glpng patches

[Hans de Goede]

Hi,

On 06/02/2014 12:20 AM, James Le Cuirot wrote:
> Hello list!
> 
> I have a series of patches for glpng, resulting in an eventual bump to
> version 1.46. This bump is needed as you will see and it's probably
> about time, seeing as the last release was 14 years ago.
> 
> Although I have prepared these patches, not all of them are actually by
> me. The most important comes from Hans de Goede, fixing CVE-2010-1519.
> I think he's on this list. Hi Hans. :)

Correct I'm on this list :)

> A few come from Aquaria, most
> notably the addition of memory reading functions.
> 
> The only other game I know of that uses this is Chromium BSU. I've
> checked that it still builds and works but I've only just discovered
> that most distros have opted to build it against SDL_image instead.
> Gentoo still uses glpng but if I'd known that before, I might not have
> spent so long on this. Oh well. :)

First if all I appreciate your work on this, and the posting of the
patches. But what exactly is the purpose of this, a chance to comment /
review before you do an official 1.46 release ?

Upstream seems to be dead, there is this page:
http://www.fifi.org/doc/libglpng-dev/glpng.html

But that has a broken download link. So if you're going to do a new release
maybe you can register a sourceforge or github proejct for it, and put
official tarbals up there ?

Also may I ask on top of which sources these patches are based ? I see
some bits in there which come from Debian patches, not from the original
1.45 sources. Is this based on: http://repo.or.cz/w/glpng.git  ?
Note that is completely fine, just wondering.

Last I'm not seeing this patch:
https://pkgs.fedoraproject.org/cgit/libglpng.git/tree/libglpng-1.45-libpng15.patch
In the series you posted, but an equivalent patch us already in
http://repo.or.cz/w/glpng.git , so if you're using that as a base rock on :)

Regards,

Hans