libpng-1.6.34-11.el8_10
エラータID: AXSA:2026-1091:12
The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.
Security Fix(es):
* libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-33416
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
Update packages.
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
N/A
SRPMS
- libpng-1.6.34-11.el8_10.src.rpm
MD5: 80b9022169ebd6d4845dbfb9d4216b23
SHA-256: 0a476c977c6275b9b0761066d491653e6ae5c8dfb2dcb4f08ecb80d95a379e0e
Size: 0.99 MB
Asianux Server 8 for x86_64
- libpng-1.6.34-11.el8_10.i686.rpm
MD5: 8b684cf76d88ac211e8d2068ab37138c
SHA-256: 5559a07d8a238efdddf0c521ef326137b91705b182655e4aa74c61a4fc94294a
Size: 136.29 kB - libpng-1.6.34-11.el8_10.x86_64.rpm
MD5: 3b6ae356d2c9ec110672e92ca0d329d6
SHA-256: 9bfd708c68f71f705deaf4bb0bea42f147186eb85efec051e0acb180e5b172dc
Size: 126.49 kB - libpng-devel-1.6.34-11.el8_10.i686.rpm
MD5: 18a847d4787dfa67f076682492f97a43
SHA-256: b49b30e721f67b9ef4f5ae50f74a7e150149dcdd1b09c79d0d91c1655347d62a
Size: 327.73 kB - libpng-devel-1.6.34-11.el8_10.x86_64.rpm
MD5: 988e065e154eb991db405348f481e72e
SHA-256: 0549e67aa6b29f72b90ef95c41d9ae59908cd57f0d49b5b20e140e29652897c7
Size: 327.36 kB