fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)

Resolves: RHEL-148411
2026-03-03 11:15:29 +01:00 · 2026-03-03 11:15:29 +01:00 · 3587652aaf
commit 3587652aaf
parent e15db0d2dc
2 changed files with 23 additions and 1 deletions
--- a/libpng-1.6-cve-2026-25646.patch
+++ b/libpng-1.6-cve-2026-25646.patch
@ -0,0 +1,15 @@
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c9..1fce9af121 100644
+--- a/pngrtran.c
+++ b/pngrtran.c
+@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+                          break;
+ 
+                      t->next = hash[d];
+-                     t->left = (png_byte)i;
+-                     t->right = (png_byte)j;
+                     t->left = png_ptr->palette_to_index[i];
+                     t->right = png_ptr->palette_to_index[j];
+                      hash[d] = t;
+                   }
+                }
--- a/libpng.spec
+++ b/libpng.spec
@ -4,7 +4,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.37
-Release:       14%{?dist}
+Release:       15%{?dist}
 License:       zlib
 URL:           http://www.libpng.org/pub/png/

@ -31,6 +31,9 @@ Patch7:        libpng-1.6-cve-2026-22695.patch
 # from upstream, for <1.6.54, RHEL-149000
 # https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
 Patch8:        libpng-1.6-cve-2026-22801.patch
+# from upstream, for <1.6.55, RHEL-148328
+# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
+Patch9:        libpng-1.6-cve-2026-25646.patch

 BuildRequires: gcc
 BuildRequires: zlib-devel
@ -90,6 +93,7 @@ cp -p %{SOURCE1} .
 %patch -P 6 -p1 -b .CVE-2025-66293_p2of2
 %patch -P 7 -p1 -b .cve-2026-22695
 %patch -P 8 -p1 -b .cve-2026-22801
+%patch -P 9 -p1 -b .cve-2026-25646

 %build
 autoreconf -vif
@ -130,6 +134,9 @@ make check
 %{_bindir}/pngfix

 %changelog
+* Tue Mar 03 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-15
+- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)
+
 * Thu Feb 19 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-14
 - fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356)
 - fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000)