
Re: please unblock libpng 1.2.15~beta5-0



On Tue, Dec 19, 2006 at 08:57:12AM +0100, Andreas Barth wrote:
>* Steve Langasek (vorlon@debian.org) [061219 08:27]:
>>On Sun, Dec 17, 2006 at 08:13:05AM +1100, Aníbal Monsalve Salazar wrote:
>>>Just for the record. The libpng security issues were communicated
>>>to the security team twice on Nov 9 and 15 2006. On Nov 15 2006
>>>both vorlon and aba were made aware of the security problems.
>>
>>Well no, I'm not aware of these.  Presumably you mean that an email was
>>sent, but I don't seem to have this mail now.
>
>JFTR, I also don't seem to have this mail now.

I'm attaching the email I sent.

>Cheers,
>Andi
>-- 
>  http://home.arcor.de/andreas-barth/

Best Regards,

Aníbal Monsalve Salazar
-- 
http://v7w.com/anibal
From anibal@elida.v7w.com  Sun Nov 19 10:06:30 2006
Return-Path: <anibal@elida.v7w.com>
X-Original-To: anibal@v7w.com
Delivered-To: anibal@v7w.com
Received: by elida.v7w.com (Postfix, from userid 1000)
	id E51E7646037; Sun, 19 Nov 2006 10:06:30 +1100 (EST)
Date: Sun, 19 Nov 2006 10:06:30 +1100
From: =?iso-8859-1?Q?An=EDbal?= Monsalve Salazar <anibal@debian.org>
To: Steve Langasek <vorlon@debian.org>, Andreas Barth <aba@debian.org>
Cc: team@security.debian.org, Mike Hommey <mh@glandium.org>,
	Sam Hocevar <sho@debian.org>
Subject: Re: libpng and mozilla
Message-ID: <20061118230630.GE7578@debianrules.debiancolombia.org>
References: <20061108232700.GB8448@glandium.org> <20061115015330.GD7578@debianrules.debiancolombia.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="BQKTRrfB4lCwWW5L"
Content-Disposition: inline
In-Reply-To: <20061115015330.GD7578@debianrules.debiancolombia.org>
User-Agent: Mutt/1.5.11+cvs20060403
Status: RO
Content-Length: 2821
Lines: 89


--BQKTRrfB4lCwWW5L
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Nov 15, 2006 at 12:53:30PM +1100, Anibal Monsalve Salazar wrote:
>On Tue, Nov 14, 2006 at 05:32:14PM -0500, Glenn Randers-Pehrson wrote:
>>Anibal,  I gather that you are the debian libpng maintainer now, or
>>at least one of them.
>>
>>There is a new security issue regarding malformed sPLT chunks.  We
>>are discussing it on a private list
>>
>>png-mng-security@simplesystems.org
>>Visit
>>http://www.simplesystems.org/mailman/listinfo/png-mng-security
>>to subscribe.  Once subscribed you can look at the archives.
>>
>>Is there another person at debian who should be on the list?
>>
>>Glenn
>
>According to Glenn Randers-Pehrson:
>
>  This bug has been reported to the authorities. The CVE project
>  assigned CVE-2006-5793 for this bug. The suggested date for
>  release of advisories is November 14.
>
>  A copy of the PNG file is at
>  http://www.simplesystems.org/users/glennrp/hidden/crashers/
>
>  The directory contains the PNG file itself (865 kb)
>  bad_sPLT.png and a gzipped tarball (1.6 kb) for easy
>  downloading. bad_sPLT.png.tar.gz
>
>On Thu, Nov 09, 2006 at 12:27:00AM +0100, Mike Hommey wrote:
>>Hi,
>>
>>Part of the latest security updates on Mozilla are some changes to
>>libpng, that I'd like to know if they have been addressed in security
>>updates of ours.
>>
>>Here is the upstream (Mozilla) bug:
>>https://bugzilla.mozilla.org/show_bug.cgi?id=334110
>>
>>Since our mozilla-based packages use the system library, we only
>>need to apply the really mozilla specific part of the patch
>>provided, but we need the libpng part to be fixed as well...
>>which is why I'm asking if it is ;)
>
>I packaged libpng-1.2.12 and was trying to fix a FTBFS on my amd64
>machine. It builds perfectly on i386 and sparc. That is using the
>upstream package without the configure script.
>
>I also built libpng-1.2.12 using the upstream package with the
>configure script.
>
>Now I have downloaded libpng-1.2.13 and I'll package it when I
>get home this evening.
>
>libpng-1.2.13 fixes CVE-2006-5793.

I'm about to upload libpng 1.2.13-0. I have run pngtest on i386,
amd64 and sparc successfully and firefox 1.5.dfsg+1.5.0.4-1
didn't crash when I pointed it to:

http://www.simplesystems.org/users/glennrp/hidden/crashers/bad_sPLT.png

Best Regards,

Aníbal Monsalve Salazar
-- 
http://v7w.com/anibal

--BQKTRrfB4lCwWW5L--
