Please sponsor libpng 1.2.24

Here is the debdiff (filterdiff -i '*/debian/*')

Sources are there: http://www.libpng.org/pub/png/libpng.html

Oops, wrong debdiff. Here is the right one. I've also updated the Maintainer field that I've missed before.

Please tell me if something is preventing this to be sponsored.

It seems the updates of libpng in Debian has ceased, and the version is stuck at 1.2.15~beta5-3. Meanwhile, quite a number of CVEs have been reported at the upstream homepage, where the version is now at 1.2.26. This package should certainly be updated.

Morten, it is stuck here because of the unwanted APNG patch. That's the reason why Firefox 3 has to ship with in-source png instead of system png.

If someone from ubuntu-main-sponsors tells me that another debdiff for 1.2.26 but *without* APNG is still acceptable at this point in hardy, I would sure give it a try.

FYI: libpng 1.2.17 has been uploaded to debian unstable

Would the APNG patch be acceptable in intrepid?

The following CVE has been fixed in debian as well:
1.2.26:
  * Fix CVE-2008-1382 denial of service and possibly code execution
    Add 02-476669-CVE-2008-1382.diff
    Closes: #476669
This was merged upstream in 1.2.27

Attached is the debdiff (filterdiff -i '*/debian/*') from 1.2.15~beta5-3 to 1.2.27-1 (straight from debian, no other patches). Since there are a number of CVE fixes, it seems like a good candidate for a SRU.

Changelog:
libpng (1.2.27-1) unstable; urgency=low

  * New upstream release
  * Patches merged upstream:
    debian/patches/02-476669-CVE-2008-1382.diff
    debian/patches/03-404514-png.5.diff
  * Run ./autogen.sh

 -- Anibal Monsalve Salazar <email address hidden> Tue, 29 Apr 2008 17:22:16 +1000

libpng (1.2.26-1) unstable; urgency=high

  * New upstream release. Closes: #431202
  * Use quilt
    Add 01-legacy.diff
  * Fix CVE-2008-1382 denial of service and possibly code execution
    Add 02-476669-CVE-2008-1382.diff
    Closes: #476669
  * Fix URL in png.5. Closes: #404514
    Add 03-404514-png.5.diff
  * Move examples to libpng12-dev. Closes: #401467
  * Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126
  * Fix the following lintian issues:
    W: libpng source: debian-rules-ignores-make-clean-error line 37
    W: libpng source: substvar-source-version-is-deprecated libpng12-dev
    W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3)
    W: libpng12-0-udeb udeb: description-contains-homepage
    W: libpng3: description-contains-homepage
    W: libpng12-dev: description-contains-homepage
    W: libpng12-0: package-contains-empty-directory usr/bin/
    W: libpng12-0: package-contains-empty-directory usr/sbin/
    W: libpng12-0: description-contains-homepage
    W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming

 -- Anibal Monsalve Salazar <email address hidden> Sun, 20 Apr 2008 18:22:32 +1000

I will file another bug for the security issues only (pure sync from debian); feel free to update the APNG patch to be based on 1.2.27-1 for intrepid

Thanks! Looks like this has been done:

$ apt-cache madison libpng
    libpng | 1.2.27-1 | http://us.archive.ubuntu.com intrepid/main Sources