On Wednesday 22 November 2006 19:00, Josh Bressers wrote:
> I'm going to presume you're claiming that since Fedora Core doesn't have
> the latest libpng, it's vulnerable to the issues fixed in the upstream
> new version.

Actually I downloaded the libpng src.rpm with yumdownloader --source libpng and took a look into it; it contains the spec, the upstream tarball and two patches:

libpng-1.2.10-multilib.patch
libpng-1.2.10-pngconf.patch

Description of CVE-2006-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
| Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng
| before 1.2.12 allows context-dependent attackers to cause a denial of
| service and possibly execute arbitrary code via unspecified vectors related
| to "chunk error processing," possibly involving the "chunk_name".

> libpng in Fedora Core has all relevant security issues backported into it.

$ grep pngrutil.c libpng-1.2.10-pngconf.patch libpng-1.2.10-multilib.patch
$

So it is not backported. The libpng homepage also states for release 1.2.12:
| The same releases (and their immediate predecessors) also fix an
| out-of-bounds (by one) memory read and a second buffer overrun, this one in
| the code that writes the sCAL ("physical scale of subject") chunk (which is
| rather rare in any case).

The patch for this is not backported, either.

I do not know how relevant the above vulnerabilities are, since Novell states that CVE-2006-3334 is not that important in
http://www.novell.com/linux/security/advisories/2006_16_sr.html

> If you have concerns regarding a specific issue, feel free to bring that
> up, but bug 211705 in no way represents a security flaw.

But if the mentioned issues are not security flaws, please document it in bugzilla, so it does not seem to be ignored.

Regards,
Till
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list