> -----Original Message----- > From: [email protected] <openembedded- > [email protected]> On Behalf Of Peter Marko via > lists.openembedded.org > Sent: Tuesday, February 17, 2026 22:06 > To: [email protected] > Cc: Marko, Peter (FT D EU SK BFS1) <[email protected]> > Subject: [OE-core][kirkstone][PATCH] libpng: patch CVE-2026-25646 > > From: Peter Marko <[email protected]> > > Backport patch mentioned in NVD CVE report. > > Signed-off-by: Peter Marko <[email protected]> > --- > .../libpng/files/CVE-2026-25646.patch | 61 +++++++++++++++++++ > .../libpng/libpng_1.6.39.bb | 1 + > 2 files changed, 62 insertions(+) > create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch > > diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch > b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch > new file mode 100644 > index 0000000000..e97c5078b0 > --- /dev/null > +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch 
> @@ -0,0 +1,61 @@ > +From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 > 2001 > +From: Cosmin Truta <[email protected]> > +Date: Fri, 6 Feb 2026 19:11:54 +0200 > +Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize` > + > +The color distance hash table stored the current palette indices, but > +the color-pruning loop assumed the original indices. When colors were > +eliminated and indices changed, the stored indices became stale. This > +caused the loop bound `max_d` to grow past the 769-element hash array. > + > +The fix consists in storing the original indices via `palette_to_index` > +to match the pruning loop's expectations. > + > +Reported-by: Joshua Inscoe <[email protected]> > +Co-authored-by: Joshua Inscoe <[email protected]> > +Signed-off-by: Cosmin Truta <[email protected]> > + > +CVE: CVE-2026-25646 > +Upstream-Status: Backport > [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a > 1c7277d88] > +Signed-off-by: Peter Marko <[email protected]> > +--- > + AUTHORS | 1 + > + pngrtran.c | 6 +++--- > + 2 files changed, 4 insertions(+), 3 deletions(-) > + > +diff --git a/AUTHORS b/AUTHORS > +index b9c0fffcf..4094f4a57 100644 > +--- a/AUTHORS > ++++ b/AUTHORS > +@@ -14,6 +14,7 @@ Authors, for copyright and licensing purposes. > + * Guy Eric Schalnat > + * James Yu > + * John Bowler > ++ * Joshua Inscoe > + * Kevin Bracey > + * Magnus Holmgren > + * Mandar Sahastrabuddhe > +diff --git a/pngrtran.c b/pngrtran.c > +index fe8f9d32c..1fce9af12 100644 > +--- a/pngrtran.c > ++++ b/pngrtran.c > +@@ -1,7 +1,7 @@ > + > + /* pngrtran.c - transforms the data in a row for PNG readers > + * > +- * Copyright (c) 2018-2019 Cosmin Truta > ++ * Copyright (c) 2018-2026 Cosmin Truta > + * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson > + * Copyright (c) 1996-1997 Andreas Dilger > + * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. 
> +@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp > palette, > + break; > + > + t->next = hash[d]; > +- t->left = (png_byte)i; > +- t->right = (png_byte)j; > ++ t->left = png_ptr->palette_to_index[i]; > ++ t->right = png_ptr->palette_to_index[j]; > + hash[d] = t; > + } > + } > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes- > multimedia/libpng/libpng_1.6.39.bb > index c4347a6715..448594e0d7 100644 > --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb > @@ -24,6 +24,7 @@ SRC_URI = "\ > file://CVE-2025-66293-02.patch \ > file://CVE-2026-22695.patch \ > file://CVE-2026-22801.patch \
Looking at the stable/kirkstone-nut branch, this patch was applied without the two above. So there needed to be conflict resolution, which is usually a no-go for accepting patches. I'm wondering if I should resend those 2 on top of the third (and revert patch order) or if all 3 patches can be re-applied in correct order. Peter > + file://CVE-2026-25646.patch \ > " > > SRC_URI[sha256sum] = > "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
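Review bot: the two replacement lines in the `@@ -647,8 +647,8 @@` hunk of pngrtran.c, `t->left = png_ptr->palette_to_index[i];` and `t->right = png_ptr->palette_to_index[j];`, make the hash-table build depend on `palette_to_index` already being allocated and filled for every `i` and `j` at that point, and the three lines of context shown do not establish that. Since the upstream commit is against pngrtran.c at index fe8f9d32c rather than the 1.6.39 tree, please confirm on kirkstone that 1.6.39's `png_set_quantize` populates `png_ptr->palette_to_index` before the loop at line 647; otherwise the stale-index overflow the commit message describes (the `max_d` bound growing past the 769-element hash array) would be replaced by wrong indices from a different source. A build-time check that exercises `png_set_quantize` with a palette large enough to trigger pruning would make the backport verifiable rather than assumed.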
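Review bot: the leading context lines of the libpng_1.6.39.bb hunk, `file://CVE-2026-22695.patch \` and `file://CVE-2026-22801.patch \`, mean this hunk only applies cleanly where those two SRC_URI entries already exist, which is exactly the mismatch described above for stable/kirkstone-nut. Rebasing the three CVE patches as one ordered series on the current branch head (22695, 22801, then 25646) would let each SRC_URI hunk apply without manual conflict resolution; the `SRC_URI[sha256sum]` context line and the closing quote are unchanged, so nothing else in the recipe is affected by the ordering.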
View/Reply Online (#231687): https://lists.openembedded.org/g/openembedded-core/message/231687
