Subject: CVS commit: pkgsrc/graphics/png
To: None <pkgsrc-changes@NetBSD.org>
From: Frederick Bruckman <fredb@netbsd.org>
List: pkgsrc-changes
Date: 05/10/2004 01:15:14
Module Name:	pkgsrc
Committed By:	fredb
Date:		Mon May 10 01:15:14 UTC 2004

Modified Files:
	pkgsrc/graphics/png: Makefile distinfo
	pkgsrc/graphics/png/patches: patch-ae
Added Files:
	pkgsrc/graphics/png/patches: patch-af

Log Message:
Don't read past the end of the error message string. This patch was
posted to png-implement by Glenn Randers-Pehrson, libpng's maintainer.

This error was widely reported as a "security issue",

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421

even though there is no security issue. The most the error could do is
SIGSEGV, and that only with some fairly uncommon circumstances. The patch
posted with the advisory is in fact flawed, in that it calls strlen() on
presumably arbitrary data.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -r1.60 -r1.61 pkgsrc/graphics/png/Makefile
cvs rdiff -r1.17 -r1.18 pkgsrc/graphics/png/distinfo
cvs rdiff -r1.1 -r1.2 pkgsrc/graphics/png/patches/patch-ae
cvs rdiff -r0 -r1.1 pkgsrc/graphics/png/patches/patch-af

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
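
An added example, not part of this commit or of libpng's source: the log message's objection to calling strlen() on arbitrary data, shown as a length-bounded copy beside the strlen()-based pattern. The function names, buffer sizes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern (hypothetical helper, shown for contrast, never called):
 * strlen() scans until it finds a NUL, so an unterminated msg is read
 * past its end before the clamp below is ever applied. */
size_t copy_msg_strlen(char *dst, size_t dstsz, const char *msg)
{
    size_t n;
    if (dstsz == 0) return 0;
    n = strlen(msg);                     /* unbounded read of msg */
    if (n > dstsz - 1) n = dstsz - 1;
    memcpy(dst, msg, n);
    dst[n] = '\0';
    return n;
}

/* Bounded pattern (hypothetical helper): reads at most msg_max bytes of
 * msg, writes at most dstsz bytes to dst, and always terminates dst. */
size_t copy_msg_bounded(char *dst, size_t dstsz,
                        const char *msg, size_t msg_max)
{
    const char *nul;
    size_t n;
    if (dstsz == 0) return 0;
    nul = memchr(msg, '\0', msg_max);    /* search stays inside msg_max */
    n = nul ? (size_t)(nul - msg) : msg_max;
    if (n > dstsz - 1) n = dstsz - 1;
    memcpy(dst, msg, n);
    dst[n] = '\0';
    return n;
}

/* Constructed input: an 8-byte field that carries no terminator. */
size_t demo_unterminated(char *out, size_t outsz)
{
    static const char raw[8] = {'b','a','d',' ','c','h','n','k'};
    return copy_msg_bounded(out, outsz, raw, sizeof raw);
}

int main(void)
{
    char out[16];
    size_t n = demo_unterminated(out, sizeof out);
    printf("%zu bytes copied: \"%s\"\n", n, out);
    return 0;
}
```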