On Tue, Dec 19, 2006 at 08:57:12AM +0100, Andreas Barth wrote:
>* Steve Langasek ([EMAIL PROTECTED]) [061219 08:27]:
>>On Sun, Dec 17, 2006 at 08:13:05AM +1100, Aníbal Monsalve Salazar wrote:
>>>Just for the record. The libpng security issues were communicated
>>>to the security team twice on Nov 9 and 15 2006. On Nov 15 2006
>>>both vorlon and aba were made aware of the security problems.
>>
>>Well no, I'm not aware of these. Presumably you mean that an email was
>>sent, but I don't seem to have this mail now.
>
>JFTR, I also don't seem to have this mail now.

I'm attaching the email I sent.

>Cheers,
>Andi
>--
> http://home.arcor.de/andreas-barth/

Best Regards,

Aníbal Monsalve Salazar
--
http://v7w.com/anibal
From [EMAIL PROTECTED] Sun Nov 19 10:06:30 2006
Date: Sun, 19 Nov 2006 10:06:30 +1100
From: Aníbal Monsalve Salazar <[EMAIL PROTECTED]>
To: Steve Langasek <[EMAIL PROTECTED]>, Andreas Barth <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], Mike Hommey <[EMAIL PROTECTED]>, Sam Hocevar <[EMAIL PROTECTED]>
Subject: Re: libpng and mozilla
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.11+cvs20060403

On Wed, Nov 15, 2006 at 12:53:30PM +1100, Anibal Monsalve Salazar wrote:
>On Tue, Nov 14, 2006 at 05:32:14PM -0500, Glenn Randers-Pehrson wrote:
>>Anibal, I gather that you are the debian libpng maintainer now, or
>>at least one of them.
>>
>>There is a new security issue regarding malformed sPLT chunks. We
>>are discussing it on a private list
>>
>>[EMAIL PROTECTED]
>>Visit
>>http://www.simplesystems.org/mailman/listinfo/png-mng-security
>>to subscribe. Once subscribed you can look at the archives.
>>
>>Is there another person at debian who should be on the list?
>>
>>Glenn
>
>According to Glenn Randers-Pehrson:
>
> This bug has been reported to the authorities. The CVE project
> assigned CVE-2006-5793 for this bug. The suggested date for
> release of advisories is November 14.
>
> A copy of the PNG file is at
> http://www.simplesystems.org/users/glennrp/hidden/crashers/
>
> The directory contains the PNG file itself (865 kb)
> bad_sPLT.png and a gzipped tarball (1.6 kb) for easy
> downloading. bad_sPLT.png.tar.gz
>
>On Thu, Nov 09, 2006 at 12:27:00AM +0100, Mike Hommey wrote:
>>Hi,
>>
>>Part of the latest security updates on Mozilla are some changes to
>>libpng, that I'd like to know if they have been addressed in security
>>updates of ours.
>>
>>Here is the upstream (Mozilla) bug:
>>https://bugzilla.mozilla.org/show_bug.cgi?id=334110
>>
>>Since our mozilla-based packages use the system library, we only
>>need to apply the really mozilla specific part of the patch
>>provided, but we need the libpng part to be fixed as well...
>>which is why I'm asking if it is ;)
>
>I packaged libpng-1.2.12 and was trying to fix a FTBFS on my amd64
>machine. It builds perfectly on i386 and sparc. That is using the
>upstream package without the configure script.
>
>I also built libpng-1.2.12 using the upstream package with the
>configure script.
>
>Now I have downloaded libpng-1.2.13 and I'll package it when I
>get home this evening.
>
>libpng-1.2.13 fixes CVE-2006-5793.

I'm about to upload libpng 1.2.13-0. I have run pngtest on i386, amd64 and
sparc successfully and firefox 1.5.dfsg+1.5.0.4-1 didn't crash when I
pointed it to:

http://www.simplesystems.org/users/glennrp/hidden/crashers/bad_sPLT.png

Best Regards,

Aníbal Monsalve Salazar
--
http://v7w.com/anibal
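The thread above only says that a malformed sPLT chunk could crash libpng 1.2.12 and that the maintainer verified the fixed build by feeding the crasher file to pngtest and Firefox. The following is an added example, not code from this thread, from libpng or from Debian: a small Python auditor that walks a PNG's chunks, verifies each chunk CRC, and checks every sPLT chunk against the layout the PNG specification requires (palette name of 1 to 79 bytes, a NUL separator, a sample depth of 8 or 16, then fixed-size entries of 6 or 10 bytes). The PNG files it is run on are constructed inline (a 1x1 greyscale image plus a hand-built sPLT payload); the three sample payloads and all function names are my own and not taken from the crasher file mentioned above.

```python
"""Audit a PNG byte string: walk its chunks, verify every chunk CRC, and check
each sPLT (suggested palette) chunk against the layout the PNG spec requires.
The samples at the bottom are constructed here and stand in for real files."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (chunk_type, payload, crc_ok) for each chunk up to and including IEND.

    Raises ValueError on a bad signature, on a chunk whose declared length runs
    past the end of the data, or on data that ends without an IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start = pos + 8
        end = start + length
        if end + 4 > len(data):
            raise ValueError(f"truncated chunk {ctype!r}: declares {length} bytes")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc   # CRC covers type + payload
        yield ctype, payload, crc_ok
        pos = end + 4
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        raise ValueError("truncated: no IEND chunk")


def check_splt(payload):
    """Return the list of problems in an sPLT payload (empty list == well formed).

    Spec layout: palette name (1..79 Latin-1 bytes), NUL separator, sample depth
    byte (8 or 16), then fixed-size entries of R,G,B,A,frequency: 6 bytes per
    entry at depth 8 and 10 bytes per entry at depth 16."""
    problems = []
    nul = payload.find(b"\x00")
    if nul == -1:
        return ["no NUL terminator after palette name"]
    name_len = nul
    if not 1 <= name_len <= 79:
        problems.append(f"palette name length {name_len} outside 1..79")
    if nul + 1 >= len(payload):
        problems.append("missing sample depth byte")
        return problems
    depth = payload[nul + 1]
    if depth not in (8, 16):
        problems.append(f"sample depth {depth} is not 8 or 16")
        return problems
    entry_size = 6 if depth == 8 else 10
    body = len(payload) - (nul + 2)
    if body % entry_size:
        problems.append(f"entry data {body} bytes is not a multiple of {entry_size}")
    return problems


def audit_png(data):
    """Return a list of (where, issue) findings; an empty list means nothing was flagged."""
    findings = []
    try:
        for ctype, payload, crc_ok in iter_chunks(data):
            where = ctype.decode("latin-1")
            if not crc_ok:
                findings.append((where, "CRC mismatch"))
            if ctype == b"sPLT":
                findings.extend(("sPLT", p) for p in check_splt(payload))
    except ValueError as exc:
        findings.append(("file", str(exc)))
    return findings


def make_chunk(ctype, payload):
    """Encode one chunk: big-endian length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(splt_payload):
    """Constructed minimal PNG (1x1, 8-bit greyscale) carrying the given sPLT payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one grey sample
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"sPLT", splt_payload)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


# Constructed sPLT payloads (hypothetical samples, not the crasher file from the thread).
GOOD_SPLT = b"sample\x00" + bytes([8]) + bytes([255, 0, 0, 255, 0, 1]) * 2   # two valid 8-bit entries
BAD_DEPTH_SPLT = b"sample\x00" + bytes([7]) + bytes(6)                        # depth 7 is not allowed
SHORT_ENTRY_SPLT = b"sample\x00" + bytes([16]) + bytes(7)                     # 7 bytes is not a 10-byte entry

if __name__ == "__main__":
    for label, splt in (("good", GOOD_SPLT), ("bad depth", BAD_DEPTH_SPLT), ("short entry", SHORT_ENTRY_SPLT)):
        print(label, audit_png(build_png(splt)) or "ok")
```

Running the module prints one line per sample; `audit_png` is the entry point for a file read with `open(path, "rb").read()`. The check deliberately validates lengths against the declared sample depth before anything is trusted, which is the property a decoder needs in order to size its allocations safely; a CRC mismatch is reported as its own finding because a chunk that fails its CRC should not be interpreted at all.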