Tobias Frost <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 May 2026 14:19:08 +0200
Source: libpng1.6
Architecture: source
Version: 1.6.48-1+deb13u5
Distribution: trixie-security
Urgency: high
Maintainer: Maintainers of libpng1.6 packages <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1133051
Changes:
 libpng1.6 (1.6.48-1+deb13u5) trixie-security; urgency=high
 .
   * Security upload targeting trixie.
   * CVE-2026-34757 - Use after free. (Closes: #1133051)
   * Cherry-pick upstream regression fix for previously fixed CVE 2026-33416.


--- End Message ---
