First, my apologies for letting the project stagnate for so long, and my thanks to everyone on the libsixel/libsixel project who continued to deliver security fixes and improvements during my absence.

This repository (saitoha/libsixel) does not yet incorporate everything from libsixel/libsixel. In particular, I am still evaluating whether to adopt Meson for the build system. Reasons include: I currently have no Meson expertise; importing it as-is would eliminate a large number of #ifdefs and likely reduce portability; and I am considering a future port to OpenVMS. I know many people dislike GNU Autotools, so I will keep revisiting the build system choice. The slow ./configure on Windows is a major pain point, but predefining CONFIG_SITE should mitigate it substantially.

On security fixes, my understanding is that the majority are already addressed. A summary of overall progress appears further below in this post. We deferred CVE-2021-46700 (#158), which we have not been able to reproduce, as well as certain Dependabot alerts that appear to have limited impact, for a later release.

📢 What's New in libsixel-1.8.7

• fix invalid pointer access in encoder.c (#193, #195)
  Thanks to @momo-trip, @akinomyoga

• fix wrong HLS to RGB conversion. (#191)
  Thanks to @gnachman, @j4james

• fix NULL pointer dereference problem in img2sixel.c (#192)
  Thanks to @momo-trip, @akinomyoga

• fix double free problem in encoder.c (#194)
  Thanks to @momo-trip

• Serucity fix for #200, heap buffer overflow in debug palette function.
  Thanks to @err2zero

• add EXTRA_DIST for LICENSE files (#129)
  Thanks to @ttdoda

• Travis-ci: added support for ppc64le (#140)
  Thanks to @dthadi3

• export sixel_allocator_new to dll (#151)
  Thanks to @johnnychen94

• README: Add Idris 2 language bindings (#155)
  Thanks to @Kaiepi

• performance: If width and height are unchanged, nothing to do. (#170)
  Thanks to @rokuyama

• README: add MacPorts to install options (#183)
  Thanks to @barracuda156

• fix for bash completion (#189)
  Thanks to @rcorre

• Add backport feature (nanosleep) for windows, github actions CI (#202)
  Thanks to @Kreijstal

• README: update NixOS link (#204)
  Thanks to @max-amb

• build: Remove override of $LIBJPEG_CFLAGS and $LIBJPEG_LIBS set by PKG_CHECK_MODULES()

• fix Problems with the dithering palette calculation (#188)
  Thanks to @gnachman, @j4james

• fix SEGV error in sixel_encoder_setopt (#174)
  Thanks to @shinibufa , @j4james

• curl: send original UserAgent header: "libsixel/${LIBSIXEL_VERSION}"

• fix heap-buffer-overflow in error_diffuse, quant.c:876 #172
  Thanks to @waugustus

• fix Heap-buffer-overflow in scale.c:214 #179
  Thanks to @chameleon10712, @j4james

• build: fallback support for environments without pkg-config.

• fix double-free problem in loader.c (#150)
  Thanks to @duytai, @ctrlcctrlv

• fix an assertion issue in stbi__create_png_image_raw (#163)
  Thanks to @kdsjZh, @dankamongmen

• Update stb_image.h from upstream to version 2.30
  THanks to @hzeller

• Update examples/drawing: add SGR-Pixels mode

• fix a problem on monochromatic encoded (-e) output (#112)
  Thanks to @interkosmos, @j4james

• fix a FPE issue (#166, #167)
  Thanks to @waugustus, @j4james

• cli: fix a scaling issue introduced in v1.6.1, which is caused
  when one of -w/-h is a percentage and the other is unset or "auto"

• fix a memory leak ploblem (#164)
  Thanks to @muetzenmann, @j4james

🛡️ libsixel Security Overview (CVE + Dependabot)

All CVEs reported for libsixel (2018–2025, including stb_image leftovers)

Build/Dev Dependencies (Dependabot alerts)

Notes

• ✅ = fixed, ❌ = still open, 🟡 = uninvestigated / in progress.
• Debian switched from saitoha/libsixel to the fork (libsixel/libsixel) starting at 1.10.3-1.
• The fork itself is archived (2025-02-12), so new CVEs are no longer addressed there.
• The Dependabot alerts relate only to dev/test tooling (Ruby rake, minitest, etc.) and do not affect the runtime library, but they matter for GitHub’s security signals and downstream packaging.