Skip to content

CVE-2025-66293: Document affected versions and patch workflow-tests #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

CVE-2025-66293: Document affected versions and patch workflow-tests #60

Copilot wants to merge 3 commits into from
+172 −41

Conversation

Copy link
Contributor

Copilot AI commented Feb 6, 2026
edited
Loading

CVE-2025-66293 is an out-of-bounds read in libpng < 1.6.52. Main repo was already patched (1.6.54 since Jan 2026), but workflow-tests remained vulnerable and no historical analysis existed.

Historical Impact Analysis

Traced git history to identify affected periods:

Development environment (pixi.lock):

  • Jun 2025 - Nov 2025: libpng 1.6.47 (commits 37f5d14 to fcd9069)
  • Nov 2025 - Jan 2026: libpng 1.6.50 (commits cf0f5a8 to ee11f38)
  • Jan 2026+: libpng 1.6.54 ✓

Workflow tests (workflow-tests/test-extension/pixi.lock):

  • Sep 2025 - Feb 2026: libpng 1.6.50 (commit adbd584 onwards)
  • Feb 2026+: libpng 1.6.54 ✓ (this PR)

Changes

  • SECURITY-ADVISORY-CVE-2025-66293.md: Timeline of affected versions, risk assessment, remediation steps
  • workflow-tests/test-extension/: Updated libpng 1.6.50 → 1.6.54, added libpng >= 1.6.52 constraint
  • README.md: Added security section reference

Risk Profile

High: Processing untrusted PNG files
Medium: Dev/test environments with trusted input
Low: No PNG processing

Developers who cloned Jun 2025 - Feb 2026 should rebuild environments: pixi clean && pixi install

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@HedgehogCode
Update libpng to 1.6.54 to fix CVE-2025-66293
99587b2 
Co-authored-by: HedgehogCode <6631116+HedgehogCode@users.noreply.github.com>
Copilot AI changed the title [WIP] Investigate repository for CVE-2025-66293 impact Fix CVE-2025-66293: Update libpng to 1.6.54 in workflow-tests Feb 6, 2026
Copilot AI requested a review from HedgehogCode February 6, 2026 13:23
@HedgehogCode
Add comprehensive CVE-2025-66293 security advisory
145f6f9 
Co-authored-by: HedgehogCode <6631116+HedgehogCode@users.noreply.github.com>
Copilot AI changed the title Fix CVE-2025-66293: Update libpng to 1.6.54 in workflow-tests CVE-2025-66293: Document affected versions and patch workflow-tests Feb 6, 2026
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 6, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HedgehogCode HedgehogCode Awaiting requested review from HedgehogCode

Assignees

@HedgehogCode HedgehogCode

Copilot code review Copilot

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HedgehogCode