[security][HIGH] libpng 1.6.53: 5 CVE require triage #1

Closed
opened 2026-04-29 04:37:47 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: libpng
  • Version: 1.6.53
  • EVR: 1.6.53-1
  • Category: library
  • Policy class: library
  • NiceOS policy class: -
  • Owner: base-team
  • Severity: HIGH
  • Max CVSS: 8.3
  • CVE count: 5

LLM recommendation

RU

A buffer overflow vulnerability (CVE-2026-22801, CVE-2026-22695) and potential memory-safety issues (CVE-2026-33416) have been identified in libpng 1.6.53. These vulnerabilities affect reading and writing of PNG images and may lead to arbitrary code execution. A further candidate, CVE-2026-33636, has also been identified and requires architecture verification.

Immediately update the libpng package to version 1.6.54 or later to remediate the critical buffer overflow vulnerabilities. If an update is not possible, consider rolling back to a stable branch or applying patches manually.

Recommended action: update_package

Target version hint: 1.6.54

Checks:

  1. Check the package version: rpm -q --queryformat '%{VERSION}' libpng.
  2. Ensure the version is >= 1.6.54.
  3. Test applications that use libpng for correct handling of PNG files with non-standard parameters (negative stride, specific palettes).

Risks: Arbitrary code execution (RCE) when processing specially crafted PNG images. The vulnerabilities affect both reading and writing of images, which makes the system vulnerable when working with any external image sources.

EN

Buffer overflow vulnerabilities (CVE-2026-22801, CVE-2026-22695) and potential memory issues (CVE-2026-33416) exist in libpng 1.6.53 affecting PNG image processing and potentially leading to arbitrary code execution. CVE-2026-33636 is a candidate requiring architecture verification.

Immediately update the libpng package to version 1.6.54 or later to mitigate critical buffer overflow vulnerabilities. If an update is not feasible, consider rolling back to a stable branch or applying patches manually.

Recommended action: update_package

Target version hint: 1.6.54

Tests:

  1. Check package version: rpm -q --queryformat '%{VERSION}' libpng.
  2. Ensure version >= 1.6.54.
  3. Test applications using libpng for correct handling of PNG files with non-standard parameters (negative stride, specific palettes).

Risks: Arbitrary code execution (RCE) when processing specially crafted PNG images. Vulnerabilities affect both reading and writing images, making the system vulnerable when working with any external image sources.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2026-25646 | HIGH | 8.3 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-22801 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-33636 | HIGH | 7.6 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-33416 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-22695 | HIGH | 7.1 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2026-25646

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

CVE-2026-22801

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit that causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

CVE-2026-33636

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

CVE-2026-33416

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines. png_set_tRNS sets png_ptr->trans_alpha = info_ptr->trans_alpha (256-byte buffer) and png_set_PLTE sets info_ptr->palette = png_ptr->palette (768-byte buffer). In both cases, calling png_free_data (with PNG_FREE_TRNS or PNG_FREE_PLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to png_set_tRNS or png_set_PLTE has the same effect, because both functions call png_free_data internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.

CVE-2026-22695

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-22695",
    "CVE-2026-22801",
    "CVE-2026-25646",
    "CVE-2026-33416",
    "CVE-2026-33636"
  ],
  "fingerprint": "8e8c8bb6952a994c461a",
  "generated_at": "2026-04-29T01:37:47Z",
  "package": "libpng",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "1.6.53"
}
Author
Owner

Closing as fixed by the libpng 1.6.58 update in niceos-5.2.

Security triage result:

libpng was updated within the same stable ABI series:

  • libpng 1.6.53 → 1.6.58
  • ABI line preserved: libpng16.so.16

Installed library layout confirms the same SONAME line:

libpng16.so -> libpng16.so.16.58.0
libpng16.so.16 -> libpng16.so.16.58.0
libpng16.so.16.58.0

CVE status with 1.6.58:

  • CVE-2026-22695: fixed upstream in 1.6.54.
  • CVE-2026-22801: fixed upstream in 1.6.54.
  • CVE-2026-25646: fixed upstream in 1.6.55.
  • CVE-2026-33416: fixed upstream in 1.6.56.
  • CVE-2026-33636: fixed upstream in 1.6.56.

The final target was moved past 1.6.56 to 1.6.58 because 1.6.57 fixed CVE-2026-34757, a use-after-free regression related to the CVE-2026-33416 fix, and 1.6.58 is the current public 1.6.x release with an additional bugfix after 1.6.57.

ABI assessment:

This update stays inside the libpng 1.6.x / libpng16.so.16 ABI line, so it should not require an ABI transition or mass rebuild. Reverse-dependency smoke testing is still recommended for packages linked against libpng16.so.16.

Validation checklist:

rpm -q libpng
pkg-config --modversion libpng16
readelf -d /usr/lib64/libpng16.so.16* | grep SONAME
rpm -q --whatrequires 'libpng16.so.16()(64bit)' || true

Result: fixed by libpng 1.6.58 in niceos-5.2.
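As an added example that is not part of this issue or of the NiceOS tooling: a small Python helper covering the Tests steps 1 and 2 from the triage request (gate each CVE on the upstream "fixed in" versions quoted in the Descriptions, rather than on a single target) and the ABI assessment above (confirm the SONAME line is unchanged across the update). The rpm and readelf outputs below are constructed strings standing in for `rpm -q --queryformat '%{VERSION}' libpng` and `readelf -d ... | grep SONAME`, not captured from a host; the function names and the `FIXED_IN` table are this example's own.

```python
"""Added example: per-CVE version gating and SONAME continuity check for libpng.

Not NiceOS tooling. FIXED_IN is filled from the fix versions stated in the
issue's CVE descriptions; all sample tool output is constructed inline.
"""
import re
from typing import Dict, Tuple

# Upstream "fixed in" versions as listed in the issue's Descriptions section.
FIXED_IN: Dict[str, str] = {
    "CVE-2026-22695": "1.6.54",
    "CVE-2026-22801": "1.6.54",
    "CVE-2026-25646": "1.6.55",
    "CVE-2026-33416": "1.6.56",
    "CVE-2026-33636": "1.6.56",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.53' (or an EVR such as '1.6.53-1') into a comparable tuple.

    The distro release after '-' is dropped: upstream fixes are keyed on the
    VERSION part only. Numeric tuples avoid the classic string-comparison
    mistake where '1.6.9' sorts after '1.6.10'.
    """
    version = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(part) for part in version.split("."))


def cve_status(installed: str) -> Dict[str, str]:
    """Map each listed CVE to 'fixed' or 'affected' for the installed version."""
    have = parse_version(installed)
    return {
        cve: ("fixed" if have >= parse_version(fix) else "affected")
        for cve, fix in sorted(FIXED_IN.items())
    }


def minimum_target(extra_required: Tuple[str, ...] = ()) -> str:
    """Lowest upstream version that closes every CVE in FIXED_IN, plus any
    additional floor the triager supplies (e.g. a later regression fix)."""
    candidates = list(FIXED_IN.values()) + list(extra_required)
    return max(candidates, key=parse_version)


# Matches the SONAME entry printed by `readelf -d`.
SONAME_RE = re.compile(r"Library soname: \[([^\]]+)\]")


def soname_of(readelf_dynamic_output: str) -> str:
    """Extract the SONAME from readelf -d output; fail loudly if absent."""
    match = SONAME_RE.search(readelf_dynamic_output)
    if not match:
        raise ValueError("no SONAME entry in readelf output")
    return match.group(1)


def abi_line_preserved(before: str, after: str) -> bool:
    """True when old and new builds carry the same SONAME (same ABI line)."""
    return soname_of(before) == soname_of(after)


# Constructed sample outputs (hypothetical, not captured from a real host).
OLD_RPM_VERSION = "1.6.53"
NEW_RPM_VERSION = "1.6.58"
OLD_READELF = "0x000000000000000e (SONAME)  Library soname: [libpng16.so.16]"
NEW_READELF = "0x000000000000000e (SONAME)  Library soname: [libpng16.so.16]"

if __name__ == "__main__":
    for label, version in (("before", OLD_RPM_VERSION), ("after", NEW_RPM_VERSION)):
        print(f"{label} update ({version}):")
        for cve, status in cve_status(version).items():
            print(f"  {cve}: {status}")
    print("lowest version closing all listed CVEs:", minimum_target())
    # The triage comment raises the floor to 1.6.57 for the CVE-2026-33416 regression fix.
    print("floor including the 1.6.57 regression fix:", minimum_target(("1.6.57",)))
    print("ABI line preserved:", abi_line_preserved(OLD_READELF, NEW_READELF))
```

On a real host, replace the constructed strings with the output of the rpm and readelf commands from the validation checklist; the per-CVE table is what a `niceos_cve_triage` entry would need to record, since a single "version >= 1.6.54" check would mark CVE-2026-25646, CVE-2026-33416 and CVE-2026-33636 fixed too early.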
