This email comes from outside; let's stay vigilant.

=====================================================================
CERT-Renater Information Note No. 2026/VULN143
_____________________________________________________________________

DATE: 10/02/2026 (10 February 2026)
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running libpng versions prior to 1.6.55.
=====================================================================

https://sourceforge.net/p/png-mng/mailman/png-mng-announce/?viewmonth=202602
_____________________________________________________________________

Hello, everyone,

Yep, it's another security release. Nope, I'm not happy about it either.
And yet, here we are, and here is libpng-1.6.55.

CVE-2026-25646 is a heap buffer overflow in png_set_quantize, the function
that reduces the number of colors in a palette. A logic error in the color
distance table, storing current palette indices where the rest of the code
expects original indices, causes the pruning loop to lose track of valid
candidates after colors get swapped. The search bound then grows past the
end of an internal heap buffer, and out-of-bounds reads occur. The
triggering images are valid per the PNG specification.

The bug has existed since the initial version of this function, back when
it was still called png_set_dither. I mean... That's about 30 years! In
our defense, the code in question has been sitting under a comment that
literally says *"We don't understand this at all, so if someone wants to
work on improving it, be our guest."* Well, Joshua Inscoe was our guest --
and he delivered!

Unlike the CVEs fixed in 1.6.51, 1.6.52 and 1.6.54, which all affected the
simplified API, this one is in the low-level API. If you use
png_set_quantize to reduce the number of colors in untrusted PNG images,
you need this update.

Many thanks to Joshua for reporting this issue, for analyzing it
thoroughly, AND for handing us the fix. Some of the best patches can be
printed on a business card, and this is one of those :-)

The gory details are available at:
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
https://www.openwall.com/lists/oss-security/2026/02/09/7

---

Also in this release:
Philippe Antoine resolved an oss-fuzz build issue involving nalloc.

---

In the good old tradition of file authentication, here are the SHA-2-256
checksums of the published archive files:

libpng-1.6.55.tar.gz 4b0abab6d219e95690ebe4db7fc9aa95f4006c83baaa022373c0c8442271283d
libpng-1.6.55.tar.xz d925722864837ad5ae2a82070d4b2e0603dc72af44bd457c3962298258b8e82d
lpng1655.7z 12216980290bc4b5dc3e8914865f983a1b0739d6400573760ed953fedd098a6a
lpng1655.zip aa45ef52ff7a4e61f34af866b3254b0b243ddc42fe2adb823b0843d2a57c2e86

Sincerely,
Cosmin

=========================================================
+ CERT-RENATER       | tel: 01-53-94-20-44              +
+ 23/25 Rue Daviel   | fax: 01-53-94-20-41              +
+ 75013 Paris        | email: cert@support.renater.fr   +
=========================================================
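As an added example, not part of the libpng announcement or the CERT-Renater bulletin: a POSIX shell script covering the two checks a packager actually runs on this release. It verifies a downloaded 1.6.55 archive against the SHA-256 digests published above (the digest table is copied verbatim from the announcement), and it decides whether an installed libpng predates 1.6.55, the version that carries the png_set_quantize fix. The use of pkg-config to read the installed version and of binutils nm to see whether a binary imports png_set_quantize are assumptions about the host's tooling; the helper functions themselves are ours, not libpng's.

```sh
#!/bin/sh
# Added example, not from the libpng announcement or the CERT-Renater bulletin.
# Two checks around the libpng-1.6.55 release: verify a downloaded archive
# against the published SHA-256 digests, and decide whether an installed
# libpng is older than 1.6.55. The digest table is copied from the
# announcement; pkg-config and nm are assumed to exist on the host.

# "<archive name> <sha256>" pairs exactly as published for libpng-1.6.55.
LIBPNG_1655_SHA256='
libpng-1.6.55.tar.gz 4b0abab6d219e95690ebe4db7fc9aa95f4006c83baaa022373c0c8442271283d
libpng-1.6.55.tar.xz d925722864837ad5ae2a82070d4b2e0603dc72af44bd457c3962298258b8e82d
lpng1655.7z 12216980290bc4b5dc3e8914865f983a1b0739d6400573760ed953fedd098a6a
lpng1655.zip aa45ef52ff7a4e61f34af866b3254b0b243ddc42fe2adb823b0843d2a57c2e86
'
FIXED_VERSION=1.6.55

# sha256_of FILE: print the hex digest using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit 0 on match, 1 on mismatch.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_release_archive FILE: look the basename up in the published table.
# Exit 0 on match, 1 on mismatch, 2 if the name is not a published archive.
verify_release_archive() {
    name=$(basename "$1")
    expected=$(printf '%s\n' "$LIBPNG_1655_SHA256" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -z "$expected" ]; then
        echo "no published checksum for $name" >&2
        return 2
    fi
    if verify_sha256 "$1" "$expected"; then
        echo "$name: OK"
    else
        echo "$name: SHA-256 MISMATCH, do not use this archive" >&2
        return 1
    fi
}

# version_lt A B: exit 0 if dotted version A is older than B. Each field is
# compared numerically, so 1.6.55 sorts after 1.6.9 and 1.10 after 1.6.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# needs_update VERSION: exit 0 if VERSION predates the fixed release.
needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_libpng_needs_update: read the system libpng version through
# pkg-config (assumed present) and report. Exit 0 = update needed,
# 1 = already fixed, 2 = libpng not found via pkg-config.
installed_libpng_needs_update() {
    v=$(pkg-config --modversion libpng 2>/dev/null) || {
        echo "libpng not found via pkg-config" >&2
        return 2
    }
    if needs_update "$v"; then
        echo "libpng $v is older than $FIXED_VERSION: update"
        return 0
    fi
    echo "libpng $v already includes the png_set_quantize fix"
    return 1
}

# links_png_set_quantize BINARY: does a dynamically linked ELF binary import
# png_set_quantize? (binutils nm assumed; a statically linked or vendored
# libpng will not show up here.)
links_png_set_quantize() {
    nm -D --undefined-only "$1" 2>/dev/null | grep -q 'png_set_quantize'
}
```

Source the file and run, for instance, `verify_release_archive ./libpng-1.6.55.tar.xz && installed_libpng_needs_update`. The checksum only ties the file you have to the table in the announcement, so get the table from the list archive or the advisory, not from the same place you got the tarball. The pkg-config and nm checks see only the system's shared libpng; applications that vendor or statically link libpng (common for image-processing tools) need to be checked by inspecting their own build, and the call that matters is png_set_quantize on untrusted input, as the announcement says.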