From owner-freebsd-ports@FreeBSD.ORG Thu Aug 5 15:16:12 2004
Message-ID: <41124F36.6080506@mac.com>
Date: Thu, 05 Aug 2004 11:16:06 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: Andrey Chernov
cc: FreeBSD Ports
Subject: Re: update vulnerable libpng to fixed version?
References: <20040804190855.GA69872@iib.unsam.edu.ar> <2E7293C8-E656-11D8-91D1-003065ABFD92@mac.com> <20040805015904.GA27667@nagual.pp.ru>
In-Reply-To: <20040805015904.GA27667@nagual.pp.ru>

Andrey Chernov wrote:
> On Wed, Aug 04, 2004 at 04:38:02PM -0400, Charles Swiger wrote:
[ ... ]
>> Here's a diff which updates the png port to 1.2.6rc1:
>
> We can't make public what is intentionally non-public, from
> libpng-1.2.6rc1-README.txt:
>
> Libpng 1.2.6rc1 - August 4, 2004
>
> This is not intended to be a public release. It will be replaced
> within a few weeks by a public version or by another test version.

Certainly it is OK by me if you want to wait for a few weeks; I've already updated my systems which are using libpng.

What you've said about the README is topical and I acknowledge the point you make. However, having 1.2.6rc1 listed as the recommended upgrade path in a CERT advisory probably makes 1.2.6rc1 more public than it would have been, otherwise.

Speaking of which, the CERT advisory reads:

    In the case of VU#388984, an attacker with the ability to introduce a
    malformed PNG image to a vulnerable application could cause the
    application to crash or could potentially execute arbitrary code with
    the privileges of the user running the affected application.

I believe this means that the severity of the bug is critical in terms of security, and that the exploit is as easy as having someone browse past a malicious website containing a PNG image and/or opening a mail message containing one (for someone running Mozilla, KDE's Mailwhichamacallit, etc).

I don't know that any exploits exist today which try to take advantage of the issue, and I would expect the bad guys to target Windows first, Linux second, and other platforms third -- but please, let's fix this sooner rather than later by finding out the hard way that I was wrong.

-- 
-Chuck
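The advisory quoted above turns on a decoder being fed a malformed PNG. As an added example that is not part of the thread or of libpng, the following Python check enforces the PNG container rules (signature, 31-bit chunk length limit, IHDR first, IEND last, per-chunk CRC-32) on a file before it reaches a decoder; the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK = 2 ** 31 - 1  # PNG spec: a chunk length may not exceed 2^31-1


def check_png(data: bytes) -> list:
    """Return the list of structural problems found; empty means sane."""
    problems = []
    if not data.startswith(PNG_SIG):
        return ["bad signature"]
    pos = len(PNG_SIG)
    chunks = []
    while pos < len(data):
        if len(data) - pos < 12:  # length + type + CRC is the minimum
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK:
            problems.append(f"chunk {ctype!r} length {length} exceeds 2^31-1")
            break
        end = pos + 8 + length
        if end + 4 > len(data):  # declared length larger than what is present
            problems.append(f"chunk {ctype!r} length {length} runs past end of file")
            break
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            problems.append(f"chunk {ctype!r} CRC mismatch")
        if ctype == b"IHDR" and length != 13:
            problems.append(f"IHDR length {length}, expected 13")
        chunks.append(ctype)
        pos = end + 4
    if not chunks or chunks[0] != b"IHDR":
        problems.append("first chunk is not IHDR")
    if not chunks or chunks[-1] != b"IEND":
        problems.append("last chunk is not IEND")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one chunk with a correct CRC (helper for the constructed samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a valid 1x1 8-bit grayscale PNG.
GOOD_PNG = (PNG_SIG
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
# Constructed sample: IHDR declares a body far larger than the file.
BAD_PNG = PNG_SIG + struct.pack(">I", 0x7FFFFFFF) + b"IHDR" + b"\x00" * 13
```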