Hello,

On 1/2/07, Jonas Smedegaard <[EMAIL PROTECTED]> wrote:
>>> While checking the current bug in debian libgd, I found the gnuplot
>>> one (#368096).
>>
>> I forgot to mention that it does not segfault using CVS but using debian
>> libgd.
>
> I am happy to hear that.
>
> I was made aware of the new upstream CVS code only a few days ago, but
> have hesitated switching to that, as I found no mention of fixes to the
> following publicly announced security issues:
>
> CAN-2004-0990: http://bugs.debian.org/278625

Fixed, there is an overflow2 check now (gd_png.c line 319).

> CVE-2006-2906: http://bugs.debian.org/372912

Fixed, see #5 in libgd/ISSUES.

> Please confirm (preferably directly to those bug reports) that the current
> code in fact is not vulnerable to those issues, and I will be most happy
> to switch.

Is it possible to not mix all discussions in one bug report? It will be confusing very quickly.

I'm installing the issues tracker, it should be online tonight. I would like to centralize all issues there, is it ok for you? (You can obviously keep the debian tracker but it will really ease our lives if we centralize gd bugs in the gd project.)

Thanks for the heads-up,

--Pierre