[arch-dev-public] APNG patch in libpng

Travis Willard travis at archlinux.org
Wed Apr 30 15:44:35 EDT 2008

Hey guys,

Recent exploit found in libpng < 1.2.27
(http://bugs.archlinux.org/task/10192#comment27550) is getting a lot
of attention in our forums and bugtrackers, however since the APNG
patch (included for firefox3's sake -
http://bugs.archlinux.org/task/9570) isn't updated for the new libpng
version yet, I'm blocked on updating this.

If I drop APNG from libpng to ensure we get updates as quick as
possible, this means firefox3 will need to be rebuilt without system
PNG.  If this happens, that means firefox3 will be using a vulnerable
version of the library, but I can react quicker to vulnerabilities
like this in the future.

I'm not sure what is the best course of action.  Wait until a new APNG
patch is released? Update and force firefox3 to rebuild?

>From the libpng website: "The pngtest  sample application distributed
with libpng, pngcrush, and certain versions of ImageMagick are known
to be affected, but the bug is otherwise believed to be quite rare." -
if the bug is quite rare, can we put it off?

Any input?

More information about the arch-dev-public mailing list