[arch-dev-public] APNG patch in libpng

Jan de Groot jan at jgc.homeip.net
Thu May 1 06:04:05 EDT 2008

On Wed, 2008-04-30 at 15:44 -0400, Travis Willard wrote:
> Hey guys,
> Recent exploit found in libpng < 1.2.27
> (http://bugs.archlinux.org/task/10192#comment27550) is getting a lot
> of attention in our forums and bugtrackers, however since the APNG
> patch (included for firefox3's sake -
> http://bugs.archlinux.org/task/9570) isn't updated for the new libpng
> version yet, I'm blocked on updating this.
> If I drop APNG from libpng to ensure we get updates as quick as
> possible, this means firefox3 will need to be rebuilt without system
> PNG.  If this happens, that means firefox3 will be using a vulnerable
> version of the library, but I can react quicker to vulnerabilities
> like this in the future.
> I'm not sure what is the best course of action.  Wait until a new APNG
> patch is released? Update and force firefox3 to rebuild?
> >From the libpng website: "The pngtest  sample application distributed
> with libpng, pngcrush, and certain versions of ImageMagick are known
> to be affected, but the bug is otherwise believed to be quite rare." -
> if the bug is quite rare, can we put it off?
> Any input?

I tried to build libpng 1.2.27 with apng patch, this is what I did to
get a working package:

- apply the 1.2.25-apng patch, ignore the reject: the rejected patch
adds checks that don't make sense with 1.2.27 as the variables should be
NULL anyways.
- Generate a new patch out of this, so we have a clean patch against
- Run the whole libtoolize --force --copy, aclocal, autoconf, automake
- Run every make command with "ECHO=echo" appended, as libtool 2.2
doesn't export this variable anymore (it's lt_ECHO now)

This resulted in a 1.2.27 package that still works with animated PNGs in
firefox 3.0b5.

OK to commit to testing?

More information about the arch-dev-public mailing list