|
|
Log in / Subscribe / Register

SUSE alert openSUSE-SU-2026:20017-1 (libpng16)



From:
              meissner@suse.com


To:
              security-announce@lists.opensuse.org


Subject:
              openSUSE-SU-2026:20017-1: important: Security update for libpng16


Date:
              Tue, 13 Jan 2026 17:51:53 +0100


Message-ID:
              <20260113165153.DE987FBA1@maintenance.suse.de>


Archive-link:
              Article


openSUSE security update: security update for libpng16
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20017-1
Rating: important
References:

  * bsc#1254157
  * bsc#1254158
  * bsc#1254159
  * bsc#1254160
  * bsc#1254480



Cross-References:

  * CVE-2025-64505
  * CVE-2025-64506
  * CVE-2025-64720
  * CVE-2025-65018
  * CVE-2025-66293



CVSS scores:

  * CVE-2025-64505 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  * CVE-2025-64505 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-64506 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  * CVE-2025-64506 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-64720 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  * CVE-2025-64720 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-65018 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  * CVE-2025-65018 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-66293 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
  * CVE-2025-66293 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

         openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 5 vulnerabilities and has 5 bug fixes can now be installed.

Description:

This update for libpng16 fixes the following issues:

- CVE-2025-64505: heap buffer over-read in `png_do_quantize` when processing PNG files malformed
palette indices
  (bsc#1254157).
- CVE-2025-64506: heap buffer over-read in `png_write_image_8bit` when processing 8-bit input with
`convert_to_8bit`
  enabled (bsc#1254158).
- CVE-2025-64720: out-of-bounds read in `png_image_read_composite` when processing palette images
with
  `PNG_FLAG_OPTIMIZE_ALPHA` enabled (bsc#1254159).
- CVE-2025-65018: heap buffer overflow in `png_image_finish_read` when processing specially crafted
16-bit interlaced
  PNGs with 8-bit output format (bsc#1254160).
- CVE-2025-66293: out-of-bounds read of the `png_sRGB_base` array when processing palette PNG
images with partial
  transparency and gamma correction (bsc#1254480).


Patch instructions:

   To install this openSUSE security update use the suse recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

   zypper in -t patch openSUSE-Leap-16.0-131=1

Package List:

- openSUSE Leap 16.0:

  libpng16-16-1.6.44-160000.3.1
  libpng16-16-x86-64-v3-1.6.44-160000.3.1
  libpng16-compat-devel-1.6.44-160000.3.1
  libpng16-compat-devel-x86-64-v3-1.6.44-160000.3.1
  libpng16-devel-1.6.44-160000.3.1
  libpng16-devel-x86-64-v3-1.6.44-160000.3.1
  libpng16-tools-1.6.44-160000.3.1

References:

  * https://www.suse.com/security/cve/CVE-2025-64505.html
  * https://www.suse.com/security/cve/CVE-2025-64506.html
  * https://www.suse.com/security/cve/CVE-2025-64720.html
  * https://www.suse.com/security/cve/CVE-2025-65018.html
  * https://www.suse.com/security/cve/CVE-2025-66293.html
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds