SUSE-SU-2026:2619-1: moderate: Security update for libpng15

SLE-UPDATES null at suse.de
Wed Jun 24 16:31:20 UTC 2026


# Security update for libpng15

Announcement ID: SUSE-SU-2026:2619-1  
Release Date: 2026-06-24T09:03:55Z  
Rating: moderate  
References:

  * bsc#1254159
  * jsc#PED-16191

  
Cross-References:

  * CVE-2025-64720

  
CVSS scores:

  * CVE-2025-64720 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-64720 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  * CVE-2025-64720 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

  
Affected Products:

  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5

  
  
An update that solves one vulnerability and contains one feature can now be
installed.

## Description:

This update for libpng15 fixes the following issues:

Security issues:

  * CVE-2025-64720: buffer overflow in `png_image_read_composite` via incorrect
    palette premultiplication (bsc#1254159).

Non-security issue:

  * version update to 1.5.30 (jsc#PED-16191).

Changes for libpng15:

  * Replaced "unexpected" with an integer in pngset.c where a long was expected,
    to avoid a compiler warning when PNG_DEBUG > 1.
  * Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a
    compiler warning in PNG_DEBUG builds.
  * Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
  * Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug report
    from Christopher Ferris).
  * Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the compiled
    library size. It never worked properly and as far as we can tell, no one
    uses it. The png_set_filter_heuristics() and
    png_set_filter_heuristics_fixed() APIs are retained but deprecated and do
    nothing.
  * Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
    Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
    PNG_WEIGHT_FACTOR macros.
  * Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
  * Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
  * Fixed some bad links in the man page.
  * Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
    Seacord).
  * Fixed the recently reported 1's complement security issue by replacing the
    value that is illegal in the PNG spec, in both signed and unsigned values,
    with 0. Illegal unsigned values (anything greater than or equal to
    0x80000000) can still pass through, but since these are not illegal in
    ANSI-C (unlike 0x80000000 in the signed case) the checking that occurs later
    can catch them (John Bowler).
  * Fixed png_save_int_32 when int is not 2's complement (John Bowler).
  * Fixed byte order in png_do_read_filler() with 16-bit input (previously fixed
    in libpng-1.6.17 and 1.7.0beta46). Previously the high and low bytes of the
    filler, from png_set_filler() or from png_set_add_alpha(), were read in the
    wrong order.
  * Merged pngvalid.c with version 1.6.19.
  * Added sPLT support to pngtest.c
  * Prevent writing over-length PLTE chunk (Cosmin Truta).
  * Libpng incorrectly calculated the output rowbytes when the application
    decreased either the number of channels or the bit depth (or both) in a user
    transform. This was safe; libpng overallocated buffer space (potentially by
    quite a lot; up to 4 times the amount required) but, from 1.5.4 on, resulted
    in a png_error (John Bowler).
  * Silently truncate over-length PLTE chunk while reading.
  * Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed().
  * Clarified COPYRIGHT information to state explicitly that versions are
    derived from previous versions. Removed much of the long list of previous
    versions from png.h and libpng.3.
  * Fixed new bug with CRC error after reading an over-length palette (bug
    report by Cosmin Truta) (CVE-2015-8126).
  * Cleaned up coding style in png_handle_PLTE().
  * Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
    png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
  * Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not
    info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability.
    Fixes CVE-2015-8472.
  * Fixed an out-of-range read in png_check_keyword() (Bug report from
    Qixue Xiao, CVE-2015-8540).
  * Corrected copyright dates in source files.
  * Moved png_check_keyword() from pngwutil.c to pngset.c
  * Added keyword checks to pngset.c (John Bowler).
  * Removed LE/BE dependencies in pngvalid, to 'fix' the current problem in the
    BigEndian tests by not testing it, making the BE code the same as the LE
    version.
  * Fixes to pngvalid for various reduced build configurations (eliminate unused
    statics) and a fix for the case in rgb_to_gray when the digitize option
    reduces graylo to 0, producing a large error.
  * Widened the 'limit' check on the internally calculated error limits in the
    'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks)
    and changed the check to only operate in non-release builds (base build type
    not RC or RELEASE.)
  * Fixed undefined behavior in pngvalid.c, undefined because (png_byte) <<
    shift is undefined if it changes the signed bit (because png_byte is
    promoted to int). The libpng exported functions png_get_uint_32 and
    png_get_uint_16 handle this. (Bug reported by David Drysdale as a result of
    reports from UBSAN in clang 3.8). This changes pngvalid to use BE random
    numbers; this used to produce errors but these should not be fixed as a
    result of the previous changes. In projects/vstudio, combined readme.txt and
    WARNING into README.txt. Worked around a false-positive Coverity issue in
    pngvalid.c. Only use exit(77) from pngvalid.c in configure builds.
  * Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in and
    test.cmake.in (Roger Leigh).
  * Added a common-law trademark notice and export control information to the
    LICENSE file, png.h, and the man page.
  * Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h
    (Robert C. Seacord).
  * Fixed some misleading indentation in pngvalid.c (Krishnaraj Bhat).
  * Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED (Bug
    report by Y.Ohashik).
  * Added PNG_FAST_FILTERS macro (defined as
    PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP).
  * Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim,
    pngminus
  * Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy()
    with a null source, even if count is zero (Leon Scroggins III).
  * Added "Common linking failures" section to INSTALL.
  * Merge contrib/pngminim/*/makefile with libpng-1.6.24
  * Minor editing of INSTALL, (whitespace, added copyright line)
  * Removed the use of a macro containing the pre-processor 'defined' operator.
    It is unclear whether this is valid; a macro that "generates" 'defined' is
    not permitted, but the use of the word "generates" within the C90 standard
    seems to imply more than simple substitution of an expression itself
    containing a well-formed defined operation. Previously the pngtrans.c code
    always resulted in an unsigned arithmetic overflow. This is well defined but
    produces errors from clang with the option to detect unsigned overflow. As
    the expression only gets evaluated once per row in this version of libpng it
    is easier just to rewrite it.
  * The previous version of png.c produced a signed overflow as a result of
    the "& 0xffff" on the most significant bits of a negative argument; this
    converted (-1) into 65535 which resulted in a subsequent overflow. Since
    signed overflow is undefined in C90 the code has been modified to correctly
    calculate a signed result. This requires changing the 'hi' result parameter
    to a signed value. This has been code reviewed solely by the author. A
    further code review is highly desirable. Nevertheless the code compiles
    without warnings from clang and without the prior detection of an overflow.
    Since it no longer truncates any of the intermediate values this should be
    enough to ensure that it is correct.
  * Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian, CVE-2016-10087).
  * Suppress clang warnings about implicit sign changes in png.c
  * Avoid potential overflow of shift operations in png_do_expand() (Aaron
    Boxer).
  * Added missing "$(CPPFLAGS)" to the compile line for c.pic.o in
    makefile.linux and makefile.solaris-x86 (Cosmin). Silence clang -Wcomma
    warnings (Viktor Szakats).
  * Update Sourceforge URLs in documentation (https instead of http).
  * Added png_check_chunk_length() function (Fixes CVE-2017-12652).
  * Moved chunk-name and chunk-length checks into PNG_EXTERN private
    png_check_chunk_name() and png_check_chunk_length() functions (Suggested by
    Max Stepin).
  * Merged pngtest.c with libpng-1.6.32.
  * Check for 0 return from png_get_rowbytes() in contrib/pngminus/`*.c` to stop
    some Coverity issues (162705, 162706, and 162707). Added PNGMINUS_UNUSED
    macro to contrib/pngminus/`p*.c` and added missing parenthesis in
    contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
  * Fixed off-by-one error in png_do_check_palette_indexes() (Bug report by Mick
    P., Source Forge Issue #269).
  * Compute a larger limit on IDAT because some applications write a deflate
    buffer for each row (Bug report by Andrew Church).
  * Fixed incorrect typecast of some arguments to png_malloc() and png_calloc()
    that were png_uint_32 instead of png_alloc_size_t (Bug report by "irwir" in
    Github libpng issue #175).
  * Initialize memory allocated by png_inflate to zero, using memset, to stop an
    oss-fuzz "use of uninitialized value" detection in png_set_text_2() due to
    truncated iTXt or zTXt chunk.
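Two of the changelog entries above describe the same defensive pattern for decoding PNG's big-endian integer fields: widen a `png_byte` before shifting it (so the shift cannot touch the sign bit of a promoted `int`), and treat the encoding 0x80000000, which the PNG specification forbids in signed fields, by replacing it with 0 rather than letting it reach a signed cast. The block below is an added example written for this page, not libpng's own code: it reads a 4-byte unsigned field with the cast applied before the shift, decodes a signed field while mapping the illegal encoding to 0, and applies the 31-bit limit that chunk lengths and most unsigned fields must satisfy. All function names, the `PNG_UINT_31_MAX` constant and the sample byte arrays are this example's own, constructed for the demonstration.

```c
/* Added example (not libpng's own code): UB-free decoding of PNG's
 * big-endian integer fields, following the approach the changelog
 * entries above describe.  Names and sample data are this example's own. */
#include <stdint.h>
#include <stdio.h>

/* Largest value PNG allows for chunk lengths and most unsigned fields. */
#define PNG_UINT_31_MAX 0x7fffffffU

/* Read a 4-byte network-order unsigned integer.  Each byte is widened to
 * uint32_t BEFORE the shift: an unsigned char promotes to int, and
 * shifting a value >= 0x80 left by 24 would set the sign bit of that int,
 * which is undefined behaviour in C. */
static uint32_t be_get_uint32(const unsigned char *buf)
{
    return ((uint32_t)buf[0] << 24) |
           ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] <<  8) |
            (uint32_t)buf[3];
}

/* Signed 4-byte field (the kind used for oFFs offsets).  PNG forbids the
 * encoding 0x80000000 in signed fields, and on a one's-complement C90
 * 'long' it has no representation at all, so it is replaced with 0 as the
 * changelog entry describes.  Every other negative value is reconstructed
 * with ~u + 1 on unsigned arithmetic, which is always well defined. */
static int32_t be_get_int32(const unsigned char *buf)
{
    uint32_t u = be_get_uint32(buf);
    if ((u & 0x80000000U) == 0)
        return (int32_t)u;            /* non-negative: fits as is */
    u = (~u) + 1U;                    /* magnitude of the negative value */
    if ((u & 0x80000000U) == 0)
        return -(int32_t)u;           /* representable negative value */
    return 0;                         /* 0x80000000: illegal, neutralised */
}

/* Unsigned field restricted to 31 bits.  Returns 1 and stores the value
 * when it is in range, 0 when the top bit is set, so a caller can reject
 * the chunk instead of sizing a buffer from an out-of-range length.
 * 'out' may be NULL when only the validity check is wanted. */
static int be_get_uint31(const unsigned char *buf, uint32_t *out)
{
    uint32_t u = be_get_uint32(buf);
    if (u > PNG_UINT_31_MAX)
        return 0;
    if (out != NULL)
        *out = u;
    return 1;
}

/* Constructed sample fields for the demonstration, not from any real file. */
static const unsigned char SAMPLE_POS[4]      = {0x00, 0x00, 0x01, 0x00}; /* 256 */
static const unsigned char SAMPLE_NEG[4]      = {0xff, 0xff, 0xff, 0xff}; /* -1 */
static const unsigned char SAMPLE_MOST_NEG[4] = {0x80, 0x00, 0x00, 0x01}; /* -2147483647 */
static const unsigned char SAMPLE_ILLEGAL[4]  = {0x80, 0x00, 0x00, 0x00}; /* forbidden */

int main(void)
{
    uint32_t len = 0;

    printf("pos      = %ld\n", (long)be_get_int32(SAMPLE_POS));
    printf("neg      = %ld\n", (long)be_get_int32(SAMPLE_NEG));
    printf("most_neg = %ld\n", (long)be_get_int32(SAMPLE_MOST_NEG));
    printf("illegal  = %ld\n", (long)be_get_int32(SAMPLE_ILLEGAL));

    if (be_get_uint31(SAMPLE_POS, &len))
        printf("uint31 accepted: %lu\n", (unsigned long)len);
    if (!be_get_uint31(SAMPLE_ILLEGAL, NULL))
        printf("uint31 rejected: top bit set\n");
    return 0;
}
```

The point of returning a validity flag from `be_get_uint31` rather than clamping is that a length with the top bit set is evidence of a malformed or hostile file, and the caller should stop processing that chunk instead of continuing with a substituted value.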

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2619=1

## Package List:

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
    * libpng15-15-debuginfo-1.5.30-10.13.1
    * libpng15-debugsource-1.5.30-10.13.1
    * libpng15-15-1.5.30-10.13.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-64720.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1254159
  * https://jira.suse.com/browse/PED-16191
