libpng1.6 - Debian Package Tracker

general

source: libpng1.6 (main)
version: 1.6.53-1
maintainer: Maintainers of libpng1.6 packages (DMD)
uploaders: Nobuhiro Iwamatsu [DMD] – Tobias Frost [DMD] – Gianfranco Costamagna [DMD]
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.6.37-3
o-o-sec: 1.6.37-3+deb11u1
oldstable: 1.6.39-2
old-sec: 1.6.39-2+deb12u1
stable: 1.6.48-1
stable-sec: 1.6.48-1+deb13u1
testing: 1.6.53-1
unstable: 1.6.53-1

versioned links

1.6.37-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.37-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.39-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.39-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.48-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.48-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.53-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpng-dev (1 bugs: 0, 0, 1, 0)
libpng-tools
libpng16-16-udeb
libpng16-16t64

action needed

A new upstream version is available: 1.6.54 high

A new upstream version 1.6.54 is available, you should consider packaging it.

Created: 2026-01-15 Last update: 2026-01-20 10:32

2 security issues in trixie high

There are 2 open security issues in trixie.

1 important issue:

CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

1 issue left for the package maintainer to handle:

CVE-2026-22801: (needs triaging) LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-13 Last update: 2026-01-18 22:00

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
CVE-2026-22801: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Created: 2026-01-13 Last update: 2026-01-18 22:00

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
CVE-2026-22801: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Created: 2026-01-13 Last update: 2026-01-18 22:00

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
CVE-2026-22801: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Created: 2026-01-13 Last update: 2026-01-18 22:00

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

1 issue left for the package maintainer to handle:

CVE-2026-22801: (needs triaging) LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-13 Last update: 2026-01-18 22:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-12-16 Last update: 2026-01-20 10:31

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.6.54-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit ea624ba87bd6ba22d5e3f3a20ae264705d6139b9
Merge: 5853386 4a1c884
Author: Gianfranco Costamagna <locutusofborg@debian.org>
Date:   Sat Jan 17 12:40:30 2026 +0100

    Merge remote-tracking branch 'origin/master'

commit 5853386f6eacbaa8c4cd4aefc64dbcfa8f949650
Author: Gianfranco Costamagna <locutusofborg@debian.org>
Date:   Fri Jan 16 17:05:55 2026 +0100

    Drop whitespace in changelog

commit 6762887337bd940d47083c9c23b96ba12193437f
Author: Gianfranco Costamagna <locutusofborg@debian.org>
Date:   Fri Jan 16 17:05:49 2026 +0100

    Bump copyright years

commit 4a1c8840dded8cdb8f7a5f7b5d41db2f4b6f8ea3
Author: Tobias Frost <tobi@debian.org>
Date:   Fri Jan 16 08:58:18 2026 +0100

    Bump d/copyright years.

commit a0f439a073c0c19836b146baf331694c470ca34a
Author: Tobias Frost <tobi@debian.org>
Date:   Fri Jan 16 08:49:19 2026 +0100

    * New upstream version 1.6.54.
      - CVE-2026-22695 - Heap buffer overread. Closes: #1125443
      - CVE-2026-22801 - Heap buffer overread. Closes: #1125444

commit d6c2d42d47a54ecf1cdf1c00ee9c587557ade85c
Merge: 7ef5cc0 f6f48bf
Author: Tobias Frost <tobi@debian.org>
Date:   Fri Jan 16 08:44:03 2026 +0100

    Update upstream source from tag 'upstream/1.6.54'
    
    Update to upstream version '1.6.54'
    with Debian dir 9e06ef9fe3711c808b351a3d73b273da8a362534

commit f6f48bff6df4ddae5c191b5c82fc01486aa9b6e9
Author: Tobias Frost <tobi@debian.org>
Date:   Fri Jan 16 08:43:55 2026 +0100

    New upstream version 1.6.54

Created: 2026-01-16 Last update: 2026-01-17 13:02

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-01-16 Last update: 2026-01-16 06:01

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 1.6.53-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-12-10 20:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-12-23 20:00

news

[rss feed]

[2026-01-03] Accepted libpng1.6 1.6.39-2+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2026-01-03] Accepted libpng1.6 1.6.48-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-16] libpng1.6 1.6.53-1 MIGRATED to testing (Debian testing watch)
[2025-12-10] Accepted libpng1.6 1.6.53-1 (source) into unstable (Tobias Frost)
[2025-12-10] Accepted libpng1.6 1.6.39-2+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-10] Accepted libpng1.6 1.6.48-1+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-09] libpng1.6 1.6.52-1 MIGRATED to testing (Debian testing watch)
[2025-12-07] Accepted libpng1.6 1.6.37-3+deb11u1 (source) into oldoldstable-security (Tobias Frost)
[2025-12-04] Accepted libpng1.6 1.6.52-1 (source) into unstable (Tobias Frost)
[2025-11-27] libpng1.6 1.6.51-1 MIGRATED to testing (Debian testing watch)
[2025-11-24] Accepted libpng1.6 1.6.51-1 (source) into unstable (Tobias Frost)
[2025-08-19] libpng1.6 1.6.50-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted libpng1.6 1.6.50-1 (source) into unstable (Gianfranco Costamagna)
[2025-07-15] Accepted libpng1.6 1.6.50-1~exp1 (source) into experimental (Gianfranco Costamagna)
[2025-06-15] Accepted libpng1.6 1.6.49-1~exp1 (source) into experimental (Gianfranco Costamagna)
[2025-05-17] libpng1.6 1.6.48-1 MIGRATED to testing (Debian testing watch)
[2025-05-05] Accepted libpng1.6 1.6.48-1 (source) into unstable (Gianfranco Costamagna)
[2025-03-17] libpng1.6 1.6.47-1.1 MIGRATED to testing (Debian testing watch)
[2025-03-14] Accepted libpng1.6 1.6.47-1.1 (source) into unstable (Cyril Brulebois)
[2025-03-01] libpng1.6 1.6.47-1 MIGRATED to testing (Debian testing watch)
[2025-02-21] Accepted libpng1.6 1.6.47-1 (source) into unstable (Gianfranco Costamagna)
[2025-02-07] libpng1.6 1.6.46-4 MIGRATED to testing (Debian testing watch)
[2025-02-01] Accepted libpng1.6 1.6.46-4 (source) into unstable (Gianfranco Costamagna)
[2025-02-01] Accepted libpng1.6 1.6.46-3 (source) into unstable (Gianfranco Costamagna)
[2025-01-31] Accepted libpng1.6 1.6.46-2 (source) into unstable (Gianfranco Costamagna)
[2025-01-27] Accepted libpng1.6 1.6.46-1 (source) into unstable (Gianfranco Costamagna)
[2025-01-08] Accepted libpng1.6 1.6.45-1 (source) into unstable (Gianfranco Costamagna)
[2024-12-16] libpng1.6 1.6.44-3 MIGRATED to testing (Debian testing watch)
[2024-12-10] Accepted libpng1.6 1.6.44-3 (source) into unstable (Gianfranco Costamagna)
[2024-10-03] libpng1.6 1.6.44-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 3
RC: 0
I&N: 0
M&W: 1
F&P: 2
patch: 1

links

homepage
lintian (0, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.6.53-1
1 bug