Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 155278 - app-emulation/emul-linux-x86-baselibs: libpng sPLT chunk handling denial of service (CVE-2006-5793)
Summary: app-emulation/emul-linux-x86-baselibs: libpng sPLT chunk handling denial of s...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3? [noglsa]
Keywords:
Depends on: 154380
Blocks:
  Show dependency tree
 
Reported: 2006-11-15 11:14 UTC by Simon Stelling (RETIRED)
Modified: 2006-12-14 09:52 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Stelling (RETIRED) gentoo-dev 2006-11-15 11:14:04 UTC
current app-emulation/emul-linux-x86-baselibs contains media-libs/libpng-1.2.12, therefore affected by bug 154380
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-15 13:36:32 UTC
amd64, pls provide an updated ebuild (don't forget about the other security bugs open for even more app-emulation/... packages)
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2006-11-22 19:46:43 UTC
fixed in emul-linux-x86-baselibs-2.5.4
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-22 21:02:17 UTC
Thx Olivier, please don't close security bugs.

Security, time for GLSA decision. (Is A rating correct?)
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-27 06:49:54 UTC
guess this should be B3 and not A3

We did a GLSA on the original bug, so I tend to vote yes (a tiny little yes vote only though). Could be a really short GLSA mainly referencing the original, since the issue itself really is not a big one.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 07:00:16 UTC

    
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 07:00:16 UTC
½ yes vote from me as well.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2006-11-27 07:12:53 UTC
1. Its not stable yet. Don't you want to wait until its stable to issue a GLSA?
2. Do you want to wait for openssl to be updated before issuing a combined GLSA ?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 07:20:53 UTC
Thx for the note Olivier. I misunderstood your comment #2 to say that it was stable. Back to stable marking for now.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-12-11 12:22:29 UTC
It was marked stable Dec 7.  Sorry no one mentioned it here...
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 12:57:13 UTC
Thx for the update dang.

This one is ready for GLSA vote. I tend to vote YES.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-11 16:33:48 UTC
a crash on applications using the libpng code? without more severe impact, i vote noglsa.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 06:15:13 UTC
there was GLSA 200612-11 about the openssl issue already, so we could just drop this if voted against or update that glsa with info about libpng

/me tends to vote no
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-14 09:52:20 UTC
This was minor in the first case. Reverting to 
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-14 09:52:20 UTC
This was minor in the first case. Reverting to ½ NO and closing.