Gentoo Bug 155278 - app-emulation/emul-linux-x86-baselibs: libpng sPLT chunk handling denial of service (CVE-2006-5793)

First Last Prev Next No search results available Search page Enter new bug

Bug#:	155278
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Simon Stelling (RETIRED) <blubb@gentoo.org>
Add CC:
CC:

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 155278 depends on:	154380		Show dependency tree
Bug 155278 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2006-11-15 11:14 0000

current app-emulation/emul-linux-x86-baselibs contains
media-libs/libpng-1.2.12, therefore affected by bug 154380

------- Comment #1 From Matthias Geerdsen 2006-11-15 13:36:32 0000 -------

amd64, pls provide an updated ebuild (don't forget about the other security
bugs open for even more app-emulation/... packages)

------- Comment #2 From Olivier Crete 2006-11-22 19:46:43 0000 -------

fixed in emul-linux-x86-baselibs-2.5.4

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-11-22 21:02:17 0000 -------

Thx Olivier, please don't close security bugs.

Security, time for GLSA decision. (Is A rating correct?)

------- Comment #4 From Matthias Geerdsen 2006-11-27 06:49:54 0000 -------

guess this should be B3 and not A3

We did a GLSA on the original bug, so I tend to vote yes (a tiny little yes
vote only though). Could be a really short GLSA mainly referencing the
original, since the issue itself really is not a big one.

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-11-27 07:00:16 0000 -------

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-11-27 07:00:16 0000 -------

½ yes vote from me as well.

------- Comment #7 From Olivier Crete 2006-11-27 07:12:53 0000 -------

1. Its not stable yet. Don't you want to wait until its stable to issue a GLSA?
2. Do you want to wait for openssl to be updated before issuing a combined GLSA
?

------- Comment #8 From Sune Kloppenborg Jeppesen 2006-11-27 07:20:53 0000 -------

Thx for the note Olivier. I misunderstood your comment #2 to say that it was
stable. Back to stable marking for now.

------- Comment #9 From Daniel Gryniewicz 2006-12-11 12:22:29 0000 -------

It was marked stable Dec 7.  Sorry no one mentioned it here...

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-12-11 12:57:13 0000 -------

Thx for the update dang.

This one is ready for GLSA vote. I tend to vote YES.

------- Comment #11 From Raphael Marichez 2006-12-11 16:33:48 0000 -------

a crash on applications using the libpng code? without more severe impact, i
vote noglsa.

------- Comment #12 From Matthias Geerdsen 2006-12-13 06:15:13 0000 -------

there was GLSA 200612-11 about the openssl issue already, so we could just drop
this if voted against or update that glsa with info about libpng

/me tends to vote no

------- Comment #13 From Sune Kloppenborg Jeppesen 2006-12-14 09:52:20 0000 -------

This was minor in the first case. Reverting to

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-12-14 09:52:20 0000 -------

This was minor in the first case. Reverting to ½ NO and closing.

First Last Prev Next No search results available Search page Enter new bug

Bugzilla Bug 155278

app-emulation/emul-linux-x86-baselibs: libpng sPLT chunk handling denial of service (CVE-2006-5793)

Last modified: 2006-12-14 09:52:20 0000