Created attachment 265690: patch to update png to 1.6.51

Upgrade to 1.6.51 fixes 4 vulnerabilities:
- CVE-2025-64505 (moderate severity): Heap buffer overflow in png_do_quantize() via malformed palette index
- CVE-2025-64506 (moderate severity): Heap buffer over-read in png_write_image_8bit() with 8-bit input and convert_to_8bit enabled
- CVE-2025-64720 (high severity): Buffer overflow in png_image_read_composite() via incorrect palette
- CVE-2025-65018 (high severity): Heap buffer overflow in png_combine_row() triggered via png_image_finish_read()

Build works, haven't installed it anywhere yet.
Changes from version 1.6.50 to version 1.6.51: https://www.libpng.org/pub/png/src/libpng-1.6.51-README.txt
Compiled and installed on my local system, thanks for the patch :)
LGTM, please push given "poudriere testport" passes.
Patch works for me, too; 14.3-RELEASE-p5. Thanks!
At least do it the proper way: make sure that "make test" passes at least on ONE platform, and request an exp-run.
Comment on attachment 265690: patch to update png to 1.6.51

make test passes on -CURRENT amd64, there are no API/ABI changes so no exp-run is needed. This is good to go as is.
There have been multiple issues where the "it's all fine" argument has proven to be incorrect, so just do it. See also https://cgit.freebsd.org/ports/commit/?id=03ac41951fa0bd09789183204293b5b4ac03dc1f
Exp-run request
Created attachment 265815: Patch for png

Fixes CVE-2025-66293 (listed as high severity by upstream)

Compile and runtime tested on FreeBSD 14.3-RELEASE (amd64) (make, make check-plist, make test)
Poudriere testport OK 13.5-RELEASE (amd64)
Poudriere testport OK 13.5-RELEASE (i386)
Poudriere testport OK 14.3-RELEASE (amd64)

VuXML entry should also be added.
Thanks for the patch (again), make test passes. As there is no vuxml for this on phab or bugzilla, I have submitted bug 291410.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=df1135a895c37fcc13ad9e435f48cfb3f5df5c49

commit df1135a895c37fcc13ad9e435f48cfb3f5df5c49
Author:     Polarian <polarian@polarian.dev>
AuthorDate: 2025-12-05 02:36:48 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2025-12-05 06:14:17 +0000

    security/vuxml: Out of bounds read in graphics/png

    PR: 291266, 291410

 security/vuxml/vuln/2025.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
Whatever got committed to the ports tree DOES NOT upgrade to 1.6.52, but rather 1.6.50. Can we perhaps try again? Also, of course, version 1.6.52 doesn't seem to exist yet.
(In reply to George Mitchell from comment #12) 1.6.52 does exist: https://sourceforge.net/projects/libpng/files/libpng16/1.6.52/ and I think only the vuxml entry got committed, not diizzy's actual patch to upgrade the port.
(In reply to George Mitchell from comment #12) Please read the commit message again, it was for the vuxml (security disclosure file), not the port itself. This is relatively common procedure to separately commit the vuxml entry on the subject whilst referencing the bug that would update or fix the subject. What does not exist yet is the matching libpng-apng patchset, but I suppose one is not strictly necessary apart from consistency.
My bad ... sorry for the noise.
(In reply to Daniel Engberg from comment #8) Let's stop that nonsense. We'll get pkg-fallout mail, and if things are fine, we MFH. We need to get the fix out. This is high profile.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f1bbe43c186c567cd96c0a5c6fd0c1a159accaf9

commit f1bbe43c186c567cd96c0a5c6fd0c1a159accaf9
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-12-05 20:15:37 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-12-05 20:18:14 +0000

    graphics/png: security update to 1.6.52

    Note this isn't the offered patch from the PR, but one that instead
    puts the APNG patch version into a variable.

    Reported by:    FiLiS
    Approved by:    desktop@ (vishwin)
    PR:             291266
    MFH:            2025Q4 (after a few days)

    png -- Multiple vulnerabilities
    Security:       CVE-2025-64505
    Security:       CVE-2025-64506
    Security:       CVE-2025-64720
    Security:       CVE-2025-65018
    Security:       4b297f5a-cbad-11f0-ac9f-b42e991fc52e

    png -- Out-of-bounds read
    Security:       CVE-2025-66293
    Security:       f323f148-d181-11f0-841f-843a4b343614

 graphics/png/Makefile  |  7 ++++---
 graphics/png/distinfo  | 10 +++++-----
 graphics/png/pkg-plist |  2 +-
 3 files changed, 10 insertions(+), 9 deletions(-)
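The thread fixes a version-to-CVE mapping for graphics/png: 1.6.51 closes the four heap-overflow CVEs from the first attachment, and 1.6.52 additionally closes CVE-2025-66293. The following POSIX sh snippet turns that mapping into a check an operator could run against the version reported for an installed png package. It is an added example, not the patch from this PR and not libpng or ports-tree code; the function names version_ge and open_cves are my own, and ports suffixes (`_N` revision, `,N` epoch) are simply stripped as a simplification rather than compared with full pkg(8) semantics.

```shell
#!/bin/sh
# Added example, not part of the PR: map an installed libpng version to the
# CVEs from this bug that it is still exposed to, per the fixed versions
# stated in the thread (1.6.51 and 1.6.52).

# version_ge A B: exit status 0 if dotted version A >= B, 1 otherwise.
# Ports suffixes such as "_1" (port revision) or ",1" (epoch) are stripped
# before comparison; this is a simplification, not full pkg(8) version logic.
version_ge() {
    a=${1%%[,_]*}
    b=${2%%[,_]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        # peel off the leading numeric component of each side
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        # a missing component counts as 0, so 1.6 == 1.6.0
        ah=${ah:-0}; bh=${bh:-0}
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
    done
    return 0
}

# open_cves VERSION: print the space-separated list of CVEs from this bug that
# VERSION has not received fixes for (empty output means fully patched).
open_cves() {
    out=''
    if ! version_ge "$1" 1.6.51; then
        out='CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018'
    fi
    if ! version_ge "$1" 1.6.52; then
        out="${out:+$out }CVE-2025-66293"
    fi
    printf '%s\n' "$out"
}

# Constructed sample versions; on a live FreeBSD host the installed version
# would come from:  pkg query '%v' png
for v in 1.6.50 1.6.51 1.6.52 1.6.50_1 1.6.52_1; do
    open=$(open_cves "$v")
    printf 'png-%s: %s\n' "$v" "${open:-no CVEs from this bug open}"
done
```

The comparison is component-wise numeric rather than lexical, so 1.6.10 correctly sorts above 1.6.9; `pkg audit` against the vuxml entries referenced in the commit remains the authoritative check on a real host.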
(In reply to Matthias Andree from comment #16) Can we have some kind of Quality Assurance (QA) instead of just pushing stuff randomly without any testing at all? If you're in a rush, just import the patch in your local tree. Bypassing any kind of testing because you find it unnecessary is not the way to go.
Over to desktop@ - please test thoroughly (ask diizzy@ for help) and when we're good, MFH to 2025Q4. I'll send my poudriere 14.3-amd64 to build shy of 700 ports in parallel, let's see how far that comes.
Self-tests pass and if downstream ports break due to upstream bugfixes, we need to sort it out without leaving the ports that are good out in the rain.
The issue has been cooking for more than four weeks, see https://cveawg.mitre.org/api/cve/CVE-2025-64505 - we can't delay such things. We've seen enough attacks and other scare tales through b0tched images before.
(In reply to Matthias Andree from comment #20) I'd argue that the "to exp-run or not" is up to portmgr@, not desktop@. My reply is "yes, just MFH it", FWIW.
A commit in branch 2025Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b6cf7cefbe981400d989aa5f0d000e3b49f8ce50

commit b6cf7cefbe981400d989aa5f0d000e3b49f8ce50
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-12-05 20:15:37 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-12-07 12:15:28 +0000

    graphics/png: security update to 1.6.52

    Note this isn't the offered patch from the PR, but one that instead
    puts the APNG patch version into a variable.

    Reported by:    FiLiS
    Approved by:    desktop@ (vishwin)
    PR:             291266
    MFH:            2025Q4 (after a few days)

    png -- Multiple vulnerabilities
    Security:       CVE-2025-64505
    Security:       CVE-2025-64506
    Security:       CVE-2025-64720
    Security:       CVE-2025-65018
    Security:       4b297f5a-cbad-11f0-ac9f-b42e991fc52e

    png -- Out-of-bounds read
    Security:       CVE-2025-66293
    Security:       f323f148-d181-11f0-841f-843a4b343614

    (cherry picked from commit f1bbe43c186c567cd96c0a5c6fd0c1a159accaf9)

 graphics/png/Makefile  |  7 ++++---
 graphics/png/distinfo  | 10 +++++-----
 graphics/png/pkg-plist |  2 +-
 3 files changed, 10 insertions(+), 9 deletions(-)
Shitloads of ports have failed my test build due to underdeclared prerequisite ports, X11 and otherwise, but I haven't found errors related to PNG, so MFH is also done.
Thanks for the fix!