oss-sec mailing list archives
Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293
From: Greg Roelofs <roelofs () panix com>
Date: Wed, 03 Dec 2025 15:09:25 -0800
Fixed now, and many thanks to Alan! That oversight had been there since Glenn's death 7+ years ago.
Greg

On 2025-12-03 13:33, Cosmin Truta wrote:
> [Cc-ing Greg Roelofs, who owns and maintains libpng.org [1]]
>
> On Wed, Dec 3, 2025 at 11:09 PM Alan Coopersmith <alan.coopersmith () oracle com> wrote:
>> Does this bug (and the recent bugs fixed in 1.6.51) not affect the older
>> branches of libpng, or is the statement that "libpng 1.2.x continues to get
>> security fixes, as has 1.0.x for well over a decade" on
>> https://libpng.org/pub/png/libpng.html no longer correct?
>
> The good news is this: neither this bug nor the ones in the previous v1.6.51
> release affect those ancient libpng releases. What these bugs DO affect is a
> thing called "the simplified libpng API", which was added in libpng-1.6.0.
>
> The bad news is this:
> https://libpng.org/pub/png/libpng.html
> I have seen that page a thousand times, and... yet... OOPSIE!!
>
>> Is the statement on https://libpng.sourceforge.io/index.html that the older
>> branches "ARE NO LONGER UPDATED" and were frozen in 2017 the correct one now?
>
> Yes, that is correct.
>
> Sincerely,
> Cosmin
>
> Links:
> ------
> [1] http://libpng.org