Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAAoVtZwm9yLRV_DgvVTmir8-eEfLxksUshTQ-EBpPf1Cz_Vf=A@mail.gmail.com>
Date: Wed, 3 Dec 2025 23:33:28 +0200
From: Cosmin Truta <ctruta@...il.com>
To: Alan Coopersmith <alan.coopersmith@...cle.com>
Cc: oss-security@...ts.openwall.com, Greg Roelofs <newt@...ox.com>
Subject: Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293

[Cc-ing Greg Roelofs, who owns and maintains libpng.org]

On Wed, Dec 3, 2025 at 11:09 PM Alan Coopersmith <
alan.coopersmith@...cle.com> wrote:

> Does this bug (and the recent bugs fixed in 1.6.51) not affect the older
> branches of libpng, or is the statement that "libpng 1.2.x continues to
get
> security fixes, as has 1.0.x for well over a decade" on
> https://libpng.org/pub/png/libpng.html no longer correct?

The good news is this: neither this bug nor the ones in the previous
v1.6.51 release affect those ancient libpng releases. What these bugs DO
affect is a thing called "the simplified libpng API", which was added in
libpng-1.6.0.

The bad news is this:

> https://libpng.org/pub/png/libpng.html

I have seen that page a thousand times, and... yet... OOPSIE!!

> Is the statement on https://libpng.sourceforge.io/index.html that the
older
> branches "ARE NO LONGER UPDATED" and were frozen in 2017 the correct one
now?

Yes, that is correct.

Sincerely,
Cosmin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.