On Wed, 2008-04-30 at 15:44 -0400, Travis Willard wrote:
Hey guys,
Recent exploit found in libpng < 1.2.27 (http://bugs.archlinux.org/task/10192#comment27550) is getting a lot of attention in our forums and bugtrackers. However, since the APNG patch (included for firefox3's sake - http://bugs.archlinux.org/task/9570) isn't updated for the new libpng version yet, I'm blocked on updating this.
If I drop APNG from libpng to ensure we get updates as quickly as possible, this means firefox3 will need to be rebuilt without system PNG. If this happens, that means firefox3 will be using a vulnerable version of the library, but I can react more quickly to vulnerabilities like this in the future.
I'm not sure what is the best course of action. Wait until a new APNG patch is released? Update and force firefox3 to rebuild?
From the libpng website: "The pngtest sample application distributed with libpng, pngcrush, and certain versions of ImageMagick are known to be affected, but the bug is otherwise believed to be quite rare." - if the bug is quite rare, can we put it off?
Any input?
I tried to build libpng 1.2.27 with the apng patch; this is what I did to get a working package:
- Apply the 1.2.25-apng patch, ignore the reject: the rejected hunk adds checks that don't make sense with 1.2.27, as the variables should be NULL anyway.
- Generate a new patch out of this, so we have a clean patch against 1.2.27.
- Run the whole libtoolize --force --copy, aclocal, autoconf, automake crap.
- Run every make command with "ECHO=echo" appended, as libtool 2.2 doesn't export this variable anymore (it's lt_ECHO now).
This resulted in a 1.2.27 package that still works with animated PNGs in firefox 3.0b5. OK to commit to testing?
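The first two steps of the reply (apply the old patch, keep the rejected hunks for review, regenerate a clean patch against the new version) as an added shell example; it is not code from the thread or from the libpng or Arch packaging. It assumes GNU patch and GNU diff; the trees and the patch it works on are constructed stand-ins rather than libpng, and the autotools and ECHO=echo build steps are not covered.

```sh
#!/bin/sh
# Added example: rebase an out-of-date patch onto a new upstream tree.
# rebase_patch PRISTINE OLD_PATCH NEW_PATCH
#   PRISTINE  untouched new-version source tree (never modified)
#   OLD_PATCH unified diff made against the previous version (-p1 paths)
#   NEW_PATCH where the regenerated, clean patch is written
# Returns 0 if every hunk applied, 1 if some hunk was rejected (its .rej
# file stays in PRISTINE.work and is listed on stderr), >1 on patch errors.
rebase_patch() {
    pristine=$1; old_patch=$2; new_patch=$3
    work="$pristine.work"
    rm -rf "$work" && cp -R "$pristine" "$work"
    rc=0
    # -f: never prompt; -N: treat already-applied hunks as rejects, don't reverse
    (cd "$work" && patch -p1 -f -N < "$old_patch" >/dev/null) || rc=$?
    [ "$rc" -le 1 ] || return "$rc"
    # Each .rej is a hunk the packager must read by hand (in the thread: the
    # checks that no longer make sense against the new version).
    (cd "$work" && find . -name '*.rej' >&2)
    # Clean patch against the new version; patch's own artefacts are excluded.
    # diff exits 1 when the trees differ, which is the expected outcome here.
    (cd "$(dirname "$pristine")" && diff -Naur -x '*.rej' -x '*.orig' \
        "$(basename "$pristine")" "$(basename "$work")") > "$new_patch" || true
    return "$rc"
}

# Constructed demo (not libpng): the old patch adds a check to two files; the
# new upstream rewrote one of them, so that hunk is rejected and the other
# survives into the regenerated patch. Prints "<rejects> <hunks in new patch>".
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/v1" "$tmp/v1p" "$tmp/v2"
    printf 'a\nb\nc\n' > "$tmp/v1/keep.c";  printf 'a\nb_checked\nc\n' > "$tmp/v1p/keep.c"
    printf 'x\ny\nz\n' > "$tmp/v1/moved.c"; printf 'x\ny_checked\nz\n' > "$tmp/v1p/moved.c"
    (cd "$tmp" && diff -Naur v1 v1p > old.patch) || true   # patch against v1
    cp "$tmp/v1/keep.c" "$tmp/v2/keep.c"       # unchanged upstream: hunk applies
    printf 'p\nq\nr\n' > "$tmp/v2/moved.c"     # rewritten upstream: hunk rejected
    rebase_patch "$tmp/v2" "$tmp/old.patch" "$tmp/new.patch" 2>/dev/null || true
    rejects=$(find "$tmp/v2.work" -name '*.rej' | wc -l | tr -d ' ')
    hunks=$(grep -c '^@@' "$tmp/new.patch" || true)
    rm -rf "$tmp"
    echo "$rejects $hunks"   # expected: "1 1"
}
```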