Libpng1.6 and FFmpeg updates for Debian

Debian 10697 Published by

Debian has released security updates for several packages: libpng1.6, ffmpeg, and their respective vulnerabilities. The libpng1.6 update fixes multiple vulnerabilities that allow information disclosure or denial of service via out-of-bounds reads, heap corruption, or buffer overflows. The ffmpeg update tackles a vulnerability that could lead to denial of service or arbitrary code execution when processing malformed files. Users are recommended to upgrade their packages to the latest versions for security patches: 1.6.37-3+deb11u1 for libpng1.6 and 7:7.1.3-0+deb13u1 for ffmpeg.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1589-1 libpng1.6 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4396-1] libpng1.6 security update

Debian GNU/Linux 13 (Trixie):
[DSA 6073-1] ffmpeg security update




[SECURITY] [DLA 4396-1] libpng1.6 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4396-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 07, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libpng1.6
Version : 1.6.37-3+deb11u1
CVE ID : CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018
CVE-2025-66293
Debian Bug : 1121216 1121217 1121218 1121219 1121877

Multiple vulnerabilties have been found in libpng, the official PNG
reference library, allowing information disclosure via out-of-bounds
read, denial of service via application crash, or heap corruption with
potential for arbitrary code execution.

CVE-2025-64505

Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506

Heap buffer over-read in png_write_image_8bit

CVE-2025-64720

Buffer overflow in png_image_read_composite via incorrect palette
premultiplication

CVE-2025-65018

Heap buffer overflow in png_combine_row triggered via
png_image_finish_read

CVE-2025-66293

An out-of-bounds read vulnerability in libpng's simplified API allows
reading up to 1012 bytes beyond the png_sRGB_base[512] array when
processing palette PNG images with partial transparency and gamma
correction

For Debian 11 bullseye, these problems have been fixed in version
1.6.37-3+deb11u1.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1589-1 libpng1.6 security update


Package : libpng1.6
Version : 1.6.28-1+deb9u2 (stretch), 1.6.36-6+deb10u1 (buster)

Related CVEs :
CVE-2025-64505
CVE-2025-64506
CVE-2025-64720
CVE-2025-65018
CVE-2025-66293

Multiple vulnerabilties have been found in libpng, the official PNG reference
library, allowing information disclosure via out-of-bounds read, denial of
service via application crash, or heap corruption with potential for arbitrary
code execution.

CVE-2025-64505
Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506
Heap buffer over-read in png_write_image_8bit

CVE-2025-64720
Buffer overflow in png_image_read_composite via incorrect palette
premultiplication

CVE-2025-65018
Heap buffer overflow in png_combine_row triggered via png_image_finish_read

CVE-2025-66293
An out-of-bounds read vulnerability in libpng's simplified API allows
reading up to 1012 bytes beyond the png_sRGB_base[512] array when
processing palette PNG images with partial transparency and gamma correction


ELA-1589-1 libpng1.6 security update



[SECURITY] [DSA 6073-1] ffmpeg security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6073-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 07, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ffmpeg
CVE ID : CVE-2025-25473

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (trixie), this problem has been fixed in
version 7:7.1.3-0+deb13u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Kernel, Webkit2GTK3, OpenSSL, Thunderbird updates for RHEL

WSL2 Distro Manager 1.9.0 released

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...