Debian alert DLA-4521-1 (libpng1.6)
From: Tobias Frost <tobi@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4521-1] libpng1.6 security update
Date: Thu, 02 Apr 2026 19:11:22 +0200
Message-ID: <ac6jOo24uM8pBvl8@isildor2.loewenhoehle.ip>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4521-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 02, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libpng1.6
Version        : 1.6.37-3+deb11u3
CVE ID         : CVE-2026-33416 CVE-2026-33636
Debian Bug     : 1132012 1132013

Two security vulnerabilities were discovered in libpng, a library
implementing an interface for reading and writing PNG (Portable Network
Graphics) files, which could result in denial of service or potentially
the execution of arbitrary code.

CVE-2026-33416

    Use-after-free via pointer aliasing in `png_set_tRNS` and
    `png_set_PLTE`, potentially allowing arbitrary code execution

CVE-2026-33636

    Out-of-bounds read/write in the palette expansion on ARM Neon,
    potentially causing a crash (DoS)

For Debian 11 bullseye, these problems have been fixed in version
1.6.37-3+deb11u3.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc (type=application/pgp-signature)
