Reference: https://www.openwall.com/lists/oss-security/2025/12/03/5
Source RPM: (none) => libpng-1.6.51-2.mga10.src.rpm, libpng-1.6.38-1.1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.6.52 and patches available from upstream
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-66293

Suggested advisory:
========================

The updated packages fix a security vulnerability:

LIBPNG has an out-of-bounds read in png_image_read_composite. (CVE-2025-66293)

References:
https://www.openwall.com/lists/oss-security/2025/12/03/5
========================

Updated packages in core/updates_testing:
========================
lib(64)png-devel-1.6.38-1.2.mga9
lib(64)png16_16-1.6.38-1.2.mga9

from SRPM:
libpng-1.6.38-1.2.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Fixed upstream in 1.6.52 and patches available from upstream => (none)
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Source RPM: libpng-1.6.51-2.mga10.src.rpm, libpng-1.6.38-1.1.mga9.src.rpm => libpng-1.6.38-1.1.mga9.src.rpm
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

No installation issues.

Used ImageMagick commands to convert a png image to jpg, and a different image from jpg to png, then used Gwenview to display each. No issues noted.

Looks good to me.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory
Does libpng12 need to be patched as well? The CVE says "Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API…" which implies that.
CC: (none) => dan
Hi,

If you follow the thread from the link given above, the answer is that none of the CVEs fixed in version 1.6.51 or in 1.6.52 affect 1.2.

Best regards,
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0323.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED