Bug 155278 - app-emulation/emul-linux-x86-baselibs: libpng sPLT chunk handling denial of service (CVE-2006-5793)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3? [noglsa]
Keywords:
Depends on: 154380
Blocks:
Reported: 2006-11-15 11:14 UTC by Simon Stelling (RETIRED)
Modified: 2006-12-14 09:52 UTC
Description Simon Stelling (RETIRED) gentoo-dev 2006-11-15 11:14:04 UTC
current app-emulation/emul-linux-x86-baselibs contains media-libs/libpng-1.2.12, therefore affected by bug 154380
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-15 13:36:32 UTC
amd64, pls provide an updated ebuild (don't forget about the other security bugs open for even more app-emulation/... packages)
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2006-11-22 19:46:43 UTC
fixed in emul-linux-x86-baselibs-2.5.4
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-22 21:02:17 UTC
Thx Olivier, please don't close security bugs.

Security, time for GLSA decision. (Is A rating correct?)
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-27 06:49:54 UTC
guess this should be B3 and not A3

We did a GLSA on the original bug, so I tend to vote yes (a tiny little yes vote only though). Could be a really short GLSA mainly referencing the original, since the issue itself really is not a big one.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 07:00:16 UTC
½ yes vote from me as well.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2006-11-27 07:12:53 UTC
1. It's not stable yet. Don't you want to wait until it's stable to issue a GLSA?
2. Do you want to wait for openssl to be updated before issuing a combined GLSA?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 07:20:53 UTC
Thx for the note Olivier. I misunderstood your comment #2 to say that it was stable. Back to stable marking for now.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-12-11 12:22:29 UTC
It was marked stable Dec 7.  Sorry no one mentioned it here...
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 12:57:13 UTC
Thx for the update dang.

This one is ready for GLSA vote. I tend to vote YES.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-11 16:33:48 UTC
A crash on applications using the libpng code? Without more severe impact, I vote noglsa.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 06:15:13 UTC
there was GLSA 200612-11 about the openssl issue already, so we could just drop this if voted against or update that glsa with info about libpng

/me tends to vote no
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-14 09:52:20 UTC
This was minor in the first case. Reverting to ½ NO and closing.