
libpng vulnerability, why does gnome2 depend on libpng2 and not libpng3?



"Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution."

After I read about the libpng vulnerability ( http://lwn.net/Articles/5017/ ) I routinely checked for the version in debian sid.

ii  libpng2        1.0.12-3       PNG library - runtime
ii  libpng2-dev    1.0.12-3       PNG library - development
ii  libpng3        1.2.1-1.1      PNG library - runtime
un  libpng3-dev    <keine>        (keine Beschreibung vorhanden)

Then I decided to do an apt-get install libpng3-dev, and the result shocked me:

Note, selecting libpng-dev instead of libpng3-dev
The following extra packages will be installed:
  libdirectfb-dev libpng-dev
The following packages will be REMOVED:
  clanlib-dev gdk-imlib-dev libbonobo-dev libbonoboui2-dev libcapplet-dev
  libeel2-dev libgail-dev libgal2-0-dev libgdk-pixbuf-gnome-dev
libglade-bonobo0-dev libglade-gnome0-dev libglade2-dev libgnome-desktop-dev
  libgnome-dev libgnomecanvas2-dev libgnomedb2-dev libgnomemm-dev
  libgnomeprint-dev libgnomeprintui-dev libgnomeui-dev libgtk2.0-dev
  libgtkhtml2-dev libgtop2-dev libmagick++5-dev libmagick5-dev
libnautilus2-dev libpng2-dev librsvg2-dev libwmf-dev libwnck-dev libzvt2-dev
The following NEW packages will be installed:
  libpng-dev
1 packages upgraded, 1 newly installed, 31 to remove and 0  not upgraded.

Is there a reason to stay with the old branch? Or is this due to the lag of the ppc tree?

     Christof
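As an added example (not part of the original post), the following script applies the fixed-version thresholds from the quoted advisory (1.0.14 on the 1.0 branch, 1.2.4 on the 1.2 branch) to dpkg -l style lines, using the output quoted above as constructed sample input; the function names are my own.

```shell
#!/bin/sh
# Added example: classify a Debian libpng package version against the
# advisory's fixed versions. Prints "vulnerable", "fixed" or "unknown-branch".
libpng_status() {
    upstream=${1%%-*}            # drop the Debian revision: 1.0.12-3 -> 1.0.12
    oldifs=$IFS; IFS=.
    set -- $upstream             # split on dots into major minor patch
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    case "$maj.$min" in
        1.0) fix=14 ;;           # fixed in 1.0.14 (from the quoted advisory)
        1.2) fix=4 ;;            # fixed in 1.2.4  (from the quoted advisory)
        *)   echo unknown-branch; return 0 ;;
    esac
    if [ "$pat" -lt "$fix" ]; then echo vulnerable; else echo fixed; fi
}

# Constructed sample input, copied from the dpkg -l output quoted above.
SAMPLE_DPKG='ii  libpng2        1.0.12-3       PNG library - runtime
ii  libpng2-dev    1.0.12-3       PNG library - development
ii  libpng3        1.2.1-1.1      PNG library - runtime
un  libpng3-dev    <keine>        (keine Beschreibung vorhanden)'

# Walk dpkg -l style lines; only installed ("ii") packages carry a real version,
# so "un" (not installed) entries are skipped rather than parsed.
report_dpkg() {
    printf '%s\n' "$1" | while read -r st pkg ver _; do
        [ "$st" = ii ] || continue
        echo "$pkg $ver $(libpng_status "$ver")"
    done
}

# On a real system: report_dpkg "$(dpkg -l 'libpng*' | grep '^[a-z][a-z] ')"
report_dpkg "$SAMPLE_DPKG"
```

Both libpng2 1.0.12 and libpng3 1.2.1 from the listing above fall below their branch's fixed version, so the script flags both as vulnerable.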

