[ubuntu/questing-security] libpng1.6 1.6.50-1ubuntu0.5 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu May 7 13:29:21 UTC 2026


libpng1.6 (1.6.50-1ubuntu0.5) questing-security; urgency=medium

  * SECURITY UPDATE: use-after-free via shared buffers
    - debian/patches/CVE-2026-33416-1.patch: fix: Resolve use-after-free on
      `png_ptr->trans_alpha` in pngread.c, pngrutil.c, pngset.c, pngwrite.c.
    - debian/patches/CVE-2026-33416-2.patch: fix: Resolve use-after-free on
      `png_ptr->palette` in pngread.c, pngrtran.c, pngrutil.c, pngset.c,
      pngwrite.c.
    - debian/patches/CVE-2026-33416-3.patch: fix: Initialize tail bytes in
      `trans_alpha` buffers in pngset.c.
    - debian/patches/CVE-2026-33416-4.patch: fix: Sync `info_ptr->palette` after
      in-place transforms in pngrtran.c.
    - debian/patches/CVE-2026-33416-5.patch: fix: Sync `info_ptr->palette`
      unconditionally after in-place transforms in pngrtran.c.
    - CVE-2026-33416
  * SECURITY UPDATE: out-of-bounds access in ARM palette expansion path
    - debian/patches/CVE-2026-33636.patch: fix(arm): Resolve out-of-bounds
      read/write in NEON palette expansion in arm/palette_neon_intrinsics.c.
    - CVE-2026-33636
  * SECURITY UPDATE: getter-to-setter aliasing issues
    - debian/patches/CVE-2026-34757-1.patch: fix: Handle self-referencing
      pointers in getter-to-setter aliasing in CMakeLists.txt, Makefile.am,
      contrib/libtests/pnggetset.c, pngset.c, tests/pnggetset.
    - debian/patches/CVE-2026-34757-2.patch: fix: Handle getter-to-setter
      aliasing in append-style chunk setters in contrib/libtests/pnggetset.c,
      pngset.c.
    - CVE-2026-34757
  * SECURITY UPDATE: integer overflow in rowbytes computation
    - debian/patches/rowbytes_overflow.patch: fix: Prevent integer overflow in
      rowbytes computation in AUTHORS, pngrtran.c.
    - No CVE number

Date: 2026-05-05 20:40:21.712673+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/libpng1.6/1.6.50-1ubuntu0.5