Date:      Thu, 09 Apr 2026 06:36:04 +0000
From:      bugzilla-noreply@freebsd.org
To:        desktop@FreeBSD.org
Subject:   maintainer-feedback requested: [Bug 294349] graphics/png: update to 1.6.57 - Use-after-free vulnerability fixed: CVE-2026-34757
Message-ID:  <bug-294349-39348-fDAkTxu56m@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-294349-39348@https.bugs.freebsd.org/bugzilla/>

Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-desktop (Team)
<desktop@FreeBSD.org> for maintainer-feedback:
Bug 294349: graphics/png: update to 1.6.57 - Use-after-free vulnerability
fixed: CVE-2026-34757
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294349

--- Description ---
libpng 1.6.57 has been released, fixing a medium-severity
use-after-free vulnerability in the chunk setter API, including a
long-standing defect in png_set_hIST present since at least 1.0.9
and regressions in png_set_PLTE and png_set_tRNS introduced in
1.6.56.

Users should either upgrade to libpng 1.6.57 or apply the fixes
described below.

=== CVE-2026-34757 ===

Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST
leading to corrupted chunk data and potential heap information
disclosure

Security advisory:
https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645

Fixes:
https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc

CVSS 3.1: 5.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-416 (Use-After-Free)
Affected (png_set_PLTE, png_set_tRNS): libpng 1.6.56 only
Affected (png_set_hIST): all versions since at least libpng 1.0.9
Fixed: libpng 1.6.57

Passing a pointer obtained from png_get_PLTE, png_get_tRNS, or
png_get_hIST back into the corresponding setter on the same
png_struct/png_info pair causes the setter to free the internal
buffer before copying from the caller-supplied pointer, which now
dangles. The subsequent copy reads from freed memory, producing
corrupted chunk data or leaking unrelated heap contents into the
chunk struct.

The png_set_PLTE and png_set_tRNS defects are regressions
introduced by the CVE-2026-33416 fix in libpng 1.6.56; earlier
versions tolerated the aliased pointer by accident. The
png_set_hIST defect has been present since at least libpng 1.0.9.

The defect cannot be triggered by a crafted PNG file alone; it
requires the application to call the getter and setter in sequence
on the same struct pair. Any valid image carrying the relevant
chunk suffices to populate the internal pointer that the
application then aliases.

Impact:
- Corrupted chunk data: the setter copies stale or reallocated heap
 contents into the replacement buffer, silently corrupting chunk
 metadata
- Information disclosure: unrelated heap data may become visible
 through subsequent getter calls

The same release also hardens the append-style setters
(png_set_text, png_set_sPLT, png_set_unknown_chunks) against a
theoretical variant of the same aliasing pattern.

Workaround: applications that pass a getter's return value back to
the corresponding setter on the same struct pair can simply remove
the redundant setter call, or copy the getter's output into a
caller-owned buffer before passing it to the setter.

Credits:
- @Iv4n550 (discovery of PLTE and tRNS defects)
- Cosmin Truta (discovery of hIST defect and fix of all defects)

=== References ===

- Release: https://github.com/pnggroup/libpng/releases/tag/v1.6.57
- libpng homepage: http://www.libpng.org/pub/png/libpng.html
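The aliasing pattern and the caller-side workaround from the description above, as an added C model that is not libpng's code: info_model and the model_* functions are assumptions standing in for png_info, png_get_PLTE and png_set_PLTE, and the setter's free-before-copy ordering only models the defect as the report describes it.

```c
/* Added example, not libpng code: a minimal model of the getter/setter aliasing
 * hazard in the report above and of its caller-side workaround. info_model and the
 * model_* functions are assumptions standing in for png_info/png_get_PLTE/png_set_PLTE. */
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char red, green, blue; } rgb_t;
typedef struct { rgb_t *palette; int num_palette; } info_model; /* library-owned buffer */

/* Like png_get_PLTE, the getter hands out the library's internal pointer. */
static rgb_t *model_get_PLTE(info_model *info, int *num) {
    *num = info->num_palette;
    return info->palette;
}

/* Setter with the defect's ordering: the internal buffer is freed before the
 * caller's data is copied, so a src that aliases it dangles during the memcpy.
 * Never pass the getter's result straight back in here. */
static void model_set_PLTE(info_model *info, const rgb_t *src, int num) {
    free(info->palette);                       /* src may point into this block */
    info->palette = malloc((size_t)num * sizeof *src);
    info->num_palette = info->palette ? num : 0;
    if (info->palette) memcpy(info->palette, src, (size_t)num * sizeof *src);
}

/* The advisory's workaround: copy the getter's output into a caller-owned buffer
 * before handing it to the setter. Returns 1 if the palette survives intact. */
static int safe_roundtrip(info_model *info) {
    int num, ok;
    rgb_t *internal = model_get_PLTE(info, &num);
    rgb_t *mine = malloc((size_t)num * sizeof *mine);
    if (!mine) return 0;
    memcpy(mine, internal, (size_t)num * sizeof *mine); /* internal still valid */
    model_set_PLTE(info, mine, num);  /* frees internal; mine is a separate block */
    ok = info->num_palette == num &&
         memcmp(info->palette, mine, (size_t)num * sizeof *mine) == 0;
    free(mine);
    return ok;
}

/* Constructed 3-entry palette; returns 1 when the safe round trip keeps it intact. */
static int demo_roundtrip(void) {
    const rgb_t seed[3] = { {255, 0, 0}, {0, 255, 0}, {0, 0, 255} };
    info_model info = { malloc(sizeof seed), 3 };
    int ok;
    if (!info.palette) return 0;
    memcpy(info.palette, seed, sizeof seed);
    ok = safe_roundtrip(&info) && info.palette[2].blue == 255 && info.palette[0].red == 255;
    free(info.palette);
    return ok;
}
```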
