Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 255231
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Stefan Behte <craig@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 255231 depends on: Show dependency tree
Bug 255231 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2009-01-17 00:47 0000 
CVE-2008-5907 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5907):
  The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
  and 1.2.x before 1.2.34, might allow context-dependent attackers to
  set the value of an arbitrary memory location to zero via vectors
  involving creation of crafted PNG files with keywords, related to an
  implicit cast of the '\0' character constant to a NULL pointer. 
  NOTE: some sources incorrectly report this as a double free
  vulnerability.

------- Comment #1 From Stefan Behte 2009-01-17 00:54:45 0000 ------- 
base-system: can this go stable?

------- Comment #2 From Lars Wendler (Polynomial-C) 2009-01-17 01:19:49 0000 ------- 
The summary is misleading as it includes version 1.2.34 which seems to be
unaffected.

------- Comment #3 From Stefan Behte 2009-01-17 02:48:55 0000 ------- 
Thanks, fixed.

------- Comment #4 From SpanKY 2009-01-17 15:53:14 0000 ------- 
ive seen no regressions with 1.2.34 ... it's fine to stabilize

------- Comment #5 From Robert Buchholz 2009-01-17 16:40:17 0000 ------- 
Arches, please test and mark stable:
=media-libs/libpng-1.2.34
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

------- Comment #6 From Ferris McCormick 2009-01-17 17:08:12 0000 ------- 
Sparc stable (I've been using it with no problems for 3 or 4 weeks now).

------- Comment #7 From Tobias Scherbaum 2009-01-18 11:19:27 0000 ------- 
ppc stable

------- Comment #8 From Tobias Klausmann 2009-01-18 12:18:57 0000 ------- 
Stable on alpha.

------- Comment #9 From Markus Meier 2009-01-18 13:58:20 0000 ------- 
amd64/x86 stable

------- Comment #10 From Jeroen Roovers 2009-01-19 11:31:53 0000 ------- 
Stable for HPPA.

------- Comment #11 From Brent Baude 2009-01-19 16:12:27 0000 ------- 
ppc64 done

------- Comment #12 From Stefan Behte 2009-01-26 00:54:00 0000 ------- 
ia64: *ping*

------- Comment #13 From Tobias Heinlein 2009-01-28 00:27:53 0000 ------- 
GLSA together with bug 244808.

------- Comment #14 From Raúl Porcel 2009-02-02 19:25:20 0000 ------- 
ia64 stable

------- Comment #15 From Robert Buchholz 2009-02-12 16:44:18 0000 ------- 
Redhat is disputing this issue:
http://thread.gmane.org/gmane.comp.security.oss.general/1375

------- Comment #16 From Pierre-Yves Rofes 2009-03-15 18:46:33 0000 ------- 
GLSA 200903-28
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug