
Re: Wheezy update of pngquant?

Hi Andreas,

On 31/05/17 08:31, Andreas Tille wrote:
> Hi Raphael,
> thanks for working on Debian LTS.
> On Thu, May 25, 2017 at 01:02:27PM +0200, Raphael Hertzog wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of pngquant:
>> https://security-tracker.debian.org/tracker/CVE-2016-5735
>> Would you like to take care of this yourself?
>> If yes, please follow the workflow we have defined here:
>> https://wiki.debian.org/LTS/Development
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to debian-lts@lists.debian.org
>> (via a debdiff, or with a URL pointing to the source package,
>> or even with a pointer to your packaging repository), and the members
>> of the LTS team will take care of the rest. Indicate clearly whether you
>> have tested the updated package or not.
> I admit pngquant is a too unimportant package for me to schedule extra
> time for this.
>> If you don't want to take care of this update, it's not a problem, we
>> will do our best with your package. Just let us know whether you would
>> like to review and/or test the updated package before it gets released.
>> You can also opt-out from receiving future similar emails in your
>> answer and then the LTS Team will take care of pngquant updates
>> for the LTS releases.
> I do not want to opt-out in general but please do not expect any action
> from my side for this specific package.

No worries. I already updated pngquant in wheezy. I also found another possible
buffer overflow and reported it upstream, but it's not confirmed yet (and I
don't have a test case to confirm it).

BTW if you can fix this in sid that'd be nice. Or if you're too busy I can fix
it for you there. The fix is pretty simple:


