During a source code audit, Chris Evans discovered several buffer overflows
in libpng. An attacker could create a carefully crafted PNG file in such a
way that it would cause an application linked with libpng to execute
arbitrary code when the file was opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0597 to these issues.
In addition, this audit discovered a potential NULL pointer dereference in
libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599).
An attacker could create a carefully crafted PNG file in such a way that
it would cause an application linked with libpng to crash when the file was
opened by the victim.
Info:
https://rhn.redhat.com/errata/RHSA-2004-402.html
------- Additional Comments From marcdeslauriers 2004-08-04 17:04:49 ----
Here are packages for 7.3 and 9 that fix this issue:
Changelog:
* Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers> 1.0.14-0.7x.7.legacy
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.
7.3:
3bd0955ccf2df348f5cf00e624b2541d700581e1 libpng-1.0.14-0.7x.7.legacy.i386.rpm
5525eda4abd357f11b1b13f61102d8f7bad0b2a3 libpng-1.0.14-0.7x.7.legacy.src.rpm
176460abd71efdb04fc32ee6f7f7eb403bdb2916 libpng-devel-1.0.14-0.7x.7.legacy.i386.rpm
9:
35f4bb98acb97d3d50ff0539a8bc14a3cb95a5d4 libpng10-1.0.13-11.3.legacy.i386.rpm
f175613c50acbfc00742a2ff2ba87c71fc56cfbc libpng10-1.0.13-11.3.legacy.src.rpm
e20d5ceb0029095ecbdf0181f4c591ef748b2ae9 libpng10-devel-1.0.13-11.3.legacy.i386.rpm
d664e002e1ec6edf5327e2c1630d9cece2b472bd libpng-1.2.2-20.2.legacy.i386.rpm
f95ebd506e55f6cdba7c5da60c1cc0063860a813 libpng-1.2.2-20.2.legacy.src.rpm
4d2bc34a9d337618bfab1f8e6ada9a314ebf8894 libpng-devel-1.2.2-20.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-devel-1.0.14-0.7x.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-devel-1.2.2-20.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-devel-1.0.13-11.3.legacy.i386.rpm
------- Additional Comments From michal 2004-08-06 10:53:50 ----
Created an attachment (id=798)
piece which was dropped on the way to the current version
Looking at the sources, what is available here is equivalent to what was in previous
versions plus new fixes, with the exception of one patch fragment. It came in
libpng-1.0.9-badchunks.patch in older releases. It is attached here. I am not
that sure that it is really no longer needed.
In case one would want to apply it to the current version this should be
done with 'patch -R ....'.
------- Additional Comments From dom 2004-08-11 13:06:07 ----
Having examined the rh7.3 patch I find the following:
There seem to be some discrepancies between the patch you have included as
libpng-1.0.14-security.patch and libpng-1.2.5-all-patches.txt which according to
http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt is the correct
patchset for 1.0.14. When both patches are applied the following differences
reveal themselves (attached).
Haven't looked at the 9 version - is that what you were comparing against,
Michal? Either way is there any reason why the recommended patch from the
developers is not included verbatim with no other security patches?
Cheers,
------- Additional Comments From dom 2004-08-11 13:07:24 ----
Created an attachment (id=808)
differences between officially patched version and 7.3 SRPM 0.7x.7.legacy
------- Additional Comments From dwb7.edu 2004-08-12 10:43:04 ----
libpng packages now available for QA for RH7.3:
sha1sum -b libpng*
b7053c46bd55f9100820b2423e524d05c9c022f1 *libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb *libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c *libpng-devel-1.0.14-7.legacy.1.i386.rpm
Download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/libpng
-DWB
------- Additional Comments From simon 2004-09-09 08:32:00 ----
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm
Inspected SPEC file - OK
Checked patches against original from libpng for 1.0.14 (combined patch file
minus patches for later versions up to 1.2.5) - OK
BUILD - OK
INSTALL - OK
Appears to function normally with PHP (use verified via ldd) - OK
+PUBLISH
- Si
------- Additional Comments From simon 2004-09-09 08:39:33 ----
I forgot to mention the above was tested on Redhat 7.3
- Si
------- Additional Comments From cra 2004-10-21 16:16:54 ----
QA for RH 7.3 packages from Dave Botsch:
b7053c46bd55f9100820b2423e524d05c9c022f1 libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c libpng-devel-1.0.14-7.legacy.1.i386.rpm
I still see differences from the upstream patch, identical to the
differences mentioned in comment #4. This is the upstream patch that
should be applied to the 1.0.14 sources:
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.5-all-patches.txt
------- Additional Comments From cra 2004-10-21 17:55:35 ----
Additional QA for RH 7.3 packages from Dave Botsch:
b7053c46bd55f9100820b2423e524d05c9c022f1 libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c libpng-devel-1.0.14-7.legacy.1.i386.rpm
I'm not sure the pkgconfig files should be there. They aren't in the
original packages for 7.3. libpng.pc is also not correct, as it refers
to libpng10:
/usr/bin/pkgconfig
/usr/lib/pkgconfig/libpng.pc:
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${exec_prefix}/include
Name: libpng10
Description: Loads and saves PNG files
Version: 1.0.14
Libs: -L${libdir} -lpng10 -lz -lm
Cflags: -I${includedir}/libpng10
------- Additional Comments From cra 2004-10-21 18:31:20 ----
There are some interesting E:N-V-R versioning differences that we need to get right:
Latest RH 7.3 errata:
2:libpng-1.0.14-0.7x.4.i386
2:libpng-devel-1.0.14-0.7x.4.i386
Latest RH 9 errata:
(none):libpng10-1.0.13-11.i386
(none):libpng10-devel-1.0.13-11.i386 (provides libpng-devel = (none):1.0.13)
2:libpng-1.2.2-20.i386
2:libpng-devel-1.2.2-20.i386
Latest FC 1 errata:
(none):libpng10-1.0.15-7.i386
(none):libpng10-devel-1.0.15-7.i386 (doesn't have virtual provides libpng-devel)
2:libpng-1.2.5-7.i386
2:libpng-devel-1.2.5-7.i386
The libpng packages need to maintain the Epoch: 2 for upgrades to work.
libpng10 should remain with no Epoch for upgrades of those packages to work.
What is up with the Provides: libpng-devel in the libpng10-devel packages? Do
any other packages require a versioned libpng-devel anywhere? It seems like
this was a packaging bug in RH 9, and the issue was avoided altogether in FC 1,
where no Provides: libpng-devel is there at all. Perhaps the problem never
arose in real life, because no one used versioned-requires on libpng-devel.
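The ordering rule behind the Epoch remark above, as an added example (not part of the original comment and not rpm's own source): a C implementation of rpm's classic segment-wise version comparison, applied to E:V-R strings quoted in this thread. It assumes a missing Epoch compares as 0, and the names `seg_vercmp`, `parse_evr` and `evr_cmp` are chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Order one version or release string the way classic rpmvercmp() does
 * (the later '~' and '^' extensions are not handled). */
static int seg_vercmp(const char *a, const char *b)
{
    while (*a && *b) {
        /* Separators (any non-alphanumeric byte) only split segments. */
        while (*a && !isalnum((unsigned char)*a)) a++;
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b)
            break;

        const char *sa = a, *sb = b;
        int isnum = isdigit((unsigned char)*a) != 0;
        if (isnum) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        /* Different segment types: numeric is newer than alphabetic. */
        if (b == sb)
            return isnum ? 1 : -1;

        if (isnum) {
            /* Ignore leading zeros; after that the longer number is larger. */
            while (sa < a && *sa == '0') sa++;
            while (sb < b && *sb == '0') sb++;
        }
        size_t la = (size_t)(a - sa), lb = (size_t)(b - sb);
        if (isnum && la != lb)
            return la > lb ? 1 : -1;
        int c = memcmp(sa, sb, la < lb ? la : lb);
        if (c != 0)
            return c > 0 ? 1 : -1;
        if (la != lb)
            return la > lb ? 1 : -1;
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;     /* the string with segments left over is newer */
}

struct evr { long epoch; char ver[64]; char rel[64]; };

/* Parse "[EPOCH:]VERSION-RELEASE". Returns 0 on success, -1 if malformed. */
static int parse_evr(const char *s, struct evr *out)
{
    const char *colon = strchr(s, ':');
    out->epoch = 0;         /* assumption: a missing Epoch compares as 0 */
    if (colon) {
        char *end;
        if (colon == s)
            return -1;
        out->epoch = strtol(s, &end, 10);
        if (end != colon || out->epoch < 0)
            return -1;
        s = colon + 1;
    }
    const char *dash = strrchr(s, '-');
    if (!dash || dash == s || dash[1] == '\0')
        return -1;
    size_t vlen = (size_t)(dash - s), rlen = strlen(dash + 1);
    if (vlen >= sizeof out->ver || rlen >= sizeof out->rel)
        return -1;
    memcpy(out->ver, s, vlen);
    out->ver[vlen] = '\0';
    memcpy(out->rel, dash + 1, rlen + 1);
    return 0;
}

/* 1 if a is newer than b, -1 if older, 0 if equal, -2 if unparsable.
 * Epoch decides first, then Version, then Release. */
int evr_cmp(const char *a, const char *b)
{
    struct evr x, y;
    if (parse_evr(a, &x) || parse_evr(b, &y))
        return -2;
    if (x.epoch != y.epoch)
        return x.epoch > y.epoch ? 1 : -1;
    int c = seg_vercmp(x.ver, y.ver);
    return c ? c : seg_vercmp(x.rel, y.rel);
}

int main(void)
{
    /* Candidate vs. installed, using E:V-R strings from package names in the thread. */
    static const char *pairs[][2] = {
        { "2:1.0.15-0.7x.1.legacy", "2:1.0.14-0.7x.4" }, /* Epoch kept: upgrade */
        { "1.0.15-0.7x.1.legacy",   "2:1.0.14-0.7x.4" }, /* Epoch dropped: looks older */
        { "1.0.15-0.9.1.legacy",    "1.0.13-11" },       /* libpng10 on RH 9 */
        { "1.0.15-0.9.1.legacy",    "1.0.15-7" },        /* RH 9 build vs. FC 1 package */
        { "1.0.15-7.1.legacy",      "1.0.15-7" },        /* FC 1 legacy build */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-26s vs %-18s -> %d\n", pairs[i][0], pairs[i][1],
               evr_cmp(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The second pair shows why dropping Epoch: 2 from libpng would make the higher-versioned update sort below the installed errata; the fourth shows that the RH 9 release tag stays below the FC 1 package, so a later upgrade to FC 1 still wins.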
------- Additional Comments From cra 2004-10-25 06:17:01 ----
Answering my question about libpng10-devel providing libpng-devel,
it appears we should remove the virtual provide:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110161
------- Additional Comments From marcdeslauriers 2004-10-25 11:40:14 ----
Just thinking out loud here: what would happen if a package, included with rh9
or a third-party package for rh9, has a BuildRequires libpng = 1.0.13 in it?
Are we absolutely sure we won't be breaking anything?
------- Additional Comments From cra 2004-10-25 12:13:13 ----
If there was, it would already break. The backwards compat package has a
different version already. 7.3 has 2:libpng-1.0.14, and 9 has
(none):libpng10-1.0.13. I don't think we should worry about exact versioned
BuildRequires.
------- Additional Comments From jpdalbec 2004-10-29 03:02:28 ----
04.42.26 CVE: CAN-2004-0955
Platform: Cross Platform
Title: LibPNG Image Height Integer Overflow
Description: LibPNG is the Portable Network Graphics (PNG) reference
library. LibPNG is vulnerable to an integer overflow in the image
height parameter. Debian has released a patch to fix this issue. The
issue is fixed in version 1.0.12-3.woody.
Ref: http://www.debian.org/security/2004/dsa-570
------- Additional Comments From deisenst 2004-11-19 05:43:58 ----
According to http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt,
libpng-1.2.5 is also affected by many of these issues. I am adding FC1 to the
keyword list and we'll need to look into it further.
------- Additional Comments From cra 2004-11-19 06:00:06 ----
I built new 1.0.15 packages with the upstream patch included, and merged
the spec files so all the various versions are the same except where
needed. This should make future maintenance easier, especially once/if
FC1 needs an update. I did end up including fixed pkgconfig files since
they needed to be fixed for the other releases anyway.
Upstream patch:
http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.5-all-patches.txt
RH 9:
d1bb0af6be1ae41e161257ed285ea6a354155b42 libpng10-1.0.15-0.9.1.legacy.src.rpm
6d6897433536ede53467e04afd9ab817ce68813e libpng10-1.0.15-0.9.1.legacy.i386.rpm
77c7d796b821d10b9b937e3e079e54958d21d514 libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
ccc986bf6792fc3172479a2e353b732784672321 libpng10-debuginfo-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-1.0.15-0.9.1.legacy.src.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-debuginfo-1.0.15-0.9.1.legacy.i386.rpm
RH 7.3:
38fa3e75ffc56dc7e6e0ecb3380a34e8f9469fb2 libpng-1.0.15-0.7x.1.legacy.src.rpm
096ae9361ea6411043e6b89dfc3ef83a77b8ef57 libpng-1.0.15-0.7x.1.legacy.i386.rpm
4093970919d5e13fd84ed4cd427f785b7cda834f libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-1.0.15-0.7x.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-1.0.15-0.7x.1.legacy.src.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm
* Mon Oct 25 2004 Charles R. Anderson <cra> 1.0.15-0.9.1.legacy
- Build for RH 9
* Fri Oct 22 2004 Charles R. Anderson <cra> 1.0.15-0
- Sync RH 9 libpng10 and RH 7.x libpng package specs
* Thu Oct 21 2004 Charles R. Anderson <cra> 1.0.14-0.7x.8.legacy
- Use upstream security patch 1.2.5 that is recommended for use
with release 1.0.14.
- Fix previous two changelog entry's formatting
* Thu Aug 12 2004 Dave Botsch <dwb7.edu>
- Added legacy keyword to release
* Fri Jul 23 2004 Matthias Clasen <mclasen> 1.0.14-7
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
------- Additional Comments From jpdalbec 2004-11-24 09:36:09 ----
If I build libpng10 from the source RPM, I get different --requires output from
the previous version. Should this be cause for concern?
(provides)
-libpng10 = 1.0.13-11.1.legacy
+libpng10 = 1.0.15-0.9.1.legacy
(requires)
/sbin/ldconfig
/sbin/ldconfig
libc.so.6
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1.3)
-libm.so.6
-libm.so.6(GLIBC_2.0)
-libz.so.1
I don't see differences in the ldd output.
------- Additional Comments From jpdalbec 2004-11-24 10:00:39 ----
Sorry, there was a bug in my summary script. It didn't run ldd against shared
libraries. Now I do see ldd differences:
-/usr/lib/libpng.so.2.1.0.13
+/usr/lib/libpng.so.2.1.0.15
libc.so.6 => /lib/tls/libc.so.6
/lib/ld-linux.so.2 => /lib/ld-linux.so.2
- libm.so.6 => /lib/tls/libm.so.6
- libz.so.1 => /usr/lib/libz.so.1
Should the gcc command to build the shared library have -lz -lm added to it?
------- Additional Comments From cra 2004-11-24 11:17:20 ----
The library should not have been linked against those libs. It is the
responsibility of the program using the library to pull in libz and libm as needed.
------- Additional Comments From jpdalbec 2004-11-29 07:24:16 ----
f95ebd506e55f6cdba7c5da60c1cc0063860a813 libpng-1.2.2-20.2.legacy.src.rpm
When I build this .src.rpm I get:
libpng-1.2.2-20.2.legacy/usr/lib/libpng12.so.0.1.2.2:
libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
libm.so.6 => /lib/tls/libm.so.6 (0x40040000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
Per comment 19 the .so should not be linked against libz or libm.
------- Additional Comments From rob.myers.edu 2004-11-29 10:26:42 ----
Here are updated libpng10 and libpng packages to QA for fc1:
- includes one extra patch from:
http://dl.sourceforge.net/sourceforge/libpng/libpng-patch11-limit-dimensions.txt
- libpng-1.2.5 links to libm and libz, just as original package does
- libpng10-1.0.15-7.1.legacy.src.rpm source looks basically the same as
libpng10-1.0.15-0.9.1.legacy.src.rpm, plus some cleanups and with a version
high enough to update an fc1 machine. if the sources are going to be
merged, perhaps an fc1 based version is most appropriate?
changelogs:
libpng10-1.0.15-7.1.legacy:
* Mon Nov 29 2004 Rob Myers <rob.myers.edu> 1.0.15-7.1.legacy
- apply patch to limit dimensions (FL #1943)
libpng-1.2.5-7.1.legacy:
* Mon Nov 29 2004 Rob Myers <rob.myers.edu> 2:1.2.5-7.1.legacy
- apply patch to limit dimensions (FL #1943)
sha1sums:
e3522daec3945a01a9a637e8d76f957288ce0785 libpng10-1.0.15-7.1.legacy.i386.rpm
8e9781e86aa2a78eadccc3bdd5e8617102586910 libpng10-1.0.15-7.1.legacy.src.rpm
0be1100bf079c0c0a9b597d223fe9646aae32d0d libpng10-debuginfo-1.0.15-7.1.legacy.i386.rpm
8a9f21d6699f2842aa6f98af6135b0aca7c2b0a8 libpng10-devel-1.0.15-7.1.legacy.i386.rpm
9ae48e26207292c128699f89574219c69bc9157b libpng-1.2.5-7.1.legacy.i386.rpm
2e7b7891fcb418b03ccaf21296f2d9c6c3719bcb libpng-1.2.5-7.1.legacy.src.rpm
66bec2e649803284bff092f84138dceff81362ad libpng-debuginfo-1.2.5-7.1.legacy.i386.rpm
4f3537e04eb0c408c1fe78dd7477bfbb852967ad libpng-devel-1.2.5-7.1.legacy.i386.rpm
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-1.0.15-7.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-debuginfo-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-devel-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-1.2.5-7.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-1.2.5-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-debuginfo-1.2.5-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-devel-1.2.5-7.1.legacy.i386.rpm
------- Additional Comments From jpdalbec 2004-11-29 10:36:26 ----
++PUBLISH RH7.3
++PUBLISH RH9
d1bb0af6be1ae41e161257ed285ea6a354155b42 libpng10-1.0.15-0.9.1.legacy.src.rpm
38fa3e75ffc56dc7e6e0ecb3380a34e8f9469fb2 libpng-1.0.15-0.7x.1.legacy.src.rpm
f95ebd506e55f6cdba7c5da60c1cc0063860a813 libpng-1.2.2-20.2.legacy.src.rpm
libpng10-1.0.15-0.9.1.legacy.src.rpm: sha1 md5 gpg OK
libpng-1.0.15-0.7x.1.legacy.src.rpm: sha1 md5 gpg OK
libpng-1.2.2-20.2.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK
Some ldd differences (an improvement, I'm told).
GNOME works normally with the new libraries.
Some new config files added to packages.
libpng10 no longer owns /usr/lib/pkgconfig.
------- Additional Comments From deisenst 2004-12-08 19:40:26 ----
Part 1 of 2: FC1 libpng10:
QA'ing Rob's FC1 libpng10-1.0.15-7.1.legacy.src.rpm in comment 21:
8e9781e86aa2a78eadccc3bdd5e8617102586910 libpng10-1.0.15-7.1.legacy.src.rpm
* sha1sum OK
* rpm --checksig libpng10-1.0.15-7.1.legacy.src.rpm
libpng10-1.0.15-7.1.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK
* source file identical to libpng10-1.0.15.7.src.rpm from FC1 updates.
* spec file looks great. Good idea placing a comment to designate Fedora
legacy patches versus others in the spec file.
* patch to limit dimensions good. In combination with previous patches,
produces same patched source as is created by using the upstream's
"all-patches" patch file.
* Builds well.
* Charles Anderson's rpm-build-compare script output looks reasonable for
both output rpm packages.
* Installs ok.
* Runs okay. Tested with the pngtest.c program included, and with the gimp
help browser, which is the only app I know that uses libpng10.
PUBLISH+
=============================================================================
------- Additional Comments From deisenst 2004-12-09 10:56:18 ----
Part 2 of 2: FC1 libpng:
QA'ing Rob's FC1 libpng-1.2.5-7.1.legacy.src.rpm in comment 21:
2e7b7891fcb418b03ccaf21296f2d9c6c3719bcb libpng-1.2.5-7.1.legacy.src.rpm
* sha1sum OK
* rpm --checksig libpng-1.2.5-7.1.legacy.src.rpm
libpng-1.2.5-7.1.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK
* source file identical to libpng-1.2.5-7.src.rpm from FC1 updates.
* spec file looks good. Has proper %post and %postun for libraries.
* patch to limit dimensions good. In combination with previous patches,
produces same patched source as is created by using the upstream's
"all-patches" patch file.
* Builds well.
* Charles Anderson's rpm-build-compare script output looks reasonable for
both output rpm packages.
* Installs ok.
* Runs well.
PUBLISH++
------- Additional Comments From deisenst 2004-12-09 10:59:14 ----
Does this issue need further QA, or can it go on to the next stage? -David
------- Additional Comments From dom 2004-12-09 13:20:50 ----
Good to go IMO. I've moved it to the to-build list in issues.txt.
------- Additional Comments From dom 2004-12-09 13:57:17 ----
This isn't resolved yet.
------- Additional Comments From deisenst 2004-12-09 13:59:06 ----
Oh, okay. I guess the process is still a little unclear to me. Sorry.
------- Additional Comments From marcdeslauriers 2004-12-18 09:18:51 ----
Pushed to updates-testing
------- Additional Comments From jimpop 2004-12-19 22:03:03 ----
+VERIFIED 73
21a9a1d6e6ae60ffd6144c8bfbf5b2fb libpng-1.0.15-0.7x.1.legacy.i386.rpm
Per instructions from David Eisenstein (thank you), I have used pngtest to
verify libpng-1.0.15 on Redhat 7.3
- - - - - - - - - - - - - - - - - - - - - - - -
Testing libpng version 1.0.15
with zlib version 1.1.4
libpng version 1.0.15 - October 3, 2002
Copyright (c) 1998-2002 Glenn Randers-Pehrson
Copyright (c) 1996-1997 Andreas Dilger
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
library (10015): libpng version 1.0.15 - October 3, 2002 (header)
pngtest (10015): libpng version 1.0.15 - October 3, 2002 (header)
sizeof(png_struct)=680, sizeof(png_info)=288
Testing pngtest.png:
Pass 0: rwrwrwrwrwrwrwrwrw
Pass 1: rwrwrwrwrwrwrwrwrw
Pass 2: rwrwrwrwrwrwrwrw
Pass 3: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
Pass 4: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
Pass 5: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
rwrwrwrw
Pass 6: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
rwrwrwrwrw
PASS (9782 zero samples)
Filter 0 was used 21 times
Filter 1 was used 15 times
Filter 2 was used 52 times
Filter 3 was used 10 times
Filter 4 was used 33 times
tIME = 7 Jun 1996 17:58:08 +0000
libpng passes test
- - - - - - - - - - - - - - - - - - - - - - - -
------- Additional Comments From jimpop 2004-12-20 11:22:54 ----
+VERIFIED 73
21a9a1d6e6ae60ffd6144c8bfbf5b2fb libpng-1.0.15-0.7x.1.legacy.i386.rpm
Per instructions from David Eisenstein (thank you), I have used pngtest to
verify libpng-1.0.15 on Redhat 7.3
- - - - - - - - - - - - - - - - - - - - - - - - -
Testing libpng version 1.0.15
with zlib version 1.1.4
libpng version 1.0.15 - October 3, 2002
Copyright (c) 1998-2002 Glenn Randers-Pehrson
Copyright (c) 1996-1997 Andreas Dilger
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
library (10015): libpng version 1.0.15 - October 3, 2002 (header)
pngtest (10015): libpng version 1.0.15 - October 3, 2002 (header)
sizeof(png_struct)=680, sizeof(png_info)=288
Testing pngtest.png:
Pass 0: rwrwrwrwrwrwrwrwrw
Pass 1: rwrwrwrwrwrwrwrwrw
Pass 2: rwrwrwrwrwrwrwrw
Pass 3: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
Pass 4: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
Pass 5: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
rwrwrwrw
Pass 6: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
rwrwrwrwrw
PASS (9782 zero samples)
Filter 0 was used 21 times
Filter 1 was used 15 times
Filter 2 was used 52 times
Filter 3 was used 10 times
Filter 4 was used 33 times
tIME = 7 Jun 1996 17:58:08 +0000
libpng passes test
- - - - - - - - - - - - - - - - - - - - - - - - -
------- Additional Comments From pekkas 2004-12-22 04:44:10 ----
QA for RHL9:
- rpm-build-compare looks good
- packages install OK
- pngtest passes the test (as comment #30)
- a couple of apps which use libpng work ok.
+VERIFY RHL9
d71f34a57a80386cdbe2bc9738f0e2b778c639e7 libpng10-1.0.15-0.9.1.legacy.i386.rpm
e89ca650e1839e4ad3155097cf6c70e239befe7c libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
90c20c26388d2a32fb84433bff3d3abcd7010425 libpng-1.2.2-20.2.legacy.i386.rpm
360acd84d0b7e8bdf7e3358d3235bc67c28b1ba8 libpng-devel-1.2.2-20.2.legacy.i386.rpm
------- Additional Comments From deisenst 2004-12-22 15:41:46 ----
Created an attachment (id=951)
Pekka's QA from comment 32, that verifies with PGP
I removed white space from comment 32 so that it would pass PGP verification.
In the attachment.
------- Additional Comments From rob.myers.edu 2005-01-05 08:35:24 ----
i took a look at the fc1 packages:
0afca5b729899b1fedeed263ddd2ac7aa506eb5b libpng10-1.0.15-7.1.legacy.i386.rpm
6a7a6ecaa0435e2254e48bc5ea4c2d1724d5b160 libpng10-devel-1.0.15-7.1.legacy.i386.rpm
8e28d39029ff88510d3899c2848273a76b6e71f4 libpng-1.2.5-7.1.legacy.i386.rpm
405443b2e0e56b3d5e5f3f9b6a89bd3a83c24afb libpng-devel-1.2.5-7.1.legacy.i386.rpm
- gpg signature good
- rpm-build-compare looks good
- installs fine
- works fine
+VERIFY
------- Additional Comments From jimpop 2005-01-05 10:00:10 ----
+VERIFIED 73
Tested on RH73. PNG graph generation (via MRTG) works.
1c286b40e2ad76146a9a4480e9db26bc04aaadb7 libpng-1.0.15-0.7x.1.legacy.i386.rpm
-Jim P.
------- Additional Comments From deisenst 2005-01-08 15:07:22 ----
I believe these packages have enough VERIFIES (they have been verified for
RH7.3, RH9 and FC1), so I am marking this issue VERIFIED.
These should be moved to updates.
------- Additional Comments From dom 2005-01-08 16:06:32 ----
For proofreading:
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt
------- Additional Comments From pekkas 2005-01-08 22:16:23 ----
Advisory looks good, but should we also reference CVE-2002-1363 such as Red Hat
is doing, because the patch for that changed in the meantime (I think)?
------- Additional Comments From dom 2005-01-09 02:26:40 ----
Have we fixed that though? I don't see anything in the bug history referencing
that number.
------- Additional Comments From pekkas 2005-01-09 06:50:07 ----
AFAICS, the old patch (transfix) was one that RHEL21 replaced with a better
patch from upstream, like we did. So, if RHEL21's patch was considered a better
fix to CAN-2002-1363, maybe ours should be considered a better fix to that as well?
------- Additional Comments From deisenst 2005-01-10 15:12:57 ----
Created an attachment (id=964)
Entire advisory (revision 007 29-Oct-04) for libpng-1.2.5 and earlier versions
The enclosed file is the latest SECURITY ADVISORY available for the libpng
packages we are patching here. Regarding the transfix patch, these two
paragraphs seem relevant:
"libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt
Fixes bug that was introduced in version 1.0.2
This bug was widely publicised in December 2002 and
has been fixed in many Linux distributions. Mitre
named this vulnerability CAN-2002-1363. Use to patch
libpng-1.0.5 through 1.2.5
"libpng-patch01-pngrtran-filler-GG-overflow.txt
Fixes bug that was introduced in version 1.0.2
This bug was also publicised around January 2003.
Because of its similarity to patch00, there has been
some confusion and hardly anyone has applied this
patch. There was a flurry of bug reports about this
in June 2004 when people noticed that only half of
the problem had been fixed. Mitre has assigned
a new name, CAN-2004-0768, to this vulnerability."
I have gone ahead and checked all .src.rpm's that this bug report is patching
and find that both
libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt and
libpng-patch01-pngrtran-filler-GG-overflow.txt
are included in all of the patches. This implies that not only are we
patching for CVE-2002-1363 (no longer CAN-2002-1363), but we are also patching
here for CAN-2004-0768. I will change the title of this bug to reflect that.
------- Additional Comments From deisenst 2005-01-10 15:48:37 ----
HOWEVER -- in reviewing all of the .src.rpm's, I discovered that the patch file
for RH9's libpng-1.2.2-20.2.legacy.src.rpm in updates-testing (from comment 1)
is out of date, from July, named "libpng-1.2.2-security.patch".
The advisory mentioned in comment 41 indicates that the correct megapatch for
libpng-1.2.2 should be "libpng-1.2.2-all-patches.txt".
The difference between these two patch files is effectively the
"libpng-patch11-limit-dimensions.txt", which is the patch that limits images to
having no more than one million rows and one million columns.
Upstream patch for libpng-1.2.2 for RH9:
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.2-all-patches.txt
The other packages in updates-testing for RH9 (coming from
libpng10-1.0.15-0.9.1.legacy.src.rpm in comment 16) are fine; that .src.rpm
includes "libpng-1.2.5-all-patches.patch", which is the recommended megapatch
for libpng-1.0.15.
I will go ahead and release an updated libpng-1.2.2 srpm for RH9, using the
upstream patch and post links to it here, hopefully later tonight.
-David
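How a dimension limit of the kind described above (and the image-height overflow reported earlier as CAN-2004-0955) plays out, as an added example that is neither libpng code nor the upstream patch: a C check of a PNG IHDR header that bounds width and height at one million before doing any size arithmetic, next to the 32-bit calculation that wraps. The function names, the constructed headers and the 64-bit sizing are assumptions of this example; the CRC and the full depth/colour-type pairing rules are not checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIM_LIMIT 1000000u /* one million rows/columns, the limit named in the thread */
#define IHDR_END 33u       /* 8 signature + 4 length + 4 type + 13 data + 4 CRC */

enum ihdr_status { IHDR_OK, IHDR_TRUNCATED, IHDR_NOT_PNG, IHDR_BAD_FORMAT,
                   IHDR_ZERO_DIM, IHDR_TOO_LARGE };

static const unsigned char PNG_SIG[8] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Channels per PNG colour type; 0 marks an invalid type. */
static unsigned channels_for(unsigned ctype)
{
    switch (ctype) {
    case 0: case 3: return 1;
    case 4: return 2;
    case 2: return 3;
    case 6: return 4;
    default: return 0;
    }
}

/* The unsafe pattern: 32-bit arithmetic on untrusted fields wraps silently. */
uint32_t naive_alloc_size(uint32_t w, uint32_t h, unsigned depth, unsigned ch)
{
    uint32_t rowbytes = (w * depth * ch + 7u) / 8u;
    return h * rowbytes;
}

/* Validate the header and return the decoded image size through alloc_out. */
enum ihdr_status check_ihdr(const unsigned char *buf, size_t len, uint64_t *alloc_out)
{
    if (len < IHDR_END)
        return IHDR_TRUNCATED;
    if (memcmp(buf, PNG_SIG, 8) != 0 || be32(buf + 8) != 13 ||
        memcmp(buf + 12, "IHDR", 4) != 0)
        return IHDR_NOT_PNG;

    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    unsigned depth = buf[24], ch = channels_for(buf[25]);
    if (ch == 0 || (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16))
        return IHDR_BAD_FORMAT;
    if (w == 0 || h == 0)
        return IHDR_ZERO_DIM;
    /* Bound both dimensions before they enter any multiplication. */
    if (w > DIM_LIMIT || h > DIM_LIMIT)
        return IHDR_TOO_LARGE;

    /* With w, h <= 10^6, depth <= 16 and ch <= 4 this fits easily in 64 bits. */
    uint64_t rowbytes = ((uint64_t)w * depth * ch + 7u) / 8u;
    uint64_t total = rowbytes * h;
    if (total > SIZE_MAX)   /* matters where size_t is 32 bits wide */
        return IHDR_TOO_LARGE;
    *alloc_out = total;
    return IHDR_OK;
}

/* Build a constructed signature + IHDR chunk for the demo (CRC left as zero). */
void make_ihdr(unsigned char out[IHDR_END], uint32_t w, uint32_t h,
               unsigned depth, unsigned ctype)
{
    memset(out, 0, IHDR_END);
    memcpy(out, PNG_SIG, 8);
    put_be32(out + 8, 13);
    memcpy(out + 12, "IHDR", 4);
    put_be32(out + 16, w);
    put_be32(out + 20, h);
    out[24] = (unsigned char)depth;
    out[25] = (unsigned char)ctype;
}

int main(void)
{
    unsigned char hdr[IHDR_END];
    uint64_t need = 0;

    make_ihdr(hdr, 640, 480, 8, 6);            /* ordinary RGBA image */
    printf("640x480: status %d, %llu bytes\n",
           (int)check_ihdr(hdr, sizeof hdr, &need), (unsigned long long)need);

    make_ihdr(hdr, 4, 0x10000001u, 8, 6);      /* constructed oversized height */
    printf("4x268435457: naive size %u bytes, status %d\n",
           (unsigned)naive_alloc_size(4, 0x10000001u, 8, 4),
           (int)check_ihdr(hdr, sizeof hdr, &need));
    return 0;
}
```

For the second header the 32-bit product wraps to 16 bytes, while the bounded check rejects the image before any buffer is sized.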
------- Additional Comments From rob.myers.edu 2005-01-11 02:32:47 ----
re comment #37:
typo found:
--- 1943-libpng-draft.txt.orig 2005-01-11 07:26:21.000000000 -0500
+++ 1943-libpng-draft.txt 2005-01-11 07:26:44.000000000 -0500
@@ -106,7 +106,7 @@
http://download.fedoralegacy.org/redhat/9/updates/i386/libpng-devel-1.2.2-20.2.legacy.i386.rpm
-Fedora Cope 1
+Fedora Core 1
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm
------- Additional Comments From deisenst 2005-01-11 12:39:51 ----
Here is an updated libpng source package to QA for RH9:
- includes one extra patch from:
http://dl.sourceforge.net/sourceforge/libpng/libpng-patch11-limit-dimensions.txt
Instead of putting in the libpng-1.2.2-all-patches.txt from upstream, I
elected to make a smaller change, and put in the "limit-dimensions" patch, as
Rob did in comment 21. (It creates exactly the same patched source as the
"all-patches" patch.)
PLEASE NOTE: I don't run RH9, so am not able to test
libpng-1.2.2-20.3.legacy binaries. Please test!
changelog:
* Tue Jan 11 2005 David Eisenstein <deisenst> 2:1.2.2-20.3.legacy
- apply patch to limit dimensions (Fedora Legacy Bugzilla # 1943), from
upstream patch.
* Wed Aug 4 2004 Marc Deslauriers <marcdeslauriers> 1.2.2-20.2.legacy
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.
* Tue Jun 18 2004 Marc Deslauriers <marcdeslauriers> 1.2.2-20.1.legacy
- Added better version of the patch for CAN-2002-1363
SHA1SUM NAME
======================================== ===========================
3b557f1624aefcf4ca11978b5a4e6278229b78d1 libpng-1.2.2-20.3.legacy.src.rpm
file:
http://members.gtw.net/~deisenst/legacy/RH9/SRPMS/libpng-1.2.2-20.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFB5FK7xou1V/j9XZwRAob/AJ9sdNXuQ4hba0Ut5XTw1CB+fkLMaQCgpHM0
RsoaYaJvPMx8EyzF2sWgJ8w=
=AGb4
-----END PGP SIGNATURE-----
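Checking a downloaded package against a "SHA1SUM NAME" table like the one in the comment above, as an added example that is not part of the original thread. The function name `check_sha1_lines`, the demo file name and the demo digest (the standard SHA-1 test vector for "abc") are constructed for illustration; GNU coreutils `sha1sum` is assumed.

```shell
#!/bin/sh
# Added example: verify files against "<sha1> <name>" lines pasted from a QA comment.
# Usage: check_sha1_lines COMMENT_FILE PKG_DIR
# Returns 0 if every listed file matches, 1 on any mismatch or missing file,
# 2 if the comment holds no checksum lines at all.
check_sha1_lines() {
    comment=$1; dir=$2; found=0; bad=0
    # Accept only: 40 hex digits, whitespace, a bare file name. Names with "/"
    # are dropped so text from the comment cannot point outside PKG_DIR.
    sums=$(grep -E '^[0-9A-Fa-f]{40}[[:space:]]+[^[:space:]/]+$' "$comment" || true)
    while read -r want name; do
        [ -n "$want" ] || continue
        found=$((found + 1))
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name"; bad=$((bad + 1)); continue
        fi
        got=$(sha1sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"; bad=$((bad + 1))
        fi
    done <<EOF
$sums
EOF
    [ "$found" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed demo: the file name is a placeholder and the digest is the
# standard SHA-1 test vector for the three bytes "abc".
demo() {
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/example-1.0-1.src.rpm"
    cat > "$tmp/comment.txt" <<'EOF'
SHA1SUM NAME
======================================== ===========================
a9993e364706816aba3e25717850c26c9cd0d89d example-1.0-1.src.rpm
EOF
    check_sha1_lines "$tmp/comment.txt" "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo
```

Run it on the comment text only after the comment's PGP signature has been checked, since the digest is only as trustworthy as the message that carries it.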
------- Additional Comments From pekkas 2005-01-11 21:16:04 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
QA of David's RHL9 rpm:
- sources OK
- patch verified to be OK
- spec file changes minimal
- rebuilds fine on RHL9, installs fine
- pngtest on pngtest.png passes the test
+PUBLISH
(+VERIFY)
Just a question: is this stuff needed for libpng10 or libpng-1.0.x?
I guess not?
3b557f1624aefcf4ca11978b5a4e6278229b78d1 libpng-1.2.2-20.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFB5M6hGHbTkzxSL7QRAmkZAJ9wXIorfv2C9Jrl58zVByN3SojXawCghzDk
D20dCg45mjlFZRLwaDwqhNs=
=sB1M
-----END PGP SIGNATURE-----
------- Additional Comments From deisenst 2005-01-12 14:43:18 ----
Pekka - thanks for QA'ing! You asked:
> Just a question: is this stuff needed for libpng10 or libpng-1.0.x?
> I guess not?
I think we're covered, Pekka. AFAICS, this stuff (the limit-dimensions
patch) is included in the other four .src.rpm's:
* libpng-1.0.15-0.7x.1.legacy.src.rpm has "libpng-1.2.5-all-patches.patch"
from upstream, which includes limit-dimensions (cra, comment 16; also
see attachment 964);
* libpng10-1.0.15-0.9.1.legacy.src.rpm has the same patch as the 0.7x.1
.src.rpm package above (cra, comment 16);
* The two FC1 .src.rpm's (from comment 21) have Rob's
"libpng-patch11-limit-dimensions.patch" in addition to the slightly
older security patch from upstream (from Red Hat's August 4th FC1
updates - see http://tinyurl.com/522ze). This combination of patches
works fine (see comment 23, comment 24).
------- Additional Comments From deisenst 2005-01-20 12:38:44 ----
Created an attachment (id=970)
Suggested changes to the advisory.
Some suggested changes to Dominic's advisory in
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt
dated 11-Jan-2005 12:39.
------- Additional Comments From deisenst 2005-02-01 23:41:34 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I would say that we need no further QA to have this published to
updates-testing. The limit-dimensions patch from comment 44 (for
RHL 9's libpng) was a very small patch, Pekka has QA'ed this, and
we have plenty of PUBLISH votes for other versions of this.
I have reviewed and verified that all other packages have the
limit-dimensions patch for their libpng and libpng10 packages.
So the issue that Pekka raises in comment 45 is a non-issue (see
comment 46).
Dominic, please see the suggested wording changes in Attachment 970 for
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt
Have removed QA from this issue. Let's publish -> updates-testing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
iD8DBQFCAJ+vxou1V/j9XZwRAspkAJ9NTAeUfW45imcgfadmPu717XzvmwCfaYEm
sJSrQMWOsCwrLl62pgKibBs=
=JMXm
-----END PGP SIGNATURE-----
------- Additional Comments From deisenst 2005-02-01 23:51:56 ----
Oh. Another suggestion for 1943-libpng-draft.txt -- add Bug 1550 to the
Cross References, ala:
Cross references:
https://bugzilla.fedora.us/show_bug.cgi?id=1550
https://bugzilla.fedora.us/show_bug.cgi?id=1943
Bug 1550 should be closed when this one is.
------- Additional Comments From deisenst 2005-02-02 16:28:08 ----
ALERT!
It looks like someone moved
* libpng-1.2.2-20.2.legacy.src.rpm,
* libpng-devel-1.2.2-20.2.legacy.i386.rpm, and
* libpng-devel-1.2.2-20.i386.rpm
from updates-testing to updates for RH9.
Instead,
* libpng-1.2.2-20.3.legacy.src.rpm
needs to be rebuilt for RH9, then either put into updates-testing
(for further QA and VERIFY votes) or, if we feel it is sufficiently
verified, placed directly into updates. I don't believe libpng-1.2.2-20.3
for RH9 was ever put into updates-testing.
Does libpng-1.2.2-20.3 for RH9 need more VERIFY votes in addition to
Pekka's in comment 45? I would vote no, but does anyone else have an
opinion?
------- Additional Comments From dom 2005-02-03 03:10:31 ----
Sorry about this, looks like I screwed up. However I'm rather unwell now so not
really able to think clearly about it.
------- Additional Comments From dom 2005-02-03 11:00:19 ----
libpng-1.2.2-20.3 for rh9 now available from the updates-testing repository.
------- Additional Comments From madhatter 2005-02-05 07:44:01 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
02/04/05 12:43:47 Updated: libpng-devel 2:1.2.2-20.3.legacy.i386
02/04/05 12:43:47 Updated: libpng 2:1.2.2-20.3.legacy.i386
installs OK, pngtest runs fine.
+VERIFY RH9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCBQWuePtvKV31zw4RAhECAJ9BREeWmeUcz1jH6xGOWYH098/8TQCfWyVy
qYr7ROw8Qa4a44/F+trvEUo=
=ZRmR
-----END PGP SIGNATURE-----
------- Additional Comments From pekkas 2005-02-26 01:11:58 ----
Should this (or RHL9 in particular) be in the "Packages that have been verified and
should be fully released" category?
------- Additional Comments From deisenst 2005-02-26 18:44:40 ----
Actually, this bug has been fully verified and has been published to updates.
It should be removed from Dominic's issues.txt.
[FLSA-2005:1943] Updated libpng resolves security vulnerabilities:
http://www.redhat.com/archives/fedora-legacy-list/2005-February/msg00093.html
------- Bug moved to this database by dkl 2005-03-30 18:26 -------
This bug previously known as bug 1943 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1943
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 1550.
Attachments:
piece which was dropped on the way to the current version
https://bugzilla.fedora.us/attachment.cgi?action=view&id=798
differences between officially patched version and 7.3 SRPM 0.7x.7.legacy
https://bugzilla.fedora.us/attachment.cgi?action=view&id=808
Pekka's QA from comment 32, that verifies with PGP
https://bugzilla.fedora.us/attachment.cgi?action=view&id=951
Entire advisory (revision 007 29-Oct-04) for libpng-1.2.5 and earlier versions
https://bugzilla.fedora.us/attachment.cgi?action=view&id=964
Suggested changes to the advisory.
https://bugzilla.fedora.us/attachment.cgi?action=view&id=970