update vulnerable libpng to fixed version?

Chuck Swiger cswiger at mac.com
Thu Aug 5 09:09:41 PDT 2004


Andrey Chernov wrote:
> On Thu, Aug 05, 2004 at 07:29:15PM +0400, Andrey Chernov wrote:
>> Since CERT entry VU#388984 does not point to any patch, I can only guess that 
>> this bug is fixed by the official 0-11 patches I committed several hours ago.
[ ... ]
> "NOTE! This patch serves as demo purposes for the flaws only. An official
> v1.2.6 libpng with an official, slightly different fix will be released by
> the libpng team in parallel with this advisory."
> 
> What is in 1.2.6 in that place is equal to 1.2.5 official patches. Patch 
> from CESA is not used.

Perhaps CERT jumped the gun on releasing the advisory, before the libpng 
people had a chance to fully test 1.2.6?  You seem to be suggesting so, and it 
wouldn't be the first time CERT has released something without full 
coordination with the authors.

Anyway, if the issues identified in 1.2.5 are updated by patches which you're 
committing today, so much the better.  Thanks for responding so quickly.

-- 
-Chuck


