[Git][security-tracker-team/security-tracker][master] Update status for CVE-2025-2816{2,4}/libpng1.6
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Jan 28 07:45:09 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cbb043f4 by Salvatore Bonaccorso at 2026-01-28T08:44:58+01:00
Update status for CVE-2025-2816{2,4}/libpng1.6
Track the fixing commit from upstream and annotate the unstable version
including the fix.
The affected range given in the description is odd, as the code in
question did not change in v1.6.43. Mark bookworm to err on the safe side as
no-dsa.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -286,15 +286,17 @@ CVE-2025-41726 (A low privileged remote attacker can execute arbitrary code by s
CVE-2025-33234 (NVIDIA runx contains a vulnerability where an attacker could cause a c ...)
TODO: check
CVE-2025-28164 (Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local a ...)
- - libpng1.6 <unfixed>
+ - libpng1.6 1.6.47-1
+ [bookworm] - libpng1.6 <no-dsa> (Minor issue)
NOTE: https://github.com/pnggroup/libpng/issues/655
NOTE: https://github.com/pnggroup/libpng/pull/657
- TODO: check details, negligible impact
+ NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/b20e6fb31479868f1d5f5cd268d4776767016941 (v1.6.47)
CVE-2025-28162 (Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local a ...)
- - libpng1.6 <unfixed>
+ - libpng1.6 1.6.47-1
+ [bookworm] - libpng1.6 <no-dsa> (Minor issue)
NOTE: https://github.com/pnggroup/libpng/issues/656
NOTE: https://github.com/pnggroup/libpng/pull/657
- TODO: check, negligible impact
+ NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/b20e6fb31479868f1d5f5cd268d4776767016941 (v1.6.47)
CVE-2025-14911 (User-controlled chunkSize metadata from MongoDB lacks appropriate vali ...)
- mongodb <removed>
CVE-2025-12810 (Improper Authentication vulnerability in Delinea Inc. Secret Server On ...)
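Review bot: The doubt about the affected range is recorded only in the commit message, not in the CVE-2025-28164 and CVE-2025-28162 entries, where the TODO lines are dropped without a replacement note. Both descriptions still read "libpng 1.6.43-1.6.46", so someone reading data/CVE/list later sees `[bookworm] - libpng1.6 <no-dsa> (Minor issue)` with nothing indicating that the range in the description is considered unreliable. Consider adding a NOTE line next to each `NOTE: Fixed by:` line stating that the code in question did not change in v1.6.43 and that bookworm is marked no-dsa as a precaution, so the reasoning survives outside the git log.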
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb043f49ac82bfaeb890afb6b70fb594e608e13