Bug 211705

Summary: CVE-2006-3334, CVE-2006-5793 libpng 1.2.13 is out there
Product: [Fedora] Fedora
Reporter: Henning Norén <henning.noren>
Component: libpng
Assignee: Tom Lane <tgl>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 5
CC: hhorak, opensource
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-02-12 16:25:00 UTC

Description Henning Norén 2006-10-20 22:19:01 UTC
Description of problem:
libpng 1.2.12 has been out there since 2006-06-27 and contains, together with
2.6.11, several fixes for various problems, among them at least one that is
possibly security related.
(from the release notes)
2.6.12:
Fix potential buffer overrun in chunk error processing.
2.6.11:
Fix 1 potential overflow and 1 out-of-bounds read. Fix some bugs in makefiles.
APPLY PATCH to fix another potential overflow (see KNOWNBUGS1)

Version-Release number of selected component (if applicable):
libpng-1.2.8-2.2.1

Additional info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
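The release-note lines quoted above name the bug class (a buffer overrun and an out-of-bounds read while processing chunks) but not the code. The following is an added example written for this page, not libpng's code and not a reproduction of the specific defects behind CVE-2006-3334 or CVE-2006-5793: a minimal PNG chunk walker showing the length-versus-remaining-bytes check that chunk processing must make before touching chunk data. The sample PNG bytes are constructed inline; chunk CRCs are not verified.

```c
/* Added example, not libpng code: walk the chunk list of a PNG image in
 * memory, refusing any chunk whose declared length does not fit in the
 * buffer. Without the bounds checks marked below, a crafted length field
 * turns the data read into an out-of-bounds read or an overrun of a
 * fixed-size destination. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_SIG_LEN 8
#define PNG_MAX_CHUNK 0x7fffffffUL   /* PNG spec: length field <= 2^31 - 1 */

static const uint8_t png_sig[PNG_SIG_LEN] =
    {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static int is_chunk_type_byte(uint8_t c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Returns the number of well-formed chunks up to and including IEND,
 * or -1 if the stream is malformed. Every access to chunk data is
 * preceded by a check against the bytes actually remaining. */
int count_png_chunks(const uint8_t *buf, size_t len)
{
    if (len < PNG_SIG_LEN || memcmp(buf, png_sig, PNG_SIG_LEN) != 0)
        return -1;

    size_t off = PNG_SIG_LEN;
    int n = 0;
    while (off < len) {
        if (len - off < 12)                 /* length(4) + type(4) + crc(4) */
            return -1;
        uint32_t clen = be32(buf + off);
        if (clen > PNG_MAX_CHUNK)           /* spec limit on the length field */
            return -1;
        if (clen > len - off - 12)          /* the overrun check: data + CRC must fit */
            return -1;

        const uint8_t *type = buf + off + 4;
        for (int i = 0; i < 4; i++)
            if (!is_chunk_type_byte(type[i]))
                return -1;

        /* Chunk data lives at buf + off + 8, clen bytes, and is now safe to read. */
        off += 12 + (size_t)clen;
        n++;
        if (memcmp(type, "IEND", 4) == 0)
            break;
    }
    return n;
}

/* Constructed sample: signature, a 13-byte IHDR chunk, and IEND (45 bytes).
 * CRC fields are placeholders since this walker does not verify them. */
static uint8_t sample_png[45] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x02, 0x00, 0x00, 0x00,
    0x90, 0x77, 0x53, 0xde,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D',
    0xae, 0x42, 0x60, 0x82
};

int example_good(void)
{
    return count_png_chunks(sample_png, sizeof sample_png);   /* 2 */
}

/* Same bytes, but the IHDR length field claims 256 bytes of data. */
int example_oversized_length(void)
{
    uint8_t bad[45];
    memcpy(bad, sample_png, sizeof bad);
    bad[8] = 0x00; bad[9] = 0x00; bad[10] = 0x01; bad[11] = 0x00;
    return count_png_chunks(bad, sizeof bad);                 /* -1 */
}

/* Same bytes, truncated so that IEND's header does not fit. */
int example_truncated(void)
{
    return count_png_chunks(sample_png, 40);                  /* -1 */
}

int main(void)
{
    printf("good=%d oversized=%d truncated=%d\n",
           example_good(), example_oversized_length(), example_truncated());
    return 0;
}
```

The check `clen > len - off - 12` is the one that matters: it is evaluated against the bytes remaining in the buffer, not against the length the file claims, and it is done before the chunk data is read or copied anywhere.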

Comment 1 Till Maas 2006-11-22 13:55:06 UTC
2.6.13 is out by now and fixes again a security flaw:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
(See: #216706)

This affects also fc6

Comment 2 Till Maas 2006-11-22 13:56:35 UTC
(In reply to comment #1)
> 2.6.13 is out by now and fixes again a security flaw:
I mean 1.2.13
Comment 3 Josh Bressers 2006-11-29 20:12:24 UTC
There are no known security issues in the libpng shipped in Fedora.  The two CVE
ids in the summary are not considered security issues but simply bugs.  We track
all known CVE ids related to fedora core here:

http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora

If there are any CVE ids not mentioned in those files, please open bugs as
appropriate.

Comment 4 Tom Lane 2007-02-12 16:25:00 UTC
libpng is updated to 1.2.16 for Fedora 7.  As Josh notes, we don't currently see
a necessity to back-patch this.