Hey guys, Recent exploit found in libpng < 1.2.27 (http://bugs.archlinux.org/task/10192#comment27550) is getting a lot of attention in our forums and bugtrackers, however since the APNG patch (included for firefox3's sake - http://bugs.archlinux.org/task/9570) isn't updated for the new libpng version yet, I'm blocked on updating this. If I drop APNG from libpng to ensure we get updates as quick as possible, this means firefox3 will need to be rebuilt without system PNG. If this happens, that means firefox3 will be using a vulnerable version of the library, but I can react quicker to vulnerabilities like this in the future. I'm not sure what is the best course of action. Wait until a new APNG patch is released? Update and force firefox3 to rebuild?
From the libpng website: "The pngtest sample application distributed with libpng, pngcrush, and certain versions of ImageMagick are known to be affected, but the bug is otherwise believed to be quite rare." - if the bug is quite rare, can we put it off?
Any input?