SUSE SLES12 Security Update : libpng15 (SUSE-SU-2026:2619-1)

high Nessus Plugin ID 323026

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLES12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:2619-1 advisory.

This update for libpng15 fixes the following issues:

Security issues:

- CVE-2025-64720: buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159).

Non-security issue:

- version update to 1.5.30 (jsc#PED-16191).

Changes for libpng15:

- Replaced 'unexpected' with an integer in pngset.c where a long was expected, to avoid a compiler warning when PNG_DEBUG > 1.
- Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds.
- Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
- Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug report from Christopher Ferris).
- Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the compiled library size. It never worked properly and as far as we can tell, no one uses it. The png_set_filter_heuristics() and png_set_filter_heuristics_fixed() APIs are retained but deprecated and do nothing.
- Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
- Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and PNG_WEIGHT_FACTOR macros.
- Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
- Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
- Fixed some bad links in the man page.
- Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord).
- Fixed the recently reported 1's complement security issue by replacing the value that is illegal in the PNG spec, in both signed and unsigned values, with 0. Illegal unsigned values (anything greater than or equal to 0x80000000) can still pass through, but since these are not illegal in ANSI-C (unlike 0x80000000 in the signed case) the checking that occurs later can catch them (John Bowler).
- Fixed png_save_int_32 when int is not 2's complement (John Bowler).
- Fixed byte order in png_do_read_filler() with 16-bit input (previously fixed in libpng-1.6.17 and 1.7.0beta46). Previously the high and low bytes of the filler, from png_set_filler() or from png_set_add_alpha(), were read in the wrong order.
- Merged pngvalid.c with version 1.6.19.
- Added sPLT support to pngtest.c
- Prevent writing over-length PLTE chunk (Cosmin Truta).
- Libpng incorrectly calculated the output rowbytes when the application decreased either the number of channels or the bit depth (or both) in a user transform. This was safe; libpng overallocated buffer space (potentially by quite a lot; up to 4 times the amount required) but, from 1.5.4 on, resulted in a png_error (John Bowler).
- Silently truncate over-length PLTE chunk while reading.
- Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed().
- Clarified COPYRIGHT information to state explicitly that versions are derived from previous versions.
- Removed much of the long list of previous versions from png.h and libpng.3.
- Fixed new bug with CRC error after reading an over-length palette (bug report by Cosmin Truta) (CVE-2015-8126).
- Cleaned up coding style in png_handle_PLTE().
- Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
- Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability. Fixes CVE-2015-8472.
- Fixed an out-of-range read in png_check_keyword() (Bug report from Qixue Xiao, CVE-2015-8540).
- Corrected copyright dates in source files.
- Moved png_check_keyword() from pngwutil.c to pngset.c
- Added keyword checks to pngset.c (John Bowler).
- Removed LE/BE dependencies in pngvalid, to 'fix' the current problem in the BigEndian tests by not testing it, making the BE code the same as the LE version.
- Fixes to pngvalid for various reduced build configurations (eliminate unused statics) and a fix for the case in rgb_to_gray when the digitize option reduces graylo to 0, producing a large error.
- Widened the 'limit' check on the internally calculated error limits in the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks) and changed the check to only operate in non-release builds (base build type not RC or RELEASE.)
- Fixed undefined behavior in pngvalid.c, undefined because (png_byte) << shift is undefined if it changes the signed bit (because png_byte is promoted to int). The libpng exported functions png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8).
- This changes pngvalid to use BE random numbers; this used to produce errors but these should not be fixed as a result of the previous changes.
- In projects/vstudio, combined readme.txt and WARNING into README.txt.
- Worked around a false-positive Coverity issue in pngvalid.c.
- Only use exit(77) from pngvalid.c in configure builds.
- Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in and test.cmake.in (Roger Leigh).
- Added a common-law trademark notice and export control information to the LICENSE file, png.h, and the man page.
- Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h (Robert C. Seacord).
- Fixed some misleading indentation in pngvalid.c (Krishnaraj Bhat).
- Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED (Bug report by Y.Ohashik).
- Added PNG_FAST_FILTERS macro (defined as PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP).
- Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim, pngminus
- Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III).
- Added 'Common linking failures' section to INSTALL.
- Merge contrib/pngminim/*/makefile with libpng-1.6.24
- Minor editing of INSTALL, (whitespace, added copyright line)
- Removed the use of a macro containing the pre-processor 'defined' operator. It is unclear whether this is valid; a macro that 'generates' 'defined' is not permitted, but the use of the word 'generates' within the C90 standard seems to imply more than simple substitution of an expression itself containing a well-formed defined operation.
- Previously the pngtrans.c code always resulted in an unsigned arithmetic overflow. This is well defined but produces errors from clang with the option to detect unsigned overflow. As the expression only gets evaluated once per row in this version of libpng it is easier just to rewrite it.
- The previous version of png.c produced a signed overflow as a result of both the '& 0xffff' on the most significant bits of a negative argument; this converted (-1) into 65535 which resulted in a subsequent overflow. Since signed overflow is undefined in C90 the code has been modified to correctly calculate a signed result. This requires changing the 'hi' result parameter to a signed value. This has been code reviewed solely by the author. A further code review is highly desirable. Nevertheless the code compiles without warnings from clang and without the prior detection of an overflow. Since it no longer truncates any of the intermediate values this should be enough to ensure that it is correct.
- Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian, CVE-2016-10087).
- Suppress clang warnings about implicit sign changes in png.c
- Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
- Added missing '$(CPPFLAGS)' to the compile line for c.pic.o in makefile.linux and makefile.solaris-x86 (Cosmin).
- Silence clang -Wcomma warnings (Viktor Szakats).
- Update Sourceforge URLs in documentation (https instead of http).
- Added png_check_chunk_length() function (Fixes CVE-2017-12652).
- Moved chunk-name and chunk-length checks into PNG_EXTERN private png_check_chunk_name() and png_check_chunk_length() functions (Suggested by Max Stepin).
- Merged pngtest.c with libpng-1.6.32.
- Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707).
- Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
- Fixed off-by-one error in png_do_check_palette_indexes() (Bug report by Mick P., Source Forge Issue #269).
- Compute a larger limit on IDAT because some applications write a deflate buffer for each row (Bug report by Andrew Church).
- Fixed incorrect typecast of some arguments to png_malloc() and png_calloc() that were png_uint_32 instead of png_alloc_size_t (Bug report by 'irwir' in Github libpng issue #175).
- Initialize memory allocated by png_inflate to zero, using memset, to stop an oss-fuzz 'use of uninitialized value' detection in png_set_text_2() due to truncated iTXt or zTXt chunk.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected libpng15-15 package.

See Also

https://bugzilla.suse.com/1254159

https://lists.suse.com/pipermail/sle-updates/2026-June/047603.html

https://www.suse.com/security/cve/CVE-2025-64720

Plugin Details

Severity: High

ID: 323026

File Name: suse_SU-2026-2619-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

CVSS Score Source: CVE-2025-64720

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:libpng15-15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/24/2026

Vulnerability Publication Date: 11/11/2025

Reference Information

CVE: CVE-2025-64720

SuSE: SUSE-SU-2026:2619-1