libpng1.6 - Debian Package Tracker

general

source: libpng1.6 (main)
version: 1.6.54-1
maintainer: Maintainers of libpng1.6 packages (DMD)
uploaders: Nobuhiro Iwamatsu [DMD] – Tobias Frost [DMD] – Gianfranco Costamagna [DMD]
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.6.37-3
o-o-sec: 1.6.37-3+deb11u1
oldstable: 1.6.39-2+deb12u1
old-sec: 1.6.39-2+deb12u1
stable: 1.6.48-1+deb13u1
stable-sec: 1.6.48-1+deb13u1
testing: 1.6.54-1
unstable: 1.6.54-1

versioned links

1.6.37-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.37-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.39-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.48-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.54-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpng-dev (1 bugs: 0, 0, 1, 0)
libpng-tools
libpng16-16-udeb
libpng16-16t64

action needed

A new upstream version is available: 1.6.55 high

A new upstream version 1.6.55 is available, you should consider packaging it.

Created: 2026-02-10 Last update: 2026-02-11 07:30

3 security issues in trixie high

There are 3 open security issues in trixie.

1 important issue:

CVE-2026-25646: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

2 issues left for the package maintainer to handle:

CVE-2026-22695: (needs triaging) LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
CVE-2026-22801: (needs triaging) LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-24 Last update: 2026-02-11 05:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-25646: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Created: 2026-02-10 Last update: 2026-02-11 05:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-25646: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Created: 2026-02-10 Last update: 2026-02-11 05:00

3 security issues in bullseye high

There are 3 open security issues in bullseye.

1 important issue:

CVE-2026-25646: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

2 issues postponed or untriaged:

CVE-2026-22695: (postponed; to be fixed through a stable update) LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
CVE-2026-22801: (postponed; to be fixed through a stable update) LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Created: 2026-02-10 Last update: 2026-02-11 05:00

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-25646: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

2 issues that should be fixed with the next stable update:

CVE-2026-22695: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
CVE-2026-22801: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Created: 2026-02-10 Last update: 2026-02-11 05:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-12-16 Last update: 2026-02-11 10:00

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-01-22 Last update: 2026-01-22 10:30

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 1.6.54-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-01-22 08:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.0).

Created: 2025-02-21 Last update: 2026-01-21 23:37

news

[rss feed]

[2026-01-27] libpng1.6 1.6.54-1 MIGRATED to testing (Debian testing watch)
[2026-01-21] Accepted libpng1.6 1.6.54-1 (source) into unstable (Tobias Frost) (signed by: Gianfranco Costamagna)
[2026-01-03] Accepted libpng1.6 1.6.39-2+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2026-01-03] Accepted libpng1.6 1.6.48-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-16] libpng1.6 1.6.53-1 MIGRATED to testing (Debian testing watch)
[2025-12-10] Accepted libpng1.6 1.6.53-1 (source) into unstable (Tobias Frost)
[2025-12-10] Accepted libpng1.6 1.6.39-2+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-10] Accepted libpng1.6 1.6.48-1+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-09] libpng1.6 1.6.52-1 MIGRATED to testing (Debian testing watch)
[2025-12-07] Accepted libpng1.6 1.6.37-3+deb11u1 (source) into oldoldstable-security (Tobias Frost)
[2025-12-04] Accepted libpng1.6 1.6.52-1 (source) into unstable (Tobias Frost)
[2025-11-27] libpng1.6 1.6.51-1 MIGRATED to testing (Debian testing watch)
[2025-11-24] Accepted libpng1.6 1.6.51-1 (source) into unstable (Tobias Frost)
[2025-08-19] libpng1.6 1.6.50-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted libpng1.6 1.6.50-1 (source) into unstable (Gianfranco Costamagna)
[2025-07-15] Accepted libpng1.6 1.6.50-1~exp1 (source) into experimental (Gianfranco Costamagna)
[2025-06-15] Accepted libpng1.6 1.6.49-1~exp1 (source) into experimental (Gianfranco Costamagna)
[2025-05-17] libpng1.6 1.6.48-1 MIGRATED to testing (Debian testing watch)
[2025-05-05] Accepted libpng1.6 1.6.48-1 (source) into unstable (Gianfranco Costamagna)
[2025-03-17] libpng1.6 1.6.47-1.1 MIGRATED to testing (Debian testing watch)
[2025-03-14] Accepted libpng1.6 1.6.47-1.1 (source) into unstable (Cyril Brulebois)
[2025-03-01] libpng1.6 1.6.47-1 MIGRATED to testing (Debian testing watch)
[2025-02-21] Accepted libpng1.6 1.6.47-1 (source) into unstable (Gianfranco Costamagna)
[2025-02-07] libpng1.6 1.6.46-4 MIGRATED to testing (Debian testing watch)
[2025-02-01] Accepted libpng1.6 1.6.46-4 (source) into unstable (Gianfranco Costamagna)
[2025-02-01] Accepted libpng1.6 1.6.46-3 (source) into unstable (Gianfranco Costamagna)
[2025-01-31] Accepted libpng1.6 1.6.46-2 (source) into unstable (Gianfranco Costamagna)
[2025-01-27] Accepted libpng1.6 1.6.46-1 (source) into unstable (Gianfranco Costamagna)
[2025-01-08] Accepted libpng1.6 1.6.45-1 (source) into unstable (Gianfranco Costamagna)
[2024-12-16] libpng1.6 1.6.44-3 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 1

links

homepage
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.6.54-1
1 bug