VDB

ESB-2026.7014

ESB-2026.7014 PUBLISHED CVSS 8.600000381469727 HIGH

=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.7014 Security update for libpng15 25 June 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: libpng15 Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2025-64720 CVE-2015-8472 CVE-2017-12652 CVE-2015-8126 CVE-2016-10087 CVE-2015-8540 Original Bulletin: https://www.suse.com/support/update/announcement/2026/suse-su-20262619-1 Comment: CVSS (Max): 8.8* CVE-2015-8540 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: [NIST], SUSE Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * Not all CVSS available when published EPSS (Max): 10.3% (95th) CVE-2015-8126 2026-06-24 - --------------------------BEGIN INCLUDED TEXT-------------------- Security update for libpng15 Announcement ID: SUSE-SU-2026:2619-1 Release Date: 2026-06-24T09:03:55Z Rating: moderate o bsc#1254159 References: o jsc#PED-16191 Cross-References: o CVE-2025-64720 o CVE-2025-64720 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L /UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2025-64720 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N CVSS scores: /S:U/C:L/I:N/A:H o CVE-2025-64720 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:L/I:N/A:H o SUSE Linux Enterprise Server 12 SP5 Affected o SUSE Linux Enterprise Server 12 SP5 LTSS Extended Products: Security o SUSE Linux Enterprise Server for SAP Applications 12 SP5 An update that solves one vulnerability and contains one feature can now be installed. Description: This update for libpng15 fixes the following issues Security issues: o CVE-2025-64720: buffer overflow in png_image_read_composite via incorrect palette premultiplication (bsc#1254159). Non security issue: o version update to 1.5.30 (jsc#PED-16191). Changes for libpng15: o Replaced "unexpected" with an integer in pngset.c where a long was expected, to avoid a compiler warning when PNG_DEBUG > 1. o Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. o Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds. o Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug report from Christopher Ferris). o Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the compiled library size. It never worked properly and as far as we can tell, no one uses it. The png_set_filter_heuristics() and png_set_filter_heuristics_fixed() APIs are retained but deprecated and do nothing. o Avoid potentially dereferencing NULL info_ptr in png_info_init_3(). Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and PNG_WEIGHT_FACTOR macros. o Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c o Fixed uninitialized variable in contrib/gregbook/rpng2-x.c o Fixed some bad links in the man page. o Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). o Fixed the recently reported 1's complement security issue by replacing the value that is illegal in the PNG spec, in both signed and unsigned values, with 0. Illegal unsigned values (anything greater than or equal to 0x80000000) can still pass through, but since these are not illegal in ANSI-C (unlike 0x80000000 in the signed case) the checking that occurs later can catch them (John Bowler). o Fixed png_save_int_32 when int is not 2's complement (John Bowler). o Fixed byte order in png_do_read_filler() with 16-bit input (previously fixed in libpng-1.6.17 and 1.7.0beta46). Previously the high and low bytes of the filler, from png_set_filler() or from png_set_add_alpha(), were read in the wrong order. o Merged pngvalid.c with version 1.6.19. o Added sPLT support to pngtest.c o Prevent writing over-length PLTE chunk (Cosmin Truta). o Libpng incorrectly calculated the output rowbytes when the application decreased either the number of channels or the bit depth (or both) in a user transform. This was safe; libpng overallocated buffer space (potentially by quite a lot; up to 4 times the amount required) but, from 1.5.4 on, resulted in a png_error (John Bowler). o Silently truncate over-length PLTE chunk while reading. o Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed(). o Clarified COPYRIGHT information to state explicitly that versions are derived from previous versions. Removed much of the long list of previous versions from png.h and libpng.3. o Fixed new bug with CRC error after reading an over-length palette (bug report by Cosmin Truta) (CVE-2015-8126). o Cleaned up coding style in png_handle_PLTE(). o Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr). o Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability. Fixes CVE-2015-8472. o Fixed an out-of-range read in png_check_keyword() (Bug report from o Qixue Xiao, CVE-2015-8540). o Corrected copyright dates in source files. o Moved png_check_keyword() from pngwutil.c to pngset.c o Added keyword checks to pngset.c (John Bowler). o Removed LE/BE dependencies in pngvalid, to 'fix' the current problem in the BigEndian tests by not testing it, making the BE code the same as the LE version. o Fixes to pngvalid for various reduced build configurations (eliminate unused statics) and a fix for the case in rgb_to_gray when the digitize option reduces graylo to 0, producing a large error. o Widened the 'limit' check on the internally calculated error limits in the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks) and changed the check to only operate in non-release builds (base build type not RC or RELEASE.) o Fixed undefined behavior in pngvalid.c, undefined because (png_byte) << shift is undefined if it changes the signed bit (because png_byte is promoted to int). The libpng exported functions png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8). This changes pngvalid to use BE random numbers; this used to produce errors but these should not be fixed as a result of the previous changes. In projects/vstudio, combined readme.txt and WARNING into README.txt Worked around a false-positive Coverity issue in pngvalid.c. Only use exit(77) from pngvalid.c in configure builds. o Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in and test.cmake.in (Roger Leigh). o Added a common-law trademark notice and export control information to the LICENSE file, png.h, and the man page. o Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h (Robert C. Seacord). o Fixed some misleading indentation in pngvalid.c (Krishnaraj Bhat). o Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED Bug report by (Y.Ohashik). o Added PNG_FAST_FILTERS macro (defined as PNG_FILTER_NONE|PNG_FILTER_SUB| PNG_FILTER_UP). o Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim, pngminus o Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III). o Added "Common linking failures" section to INSTALL. o Merge contrib/pngminim/*/makefile with libpng-1.6.24 o Minor editing of INSTALL, (whitespace, added copyright line) o Removed the use of a macro containing the pre-processor 'defined' operator. It is unclear whether this is valid; a macro that "generates" 'defined' is not permitted, but the use of the word "generates" within the C90 standard seems to imply more than simple substitution of an expression itself containing a well-formed defined operation. Previously the pngtrans.c code always resulted in an unsigned arithmetic overflow. This is well defined but produces errors from clang with the option to detect unsigned overflow. As the expression only gets evaluated once per row in this version of libpng it is easier just to rewrite it. o The previous version of png.c produced a signed overflow as a result of both the "& 0xffff" on the most significant bits of a negative argument; this converted (-1) into 65535 which resulted in a subsequent overflow. Since signed overflow is undefined in C90 the code has been modified to correctly calculate a signed result. This requires changing the 'hi' result parameter to a signed value. This has been code reviewed solely by the author. A further code review is highly desireable. Nevertheless the code compiles without warnings from clang and without the prior detection of an overflow. Since it no longer truncates any of the intermediate values this should be enough to ensure that it is correct. o Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian, CVE-2016-10087). o Suppress clang warnings about implicit sign changes in png.c o Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). o Added missing "$(CPPFLAGS)" to the compile line for c.pic.o in makefile.linux and makefile.solaris-x86 (Cosmin). Silence clang -Wcomma warnings (Viktor Szakats). o Update Sourceforge URLs in documentation (https instead of http). o Added png_check_chunk_length() function (Fixes CVE-2017-12652). o Moved chunk-name and chunk-length checks into PNG_EXTERN private png_check_chunk_name() and png_check_chunk_length() functions (Suggested by Max Stepin). o Merged pngtest.c with libpng-1.6.32. o Check for 0 return from png_get_rowbytes() in contrib/pngminus/ .c to stop some Coverity issues (162705, 162706, and 162707). Added PNGMINUS_UNUSED macro to contrib/pngminus/p .c and added missing parenthesis in contrib/ pngminus/pnm2png.c (bug report by Christian Hesse). o Fixed off-by-one error in png_do_check_palette_indexes() (Bug report by Mick P., Source Forge Issue #269). o Compute a larger limit on IDAT because some applications write a deflate buffer for each row (Bug report by Andrew Church). o Fixed incorrect typecast of some arguments to png_malloc() and png_calloc() that were png_uint_32 instead of png_alloc_size_t (Bug report by "irwir" in Github libpng issue #175). o Initialize memory allocated by png_inflate to zero, using memset, to stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2() due to truncated iTXt or zTXt chunk. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2619= 1 Package List: o SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64) libpng15-15-debuginfo-1.5.30-10.13.1 libpng15-debugsource-1.5.30-10.13.1 libpng15-15-1.5.30-10.13.1 References: o https://www.suse.com/security/cve/CVE-2025-64720.html o https://bugzilla.suse.com/show_bug.cgi?id=1254159 o https://jira.suse.com/browse/PED-16191 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================

Risk Scores

CVSS 4.0
8.600000381469727
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
SUSElibpng15

Timeline

  • Jun 25, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›