[Png-mng-security] security bug in png_handle_tRNS

Glenn Randers-Pehrson glennrp at comcast.net
Sat May 12 04:47:49 UTC 2007


At 12:11 AM 5/12/2007 -0400, you wrote:
>Glenn Randers-Pehrson <glennrp at comcast.net> writes:
>> I guess the only thing really to discuss is how long to wait before
>> disclosing the problem, and whether to release a fixed libpng and
>> mozilla quietly before disclosure.
>
>Do we have an agreement on the release date?  Red Hat's security guys
>seem to think that May 15th is the date, but I missed where that was
>agreed to.  Once the erratum-release train starts rolling it's hard
>to stop, so if anyone doesn't like that date please speak up.
>
>(Personally I could do with a different date because I'll be off
>poll-watching on Tuesday...)

The CERT guy said that if he didn't call me Friday, May 15 is OK.
He didn't call.  We had talked about May 15, but that was only
approximate.  Your guy might have gotten the date from CERT.  I don't
know what is going on elsewhere in the vulnerability community.

I haven't got a response from Firefox about whether they want to
squeeze the fix into their next release or not, or exactly when
that next release is.  As long as it is just a DoS vulnerability
they don't seem to care much.

Would May 18 (Friday) be better for you?  I've just released some
new "rc" libpngs that should really age for a week prior to the
public release.

Glenn