[Png-mng-security] security bug in png_handle_tRNS

Glenn Randers-Pehrson glennrp at comcast.net
Mon May 7 21:50:04 UTC 2007


At 01:42 PM 5/7/2007 -0700, Andreas Dilger wrote:
>On May 07, 2007  13:53 -0400, Glenn Randers-Pehrson wrote:
>> I just got a reply from CERT:
>> 
>>   Thank you for the report, we are tracking this as VU#684664.
>>   We will follow up with our established contacts at libpng.
>> 
>> Greg or maybe Andreas Dilger is probably the "established contact".
>
>I haven't gotten anything from CERT either.

I have (the "established contact" turns out to be glennrp at imagemagick.org),
but they insist on using encrypted commo so I could not read
it.  They called me at home a while ago but I was outside watching the
grass grow.

I guess the only thing really to discuss is how long to wait before
disclosing the problem, and whether to release a fixed libpng and
mozilla quietly before disclosure.

Glenn


