oss-sec mailing list archives

Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293

From: Cosmin Truta <ctruta () gmail com>
Date: Wed, 3 Dec 2025 23:33:28 +0200

[Cc-ing Greg Roelofs, who owns and maintains libpng.org]

On Wed, Dec 3, 2025 at 11:09 PM Alan Coopersmith <
alan.coopersmith () oracle com> wrote:

Does this bug (and the recent bugs fixed in 1.6.51) not affect the older
branches of libpng, or is the statement that "libpng 1.2.x continues to

get

security fixes, as has 1.0.x for well over a decade" on
https://libpng.org/pub/png/libpng.html no longer correct?


The good news is this: neither this bug nor the ones in the previous
v1.6.51 release affect those ancient libpng releases. What these bugs DO
affect is a thing called "the simplified libpng API", which was added in
libpng-1.6.0.

The bad news is this:

https://libpng.org/pub/png/libpng.html


I have seen that page a thousand times, and... yet... OOPSIE!!

Is the statement on https://libpng.sourceforge.io/index.html that the

older

branches "ARE NO LONGER UPDATED" and were frozen in 2017 the correct one

now?

Yes, that is correct.

Sincerely,
Cosmin

Current thread:

libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta (Dec 03)
- Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Alan Coopersmith (Dec 03)
  - Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta (Dec 03)
    - Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Greg Roelofs (Dec 03)