libpng-1.6.34-9.el8_10

Errata ID: AXSA:2026-006:01

Release date:
2026/01/08 Thursday - 11:27
Title:
libpng-1.6.34-9.el8_10
Affected channels:
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The libpng packages contain a library of functions for creating and manipulating Portable Network Graphics (PNG) image format files.

Security Fix(es):

* libpng: LIBPNG buffer overflow (CVE-2025-64720)
* libpng: LIBPNG heap buffer overflow (CVE-2025-65018)
* libpng: LIBPNG out-of-bounds read in png_image_read_composite (CVE-2025-66293)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2025-66293
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Solution:

Update packages.

Additional information:

N/A

Download:

SRPMS
  1. libpng-1.6.34-9.el8_10.src.rpm
    MD5: 9fa750638e81622915587a8a2b8a52e3
    SHA-256: 628968ec4366c8bc2ad07e012717de5fa34e3b52caf7492db485741e73b34d8b
    Size: 0.99 MB

Asianux Server 8 for x86_64
  1. libpng-1.6.34-9.el8_10.i686.rpm
    MD5: cad3e1668f3c32a90a8419f5c4b5e94e
    SHA-256: ec227856471b8d4e5d9ce50895e2776c58833e44bd375d613909f7109e2b8255
    Size: 135.62 kB
  2. libpng-1.6.34-9.el8_10.x86_64.rpm
    MD5: 0a693e2439098527353bb6080908707b
    SHA-256: c723a58e633bac139a27442b9e8333218008577ff768a870536725561a0a9b71
    Size: 125.77 kB
  3. libpng-devel-1.6.34-9.el8_10.i686.rpm
    MD5: f73755596cdef9127d1ed2b3da784381
    SHA-256: b8a25ce664c97a257f77a77128a1f900d850687746b5b4549e3ced9ab7dc0078
    Size: 327.26 kB
  4. libpng-devel-1.6.34-9.el8_10.x86_64.rpm
    MD5: 0103088569910ccb54a9dc0ee8d25a2f
    SHA-256: 76de36854e5bcb0869500933b8dafd833e0d08ac6564a5c5bf6f4ad4d8929d93
    Size: 326.92 kB