From: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Subject: Re: [update] png 1.6.51
To: Matthieu Herrb <matthieu@openbsd.org>
Cc: tech@openbsd.org
Date: Mon, 24 Nov 2025 21:51:41 +0100

On Sat, Nov 22, 2025 at 10:49:48AM +0100, Matthieu Herrb wrote:
> Hi,
> 
> This is for the embedded libpng in xenocara. The matching port update
> was sent to ports@.
> 
> CVE-2025-64505 (CVSS 6.1, Moderate): Heap buffer over-read in
> png_do_quantize via malformed palette index.
> 
> CVE-2025-64506 (CVSS 6.1, Moderate): Heap buffer over-read in
> png_write_image_8bit with 8-bit input and convert_to_8bit enabled.
> 
> CVE-2025-64720 (CVSS 7.1, High): Out-of-bounds read in
> png_image_read_composite via palette premultiplication with
> PNG_FLAG_OPTIMIZE_ALPHA.
> 
> CVE-2025-65018 (CVSS 7.1, High): Heap buffer overflow in
> png_combine_row triggered via png_image_finish_read when processing
> 16-bit interlaced PNGs with 8-bit output format.
> 
> All vulnerabilities require user interaction (processing a malicious
> PNG file) and can result in information disclosure and/or denial of
> service. CVE-2025-65018 may enable arbitrary code execution via heap
> corruption in certain heap configurations.
> 
> ok ?

Test-built on sparc64 and riscv64, check_sym says "No dynamic export
changes" and the include files show no compat concern.

ok jca@

-- 
jca