| Summary: | media-gfx/megapov affected by bundled libpng-1.2.8 (CVE-2008-5907, ...) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Diego Elio Pettenò (RETIRED) <flameeyes> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | binki, esigra, graphics+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~2 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 251464 | ||
megapov is at least affected by CVE-2008-5709 (c.f. bug 255231). For susceptibility to CVE-2008-5907, only 2 out of 3 needed requirements are met. I didn't check for other issues, but the one hit is enough for me to take action: Graphics, can you rip out libpng? If not, as upstream development seems to have stopped and no package RDPENEDS on it, we'd have to consider megapov as a candidate for removal. No response from maintainers. Treecleaners, please proceed to last rites. # Jeremy Olexa <darkside@gentoo.org> (3 Jul 2009) # Security issue, dead upstream. Removal in 60 days, bug 273105 media-gfx/megapov removed from tree, security team: all yours. libpng was rated B2 in bug #255231 megapov was never stable from what I see. → noglsa |
check ${S}/libraries/png.