Please make a 1.3.27 release for security fixes
Swiss army knife of image processing
Brought to you by:
bfriesen
I am trying to backport the long list of CVE fixes against 1.3.26 release but CVE-2017-15930 seems to be difficult to backport since there are so many changes in coders/png.c since the 1.3.26 release.
It would be great to have a new release so that we fix those security issues on production systems.
Alternatively, it would be nice with a patch that applies cleanly on the 1.3.26 release that solves CVE-2017-15930.
Thanks!
I agree that we are past due for a release. It would be wrong to focus on just one issue afflicting png.c since many issues have been fixed in png.c since the last release.
I am aware that there are more issues. The point is that it is difficult to fix production systems in the current state.
Backporting patches also requires some work since each commit includes a changelog and version string change. Those hunks need to be manually removed to be able to apply the patch with the actual fix. I did a handful of fixes but gave up when I got to png.c. I thought that it would be easier for you to tag a new release than it would be for me to try to manually backport 20-30 patches for png.c.
Do you have an ETA for when a 1.3.27 may be out? If it's another 6 months then I should just go ahead and try to backport the 30 patches.
Meanwhile, users remain vulnerable.
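As an added illustration of the manual step described in the post above (this is not code from the thread or from the GraphicsMagick project), the following Python filter drops the per-file sections of a unified diff that belong to release bookkeeping files, so that only the hunks carrying the actual fix are passed on to `patch`. The file names `ChangeLog` and `version.sh` are assumptions about the GraphicsMagick tree, and the sample changeset is constructed for the example; adjust the list for the project being backported to.

```python
import posixpath
from typing import List, Sequence

# Files whose hunks are release bookkeeping rather than the fix itself.
# "ChangeLog" and "version.sh" are assumptions about the GraphicsMagick
# tree, chosen for this example; adjust for the project at hand.
BOOKKEEPING_PATHS = ("ChangeLog", "version.sh")


def split_sections(diff_text: str) -> List[List[str]]:
    """Split a unified diff into sections: any preamble (changeset headers,
    commit message), then one section per changed file starting at its
    'diff ' line (or at '--- ' when the diff carries no 'diff ' lines)."""
    lines = diff_text.splitlines(keepends=True)
    marker = "diff " if any(l.startswith("diff ") for l in lines) else "--- "
    sections: List[List[str]] = []
    current: List[str] = []
    for line in lines:
        if line.startswith(marker) and current:
            sections.append(current)
            current = []
        current.append(line)
    if current:
        sections.append(current)
    return sections


def section_path(section: Sequence[str]) -> str:
    """Return the file path a section modifies ('' for the preamble),
    taken from the '+++' header with any a/ or b/ prefix removed."""
    for line in section:
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0].strip()
            if path.startswith(("a/", "b/")):
                path = path[2:]
            return path
    return ""


def changed_paths(diff_text: str) -> List[str]:
    """List the files touched by a diff, in order of appearance."""
    return [p for p in (section_path(s) for s in split_sections(diff_text)) if p]


def strip_bookkeeping(diff_text: str, drop: Sequence[str] = BOOKKEEPING_PATHS) -> str:
    """Return the diff with bookkeeping sections removed. A section is dropped
    when its full path or its basename is in `drop`, so a nested
    'www/ChangeLog' is dropped as well; the preamble is always kept."""
    kept = []
    for section in split_sections(diff_text):
        path = section_path(section)
        if path and (path in drop or posixpath.basename(path) in drop):
            continue
        kept.append("".join(section))
    return "".join(kept)


# Constructed sample in 'hg export' style; not a real GraphicsMagick changeset.
SAMPLE_PATCH = """# HG changeset patch
# User example <dev@example.invalid>
Fix a coder bug (constructed sample commit message)

diff -r 1111111111 -r 2222222222 ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,2 +1,5 @@
+2017-01-01  Example  <dev@example.invalid>
+
+        * coders/foo.c (ReadFOOImage): Fix a bug.
+
 Older entries
diff -r 1111111111 -r 2222222222 coders/foo.c
--- a/coders/foo.c
+++ b/coders/foo.c
@@ -10,4 +10,4 @@
 static int ReadFOOImage(void)
 {
-  return 1;
+  return 2;
 }
diff -r 1111111111 -r 2222222222 version.sh
--- a/version.sh
+++ b/version.sh
@@ -1,2 +1,2 @@
-PACKAGE_VERSION=1.3.26
+PACKAGE_VERSION=1.3.27
 PACKAGE_NAME=GraphicsMagick
"""

if __name__ == "__main__":
    # Typical use: python strip_bookkeeping.py < changeset.diff | patch -p1
    print(strip_bookkeeping(SAMPLE_PATCH), end="")
```

The filter keeps the changeset preamble so the commit message travels with the backported hunks, and it matches on basename as well as full path so a project that keeps its changelog in a subdirectory is handled without listing every location.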
The png.c problem could be handled by a single "patch", which might include some small new features but otherwise addresses many issues beyond those described by CVEs. Regardless, unless something unexpected happens I will try to cut the next release this weekend.
The release is done. Releasing requires far more than applying a "tag" since it required about 5 hours of my time.
Thank you very much!