From 2d355d1abaa61f5d60dc524c3645c4d6cbb980be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <v@cunat.cz>
Date: Fri, 5 Jun 2026 12:52:54 +0200
Subject: [PATCH] libpng: 1.6.56 -> 1.6.58

Fixes: CVE-2026-34757 and CVE-2026-40930 (#528286)
(cherry picked from commit 316db7c96c1096ae2bf0a40bdec1fc630e1498a2)
---
 pkgs/by-name/li/libpng/package.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/by-name/li/libpng/package.nix b/pkgs/by-name/li/libpng/package.nix
index d533f3ed56bb..7d52bcffb378 100644
--- a/pkgs/by-name/li/libpng/package.nix
+++ b/pkgs/by-name/li/libpng/package.nix
@@ -11,10 +11,10 @@
 assert zlib != null;
 
 let
-  patchVersion = "1.6.56";
+  patchVersion = "1.6.58";
   patch_src = fetchurl {
     url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz";
-    hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g=";
+    hash = "sha256-7ufeoi7VAoaAF5cchsY8TtHmCF3guuv9zD0zIvAPPrA=";
   };
   whenPatched = lib.optionalString apngSupport;
 
@@ -24,11 +24,11 @@ let
 in
 stdenv'.mkDerivation (finalAttrs: {
   pname = "libpng" + whenPatched "-apng";
-  version = "1.6.56";
+  version = "1.6.58";
 
   src = fetchurl {
     url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz";
-    hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg=";
+    hash = "sha256-KOtAP1Hw90BSSRMs7P6C6lwO+X8bMsWmWCiBSuDTR3U=";
   };
   postPatch =
     whenPatched "gunzip < ${patch_src} | patch -Np1"