On Wed, 2008-04-30 at 15:44 -0400, Travis Willard wrote:
> Hey guys,
>
> Recent exploit found in libpng < 1.2.27
> (http://bugs.archlinux.org/task/10192#comment27550) is getting a lot
> of attention in our forums and bugtrackers, however since the APNG
> patch (included for firefox3's sake -
> http://bugs.archlinux.org/task/9570) isn't updated for the new libpng
> version yet, I'm blocked on updating this.
>
> If I drop APNG from libpng to ensure we get updates as quick as
> possible, this means firefox3 will need to be rebuilt without system
> PNG. If this happens, that means firefox3 will be using a vulnerable
> version of the library, but I can react quicker to vulnerabilities
> like this in the future.
>
> I'm not sure what is the best course of action. Wait until a new APNG
> patch is released? Update and force firefox3 to rebuild?
>
> From the libpng website: "The pngtest sample application distributed
> with libpng, pngcrush, and certain versions of ImageMagick are known
> to be affected, but the bug is otherwise believed to be quite rare." -
> if the bug is quite rare, can we put it off?
>
> Any input?
I tried to build libpng 1.2.27 with the apng patch; this is what I did to get a working package:

- apply the 1.2.25-apng patch, ignore the reject: the rejected patch adds checks that don't make sense with 1.2.27 as the variables should be NULL anyways.
- Generate a new patch out of this, so we have a clean patch against 1.2.27
- Run the whole libtoolize --force --copy, aclocal, autoconf, automake crap
- Run every make command with "ECHO=echo" appended, as libtool 2.2 doesn't export this variable anymore (it's lt_ECHO now)

This resulted in a 1.2.27 package that still works with animated PNGs in firefox 3.0b5. OK to commit to testing?
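The patch-rebase part of the procedure in the reply above (apply the old patch to the new release, review the reject, regenerate a clean patch and prove it applies), as an added example that is not code from this thread, from Arch or from libpng. The source files, the "APNG" hunks and the version numbers are all constructed stand-ins written into a temporary directory; the autotools and `ECHO=echo` make steps are left out because they need the real libpng tree. It assumes a POSIX sh with awk and diff, and GNU patch for `--dry-run`.

```shell
#!/bin/sh
# Added example (not from the thread or from libpng): rebase a distribution
# patch written against release "1.2.25" onto release "1.2.27".  Hunks that
# still apply are kept, the hunk that no longer matches is reviewed and
# dropped, and a clean patch against the new release is regenerated.
# Every file below is constructed; the version numbers are only directory names.
set -eu

# write_upstream DIR VERSION : constructed png.c for "1.2.25" or "1.2.27".
# The newer release reworked the body of png_read, so a hunk that edits the
# old body will no longer match (that is the reject the reply talks about).
write_upstream() {
    mkdir -p "$1"
    {
        printf '%s\n' '/* png.c - constructed stand-in for a libpng source file */' \
            '#include "png.h"' '' \
            'static int read_chunk(void)' '{' '    return 0;' '}' '' \
            'static int read_header(void)' '{' '    return 0;' '}' '' \
            'static int read_trailer(void)' '{' '    return 0;' '}' '' \
            'int png_read(void)' '{'
        if [ "$2" = "1.2.25" ]; then
            printf '%s\n' '    read_header();' '    return read_chunk();'
        else
            printf '%s\n' '    if (!png_check_sig())' '        return -1;' \
                '    return read_chunk();'
        fi
        printf '%s\n' '}' '' 'int png_write(void)' '{' '    return 0;' '}'
    } > "$1/png.c"
}

# apply_feature SRC DST : what the constructed 1.2.25 patch changes: a new
# helper near the top of the file (hunk 1) and a NULL check inside png_read
# (hunk 2).  Only hunk 2 touches code that 1.2.27 rewrote.
apply_feature() {
    mkdir -p "$2"
    awk '
        /^    read_header\(\);$/ { print "    if (png_ptr == NULL) return -1;" }
        { print }
        /^#include "png.h"$/ {
            print ""; print "#ifdef PNG_APNG_SUPPORTED"
            print "int png_read_frame(void)"; print "{"; print "    return 1;"
            print "}"; print "#endif"
        }' "$1/png.c" > "$2/png.c"
}

# make_patch OLD NEW OUT : diff exits 1 when the trees differ, so accept that.
make_patch() {
    diff -Naur "$1" "$2" > "$3" || [ $? -eq 1 ]
}

# rebase_demo : runs the whole procedure in a scratch directory and prints
# "rejected_hunks=N new_patch_applies=yes|no".
rebase_demo() {
    work=$(mktemp -d)
    cd "$work"
    write_upstream libpng-1.2.25 1.2.25
    apply_feature libpng-1.2.25 libpng-1.2.25-apng
    make_patch libpng-1.2.25 libpng-1.2.25-apng apng-1.2.25.patch

    # 1. apply the old patch to the new release and keep whatever is rejected
    write_upstream libpng-1.2.27 1.2.27
    cp -R libpng-1.2.27 libpng-1.2.27-apng
    (cd libpng-1.2.27-apng && patch -p1 -f < ../apng-1.2.25.patch) > apply.log 2>&1 || true
    rejected=0
    if [ -f libpng-1.2.27-apng/png.c.rej ]; then
        # count hunk headers in either unified (@@) or context (***) reject format
        rejected=$(grep -cE '^(@@ |\*{15}$)' libpng-1.2.27-apng/png.c.rej)
    fi

    # 2. review: the rejected hunk only added a NULL check that the rewritten
    #    png_read makes redundant, so drop it and remove patch's leftovers so
    #    they do not end up inside the regenerated patch
    rm -f libpng-1.2.27-apng/png.c.rej libpng-1.2.27-apng/png.c.orig

    # 3. regenerate a clean patch against the new release
    make_patch libpng-1.2.27 libpng-1.2.27-apng apng-1.2.27.patch

    # 4. prove it applies to a pristine tree with no rejects, fuzz or offsets
    applies=no
    if out=$(cd libpng-1.2.27 && patch -p1 -f --dry-run < ../apng-1.2.27.patch 2>&1) \
       && ! printf '%s' "$out" | grep -Eqi 'fuzz|offset'; then
        applies=yes
    fi
    printf 'rejected_hunks=%s new_patch_applies=%s\n' "$rejected" "$applies"
}

rebase_demo
```

Run as-is it prints `rejected_hunks=1 new_patch_applies=yes`: hunk 1 still applies to the new release, hunk 2 is rejected and dropped after review, and the regenerated `apng-1.2.27.patch` applies cleanly. The review step is the part that matters for a security update: a rejected hunk is only safe to drop once someone has read it against the new upstream code, which is exactly the judgement the reply records for the NULL checks.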

