
Re: pngcheck - use new upstream version?



Hi Tobias,

On Fri, Dec 09, 2022 at 10:40:53AM +0100, Tobias Frost wrote:
> Hi,
> 
> I was analyzing pngcheck this morning and I'm unsure how to proceed so
> any advice would be appreciated :)
> 
> pngcheck has one CVE open [1], however it seems that there are multiple
> vulnerabilities, as upstream changelog [2] and homepage [3] mentions them.
> 
> Unfortunately upstream did major refactoring between 2.4 and 3.0.x, and as there
> is no upstream git repo it is very hard to isolate which bits are indeed the
> vulnerability fixes and which are "just" bug fixes.
> 
> Suse e.g. did "just" use the new upstream version [5] as resolution, however
> there is the caveat that 3.0.x dropped the "force" option, which would make
> pngcheck to try hard continuing even on very corrupt input files. Upstream's
> Changelog entry [4] explains that by "multiple security issues".
> 
> I'd propose also to package 3.0.3 for LTS, but instead of removing the force
> option making it a "NOP", so that the command line options are still compatible
> for e.g. existing scripts.
> 
> 3.0.x has only very few new features (more png checks) than 2.3.x.

Speaking of rebasing to 3.0.3, this is in fact what will happen for
pngcheck to be released as DSA by Moritz. He did rebuild pngcheck
3.0.3-1 for bullseye (versioned 3.0.3-1~deb11u1).

Regards,
Salvatore
