oss-sec mailing list archives
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 3 Dec 2025 13:09:49 -0800
On 12/3/25 12:51, Cosmin Truta wrote:
> Hello, everyone,
>
> libpng 1.6.52 has been released to address an out-of-bounds read vulnerability in the simplified API. This release fixes one high-severity CVE affecting libpng 1.6.0 through 1.6.51.

Does this bug (and the recent bugs fixed in 1.6.51) not affect the older branches of libpng, or is the statement that "libpng 1.2.x continues to get security fixes, as has 1.0.x for well over a decade" on https://libpng.org/pub/png/libpng.html no longer correct?

Is the statement on https://libpng.sourceforge.io/index.html that the older branches "ARE NO LONGER UPDATED" and were frozen in 2017 the correct one now?

--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
