Security update for libpng16

Announcement ID:	SUSE-SU-2025:4533-1
Release Date:	2025-12-29T16:11:25Z
Rating:	moderate
References:	bsc#1254157 bsc#1254158 bsc#1254159 bsc#1254160
Cross-References:	CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018
CVSS scores:	CVE-2025-64505 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-64505 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2025-64505 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2025-64506 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-64506 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2025-64506 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2025-64720 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-64720 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2025-64720 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2025-65018 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-65018 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2025-65018 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves four vulnerabilities can now be installed.

Description:

This update for libpng16 fixes the following issues:

• CVE-2025-64720: Fixed buffer overflow in png_image_read_composite via incorrect palette premultiplication (bsc#1254159)
• CVE-2025-64505: Fixed heap buffer over-read in png_do_quantize via malformed palette index (bsc#1254157)
• CVE-2025-64506: Fixed heap buffer over-read in png_write_image_8bit with 8-bit input and convert_to_8bit enabled (bsc#1254158)
• CVE-2025-65018: Fixed heap buffer overflow in png_combine_row triggered via png_image_finish_read (bsc#1254160)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-4533=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • libpng16-debugsource-1.6.8-15.9.1
  • libpng16-compat-devel-1.6.8-15.9.1
  • libpng16-16-1.6.8-15.9.1
  • libpng16-16-debuginfo-32bit-1.6.8-15.9.1
  • libpng16-16-32bit-1.6.8-15.9.1
  • libpng16-devel-1.6.8-15.9.1
  • libpng16-16-debuginfo-1.6.8-15.9.1

References:

• https://www.suse.com/security/cve/CVE-2025-64505.html
• https://www.suse.com/security/cve/CVE-2025-64506.html
• https://www.suse.com/security/cve/CVE-2025-64720.html
• https://www.suse.com/security/cve/CVE-2025-65018.html
• https://bugzilla.suse.com/show_bug.cgi?id=1254157
• https://bugzilla.suse.com/show_bug.cgi?id=1254158
• https://bugzilla.suse.com/show_bug.cgi?id=1254159
• https://bugzilla.suse.com/show_bug.cgi?id=1254160