[update] png to 1.6.57
Theo Buehler <tb@theobuehler.org> wrote:

> On Thu, Apr 09, 2026 at 07:20:33AM +0200, Matthieu Herrb wrote:
> > === CVE-2026-34757 ===
> >
> > Use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST
> > leading to corrupted chunk data and potential heap information
> > disclosure
> >
> > no API/ABI change.
> >
> > ok ?

How did you see that in the mail?

> > I'll also take care of updating the embedded copy in xenocara,
> > used by freetype, although the affected functions are not called by
> > freetype afaict.
>
> The diff between the two versions reads fine and completely risk-free to
> me. ok for this as well.

Thanks! As I told matthieu, I think we ran into a case where ports and xenocara API/ABI needed to be very sync'd before, so we need to make sure that both naddy and I agree on the ABI/API now that we are locked. I think I agree, as long as I know no ABI change.