Re: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry for the horribly delayed response.  I've been away on holiday.

> 
> Actually I downloaded the libpng src.rpm with yumdownloader --source
> libpng and took a look into it, it contains the spec, the upstream
> tarball and two patches:
> 
> libpng-1.2.10-multilib.patch
> libpng-1.2.10-pngconf.patch
> 

All known libpng CVE ids are tracked via the following files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora

If there are any CVE ids we're missing please let us know.  There are a
number of CVE ids that are simply client crashes.  We do not consider
client side crashes security issues, they are bugs.  Some of them get CVE
ids.  This is something MITRE is currently working on a policy for.  Right
now they have a blanket policy of assigning a CVE id to anything anyone
calls a security flaw.  It's then our job to weed through them and find the
relevant ones.

> 
> > If you have concerns regarding a specific issue, feel free to bring that
> > up, but bug 211705 in no way represents a security flaw.
> 
> But if the mentioned issues are no security flaws please document it in=20
> bugzilla, so it does not seem to be ignored.
> 

I've updated that bug with a statement regarding those CVE ids.  The two
mentioned in the bug are client crashes, thus are just bugs.

Thanks.

-- 
    JB

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux