On Wed, Apr 08, 2026 at 11:29:17PM -0600, Theo de Raadt wrote: > Theo Buehler <tb@theobuehler.org> wrote: > > > On Thu, Apr 09, 2026 at 07:20:33AM +0200, Matthieu Herrb wrote: > > > === CVE-2026-34757 === > > > > > > Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST > > > leading to corrupted chunk data and potential heap information > > > disclosure > > > > > > no API/ABI change. > > > > > > ok ? > > How did you see that in the mail? I did not see it in the mail. I ran check_sym and tests. I also ran 'make patch' before applying the diff and after and inspected with diff -r between the two relevant directories below /usr/ports/pobj as I always do when libraries are updated in ports. Two headers changed. One is only a comment updating the version number. The other header changed version number macros and a typedef used as a guard against not mixing source and headers of different versions: -typedef char *png_libpng_version_1_6_56; +typedef char *png_libpng_version_1_6_57; and png.c does the corresponding -typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56; +typedef png_libpng_version_1_6_57 Your_png_h_is_not_version_1_6_57; I see no ABI/API change.
No comments:
Post a Comment