github saitoha/libsixel v1.8.7-r1
v1.8.7-r1 security update

More than seven months have passed since our last release, so we are publishing this minor update. Thank you to everyone who submitted bug reports and security advisories.

Development is currently focused on the develop branch, where we are improving quality by generating a large number of tests with an AI agent.

The develop branch includes improvements to quantization and dithering, band-level parallelization, parallel and pipelined processing for encoding, decoding, and dithering, as well as loader enhancements. Because these significant additions broaden the attack surface, we are strengthening security with static analysis and fuzzing in GitHub Actions; however, stabilization is expected to take some time.

The Dependabot alert issue that was not addressed in v1.8.7 has already been resolved on the develop branch, and the fix is planned for release in v1.8.11.

📢 What's New in libsixel-1.9.7-r1

  • Security fix for CVE-2026-33023 (GHSA-hr25-g2j6-qjw6), use-after-free in load_with_gdkpixbuf().
    Thanks to @nicoppida

  • Security fix for CVE-2026-33018 (GHSA-w46f-jr9f-rgvp), use-after-free in load_gif().
    Thanks to @nicoppida

  • Security fix for CVE-2026-33019 (GHSA-c854-ffg9-g72c), integer overflow that leads to out-of-bounds read in img2sixel.
    Thanks to @nicoppida

  • Security fix for CVE-2026-33020 (GHSA-2xgm-4x47-2x2p), integer overflow in write_png_to_file() that leads to heap overflow.
    Thanks to @nicoppida

  • Security fix for CVE-2026-33021 (GHSA-j6m5-2cc7-3whc), use-after-free in sixel_encoder_encode_bytes().
    Thanks to @nicoppida

  • Security fix for #222, out-of-bounds memory access in packed pixel format copy path.
    Thanks to @xyzzy42

  • Security backports and hardening for #220:
    GIF transparent index OOB, per-frame palette compositing, DCS parameter overflow, resize/item5/quant integer overflows, and invalid PNG cleanup path.
    Thanks to @ShangzhiXu

  • fix memory leak issue in GIF loader callback path (#207).
    Thanks to @optionGo

  • python: fix bugs in sixel_encoder_encode_bytes (#223).
    Thanks to @xyzzy42

  • build: make distcheck pass by shipping required fixtures.
