Bug 152757 - CVE-2002-1363, CAN-2004-0597to0599, 0768 libpng buffer overflows
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://rhn.redhat.com/errata/RHSA-20...
Keywords: 1, LEGACY, rh73, rh90
Reported: 2004-08-04 13:13 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix

Description (David Lawrence, 2005-03-30 18:26:24 EST):
During a source code audit, Chris Evans discovered several buffer overflows
in libpng. An attacker could create a carefully crafted PNG file in such a
way that it would cause an application linked with libpng to execute
arbitrary code when the file was opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference in
libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599).
An attacker could create a carefully crafted PNG file in such a way that
it would cause an application linked with libpng to crash when the file was
opened by the victim.

Info:

https://rhn.redhat.com/errata/RHSA-2004-402.html
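As an added example (not libpng code, and not part of this bug report), the following C parser shows the kind of check the dimension-limiting patch adds for the integer-overflow class described above: it reads the PNG signature and IHDR chunk, caps width and height at 1,000,000 (the limit named later in this report), and computes row and image sizes in a way that cannot wrap. Function and constant names (parse_ihdr, png_rowbytes, png_imagebytes, PNG_MAX_DIM, the IHDR_ERR_* codes) are invented here, and the two headers at the bottom are constructed inputs, not files from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libpng code: parse the PNG signature and IHDR chunk and
 * reject the dimension values behind the integer-overflow class described
 * above. The 1,000,000 row/column cap mirrors the upstream limit-dimensions
 * patch mentioned later in this report; names and error codes are invented
 * for this example, and chunk CRCs are not verified. */
#define PNG_MAX_DIM 1000000UL
/* Return codes: short buffer, bad signature, first chunk not a 13-byte IHDR,
 * dimension zero or above PNG_MAX_DIM, invalid depth/colour/method fields. */
enum { IHDR_OK = 0, IHDR_ERR_SHORT = -1, IHDR_ERR_SIG = -2,
       IHDR_ERR_CHUNK = -3, IHDR_ERR_DIM = -4, IHDR_ERR_FORMAT = -5 };

typedef struct {
    uint32_t width, height;
    uint8_t bit_depth, color_type, compression, filter, interlace;
} ihdr_t;
static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Samples per pixel for a PNG colour type, or 0 if the type is invalid. */
static unsigned channels_for(uint8_t ct)
{
    switch (ct) {
    case 0: case 3: return 1;   /* greyscale, palette index */
    case 4: return 2;           /* greyscale + alpha */
    case 2: return 3;           /* RGB */
    case 6: return 4;           /* RGBA */
    default: return 0;
    }
}

/* Bit depths the PNG specification allows for each colour type. */
static int depth_ok(uint8_t ct, uint8_t d)
{
    switch (ct) {
    case 0: return d == 1 || d == 2 || d == 4 || d == 8 || d == 16;
    case 3: return d == 1 || d == 2 || d == 4 || d == 8;
    case 2: case 4: case 6: return d == 8 || d == 16;
    default: return 0;
    }
}

/* Parse signature + IHDR at the start of buf; returns IHDR_OK or an error. */
int parse_ihdr(const uint8_t *buf, size_t len, ihdr_t *out)
{
    if (len < 8 + 4 + 4 + 13 + 4) return IHDR_ERR_SHORT;
    if (memcmp(buf, png_sig, 8) != 0) return IHDR_ERR_SIG;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return IHDR_ERR_CHUNK;

    const uint8_t *d = buf + 16;
    out->width = be32(d);
    out->height = be32(d + 4);
    out->bit_depth = d[8];
    out->color_type = d[9];
    out->compression = d[10];
    out->filter = d[11];
    out->interlace = d[12];

    /* PNG itself allows up to 2^31-1 per dimension; the tighter cap keeps
     * width * channels * depth and rowbytes * height far from wrapping. */
    if (out->width == 0 || out->height == 0 ||
        out->width > PNG_MAX_DIM || out->height > PNG_MAX_DIM)
        return IHDR_ERR_DIM;
    if (channels_for(out->color_type) == 0 ||
        !depth_ok(out->color_type, out->bit_depth) ||
        out->compression != 0 || out->filter != 0 || out->interlace > 1)
        return IHDR_ERR_FORMAT;
    return IHDR_OK;
}

/* Bytes in one unfiltered row, computed in 64 bits so it cannot wrap. */
size_t png_rowbytes(const ihdr_t *h)
{
    uint64_t bits = (uint64_t)h->width * channels_for(h->color_type) * h->bit_depth;
    return (size_t)((bits + 7) / 8);   /* at most 8,000,000 under PNG_MAX_DIM */
}

/* Bytes for the whole decoded image, or 0 if rowbytes * height overflows. */
size_t png_imagebytes(const ihdr_t *h)
{
    size_t rb = png_rowbytes(h);
    if (rb == 0 || h->height > SIZE_MAX / rb) return 0;
    return rb * h->height;
}

/* Constructed inputs: a 1x1 8-bit RGBA header, and the same with height 2^31-1. */
const uint8_t sample_ok[33] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,  0x00, 0x00, 0x00, 0x0d,
    'I', 'H', 'D', 'R',  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x01,
    0x08, 0x06, 0x00, 0x00, 0x00,  0x1f, 0x15, 0xc4, 0x89 };
const uint8_t sample_huge[33] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,  0x00, 0x00, 0x00, 0x0d,
    'I', 'H', 'D', 'R',  0x00, 0x00, 0x00, 0x01,  0x7f, 0xff, 0xff, 0xff,
    0x08, 0x06, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00 };
```

The second header is well-formed PNG as far as the specification goes (height below 2^31), so a reader that only checks the spec limits would go on to allocate row buffers for it; the cap rejects it at the IHDR stage, before any size arithmetic or allocation happens.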



------- Additional Comments From marcdeslauriers@videotron.ca 2004-08-04 17:04:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for 7.3 and 9 that fix this issue:

Changelog:
* Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
1.0.14-0.7x.7.legacy
- - Replace the patches for individual security problems with the
  cumulative patch issued by the png developers.
  Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.

7.3:
3bd0955ccf2df348f5cf00e624b2541d700581e1  libpng-1.0.14-0.7x.7.legacy.i386.rpm
5525eda4abd357f11b1b13f61102d8f7bad0b2a3  libpng-1.0.14-0.7x.7.legacy.src.rpm
176460abd71efdb04fc32ee6f7f7eb403bdb2916  libpng-devel-1.0.14-0.7x.7.legacy.i386.rpm

9:
35f4bb98acb97d3d50ff0539a8bc14a3cb95a5d4  libpng10-1.0.13-11.3.legacy.i386.rpm
f175613c50acbfc00742a2ff2ba87c71fc56cfbc  libpng10-1.0.13-11.3.legacy.src.rpm
e20d5ceb0029095ecbdf0181f4c591ef748b2ae9  libpng10-devel-1.0.13-11.3.legacy.i386.rpm
d664e002e1ec6edf5327e2c1630d9cece2b472bd  libpng-1.2.2-20.2.legacy.i386.rpm
f95ebd506e55f6cdba7c5da60c1cc0063860a813  libpng-1.2.2-20.2.legacy.src.rpm
4d2bc34a9d337618bfab1f8e6ada9a314ebf8894  libpng-devel-1.2.2-20.2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-devel-1.0.14-0.7x.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-devel-1.2.2-20.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-devel-1.0.13-11.3.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBEaPBLMAs/0C4zNoRAspnAJ4ykoO+MMua20GaCsBhfPzPh8PODACfXMkI
QbCblDM0+k4GM5oHsGl5xvg=
=gqqY
-----END PGP SIGNATURE-----




------- Additional Comments From michal@harddata.com 2004-08-06 10:53:50 ----

Created an attachment (id=798)
piece which was dropped on the way to the current version

Looking at the sources, what is available here is equivalent to what was in previous
versions plus new fixes, with the exception of one patch fragment.  It came in
libpng-1.0.9-badchunks.patch in older releases.  It is attached here.  I am not
that sure that it is really no longer needed.

In case one would want to apply it to the current version this should be
done with 'patch -R ....'.



------- Additional Comments From dom@earth.li 2004-08-11 13:06:07 ----

Having examined the rh7.3 patch I find the following:

There seem to be some discrepancies between the patch you have included as
libpng-1.0.14-security.patch and libpng-1.2.5-all-patches.txt which according to
http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt is the correct
patchset for 1.0.14. When both patches are applied the following differences
reveal themselves (attached).

Haven't looked at the 9 version - is that what you were comparing against,
Michal? Either way is there any reason why the recommended patch from the
developers is not included verbatim with no other security patches?

Cheers,



------- Additional Comments From dom@earth.li 2004-08-11 13:07:24 ----

Created an attachment (id=808)
differences between officially patched version and 7.3 SRPM 0.7x.7.legacy




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-08-12 10:43:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

libpng packages now available for QA for RH7.3:

sha1sum -b libpng*
b7053c46bd55f9100820b2423e524d05c9c022f1 *libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb *libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c *libpng-devel-1.0.14-7.legacy.1.i386.rpm

Download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/libpng

- -DWB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBG9X0SY7s7uPf/IURAvFJAKC7pHeORngSbK1EqYqcaXFnP0D93wCeIPFY
iZkxr/KtlOSCxKMLWDoyrXw=
=HXKl
-----END PGP SIGNATURE-----



------- Additional Comments From simon@nzservers.com 2004-09-09 08:32:00 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm 
 
Inspected SPEC file - OK 
Checked patches against original from libpng for 1.0.14 (combined patch file 
minus patches for later versions up to 1.2.5) - OK 
BUILD - OK 
INSTALL - OK 
Appears to function normally with PHP (use verified via ldd) - OK 
 
+PUBLISH 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBQKEZMLOCzgCQslsRAgSsAKCYow0EaKmsMmMhEWbl5nRbyqyOggCcDqpS 
0sxbOp8IiHU+ZiaUkrmYyBw= 
=LO/n 
-----END PGP SIGNATURE----- 



------- Additional Comments From simon@nzservers.com 2004-09-09 08:39:33 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
I forgot to mention the above was tested on Redhat 7.3 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBQKNBMLOCzgCQslsRAoAbAJ9Xac4pJ7/ZDV9Pz5s5w+kiOTzouQCfZMct 
ccSSQrQAbA5U8tcIXiXDe+g= 
=0Xg4 
-----END PGP SIGNATURE----- 



------- Additional Comments From cra@wpi.edu 2004-10-21 16:16:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RH 7.3 packages from Dave Botsch:

b7053c46bd55f9100820b2423e524d05c9c022f1  libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb  libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c  libpng-devel-1.0.14-7.legacy.1.i386.rpm

I still see differences from the upstream patch, identical to the
differences mentioned in comment #4.  This is the upstream patch that
should be applied to the 1.0.14 sources:

http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.5-all-patches.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBeG08w2eg+Um7WIYRAoa8AJ0b5TJORCWIF/tI/jR9eKZ6eRcIYACeKQ5a
DBp9BJuMyuiNd87ezD8J/YI=
=no+B
-----END PGP SIGNATURE-----




------- Additional Comments From cra@wpi.edu 2004-10-21 17:55:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Additional QA for RH 7.3 packages from Dave Botsch:

b7053c46bd55f9100820b2423e524d05c9c022f1  libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb  libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c  libpng-devel-1.0.14-7.legacy.1.i386.rpm

I'm not sure the pkgconfig files should be there.  They aren't in the
original packages for 7.3.  libpng.pc is also not correct, as it refers
to libpng10:

/usr/bin/pkgconfig

/usr/lib/pkgconfig/libpng.pc:

prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${exec_prefix}/include

Name: libpng10
Description: Loads and saves PNG files
Version: 1.0.14
Libs: -L${libdir} -lpng10 -lz -lm
Cflags: -I${includedir}/libpng10

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBeIR2w2eg+Um7WIYRAqooAJ9MHZqgKH6rkybJAzdLqc53LNabmgCfVbPY
A+sgiqO91W7n8dwmTBRIKqs=
=x5ef
-----END PGP SIGNATURE-----




------- Additional Comments From cra@wpi.edu 2004-10-21 18:31:20 ----

There are some interesting E:N-V-R versioning differences that we need to get right:

Latest RH 7.3 errata:

2:libpng-1.0.14-0.7x.4.i386
2:libpng-devel-1.0.14-0.7x.4.i386

Latest RH 9 errata:

(none):libpng10-1.0.13-11.i386
(none):libpng10-devel-1.0.13-11.i386 (provides libpng-devel = (none):1.0.13)
2:libpng-1.2.2-20.i386
2:libpng-devel-1.2.2-20.i386

Latest FC 1 errata:
(none):libpng10-1.0.15-7.i386
(none):libpng10-devel-1.0.15-7.i386 (doesn't have virtual provides libpng-devel)
2:libpng-1.2.5-7.i386
2:libpng-devel-1.2.5-7.i386

The libpng packages need to maintain the Epoch: 2 for upgrades to work. 
libpng10 should remain with no Epoch for upgrades of those packages to work.

What is up with the Provides: libpng-devel in the libpng10-devel packages?  Do
any other packages require a versioned libpng-devel anywhere?  It seems like
this was a packaging bug in RH 9, and the issue was avoided altogether in FC 1,
where no Provides: libpng-devel is there at all.  Perhaps the problem never
arose in real life, because no one used versioned-requires on libpng-devel.
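To show why the Epoch matters for the upgrade path described in the comment above, here is an added example (not rpm's own code; rpm implements this ordering in its rpmvercmp() routine) that reproduces rpm's segment-wise version comparison and Epoch:Version-Release ordering in C. Function names such as rpm_vercmp, evr_parse, evr_cmp and would_upgrade are the example's own; the version strings in main() are taken from the E:N-V-R lists above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not rpm's code: a re-implementation of rpm's version-segment
 * ordering plus Epoch:Version-Release comparison, to show why dropping the
 * Epoch breaks the 7.3 upgrade path discussed above. Function names are the
 * example's own; rpm's reference routine is rpmvercmp(). */

/* Compare two version strings segment by segment: runs of digits compare
 * numerically, runs of letters lexically, separators are ignored, and a
 * numeric segment sorts after an alphabetic one. Returns -1, 0 or 1. */
int rpm_vercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0) return 0;
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a)) a++;
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b) break;
        const char *ea = a, *eb = b;
        int isnum = isdigit((unsigned char)*a);
        if (isnum) {
            while (isdigit((unsigned char)*ea)) ea++;
            while (isdigit((unsigned char)*eb)) eb++;
        } else {
            while (isalpha((unsigned char)*ea)) ea++;
            while (isalpha((unsigned char)*eb)) eb++;
        }
        if (eb == b) return isnum ? 1 : -1;   /* segment types differ */
        if (isnum) {
            while (a < ea && *a == '0') a++;  /* drop leading zeros */
            while (b < eb && *b == '0') b++;
            if (ea - a != eb - b) return (ea - a > eb - b) ? 1 : -1;
        }
        size_t la = (size_t)(ea - a), lb = (size_t)(eb - b);
        int rc = strncmp(a, b, la < lb ? la : lb);
        if (rc == 0 && la != lb) rc = (la < lb) ? -1 : 1;
        if (rc != 0) return rc < 0 ? -1 : 1;
        a = ea;
        b = eb;
    }
    if (!*a && !*b) return 0;
    return *a ? 1 : -1;   /* whichever still has segments left is newer */
}

typedef struct {
    unsigned long epoch;   /* 0 when the string carries no "E:" prefix */
    char version[64];
    char release[64];
} evr_t;

/* Split "E:V-R" (epoch optional) into its parts; returns 0 on success. */
int evr_parse(const char *s, evr_t *out)
{
    const char *colon = strchr(s, ':');
    out->epoch = 0;
    if (colon) {
        out->epoch = strtoul(s, NULL, 10);
        s = colon + 1;
    }
    const char *dash = strrchr(s, '-');
    if (!dash || dash == s || dash[1] == '\0') return -1;
    snprintf(out->version, sizeof out->version, "%.*s", (int)(dash - s), s);
    snprintf(out->release, sizeof out->release, "%s", dash + 1);
    return 0;
}

/* Order two E:V-R strings the way rpm decides which package is newer. */
int evr_cmp(const char *a, const char *b)
{
    evr_t x, y;
    if (evr_parse(a, &x) != 0 || evr_parse(b, &y) != 0) return -2;
    if (x.epoch != y.epoch) return x.epoch > y.epoch ? 1 : -1;
    int rc = rpm_vercmp(x.version, y.version);
    return rc ? rc : rpm_vercmp(x.release, y.release);
}

/* Nonzero if `candidate` would replace `installed` on rpm -U. */
int would_upgrade(const char *installed, const char *candidate)
{
    return evr_cmp(candidate, installed) > 0;
}

int main(void)
{
    /* Inputs taken from the E:N-V-R lists in the comment above. */
    printf("no epoch:   %d\n", would_upgrade("2:1.0.14-0.7x.4", "1.0.15-0.7x.1.legacy"));
    printf("epoch kept: %d\n", would_upgrade("2:1.0.14-0.7x.4", "2:1.0.15-0.7x.1.legacy"));
    printf("libpng10:   %d\n", would_upgrade("1.0.13-11", "1.0.15-0.9.1.legacy"));
    return 0;
}
```

Without the Epoch, 1.0.15-0.7x.1.legacy compares lower than the installed 2:1.0.14-0.7x.4 no matter how much higher its version is, so rpm -U would refuse it; libpng10, which never carried an Epoch, upgrades on version alone.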




------- Additional Comments From cra@wpi.edu 2004-10-25 06:17:01 ----

Answering my question about libpng10-devel providing libpng-devel,
it appears we should remove the virtual provide:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110161




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-25 11:40:14 ----

Just thinking out loud here: what would happen if a package, included with rh9
or a third-party package for rh9, has a BuildRequires libpng = 1.0.13 in it?
Are we absolutely sure we won't be breaking anything?



------- Additional Comments From cra@wpi.edu 2004-10-25 12:13:13 ----

If there was, it would already break.  The backwards compat package has a
different version already.  7.3 has 2:libpng-1.0.14, and 9 has
(none):libpng10-1.0.13.  I don't think we should worry about exact versioned
BuildRequires.




------- Additional Comments From jpdalbec@ysu.edu 2004-10-29 03:02:28 ----

04.42.26 CVE: CAN-2004-0955
Platform: Cross Platform
Title: LibPNG Image Height Integer Overflow
Description: LibPNG is the Portable Network Graphics (PNG) reference
library. LibPNG is vulnerable to an integer overflow in the image
height parameter. Debian has released a patch to fix this issue. The
issue is fixed in version 1.0.12-3.woody.
Ref: http://www.debian.org/security/2004/dsa-570 



------- Additional Comments From deisenst@gtw.net 2004-11-19 05:43:58 ----

According to http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt,
libpng-1.2.5 is also affected by many of these issues.  I am adding FC1 to the
keyword list and we'll need to look into it further.



------- Additional Comments From cra@wpi.edu 2004-11-19 06:00:06 ----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I built new 1.0.15 packages with the upstream patch included, and merged
the spec files so all the various versions are the same except where
needed.  This should make future maintenance easier, especially once/if
FC1 needs an update.  I did end up including fixed pkgconfig files since
they needed to be fixed for the other releases anyway.


Upstream patch:

http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.5-all-patches.txt


RH 9:

d1bb0af6be1ae41e161257ed285ea6a354155b42  libpng10-1.0.15-0.9.1.legacy.src.rpm
6d6897433536ede53467e04afd9ab817ce68813e  libpng10-1.0.15-0.9.1.legacy.i386.rpm
77c7d796b821d10b9b937e3e079e54958d21d514  libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
ccc986bf6792fc3172479a2e353b732784672321  libpng10-debuginfo-1.0.15-0.9.1.legacy.i386.rpm

http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-1.0.15-0.9.1.legacy.src.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-debuginfo-1.0.15-0.9.1.legacy.i386.rpm


RH 7.3:

38fa3e75ffc56dc7e6e0ecb3380a34e8f9469fb2  libpng-1.0.15-0.7x.1.legacy.src.rpm
096ae9361ea6411043e6b89dfc3ef83a77b8ef57  libpng-1.0.15-0.7x.1.legacy.i386.rpm
4093970919d5e13fd84ed4cd427f785b7cda834f  libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm

http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-1.0.15-0.7x.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-1.0.15-0.7x.1.legacy.src.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm


* Mon Oct 25 2004 Charles R. Anderson <cra@wpi.edu> 1.0.15-0.9.1.legacy

- - Build for RH 9

* Fri Oct 22 2004 Charles R. Anderson <cra@wpi.edu> 1.0.15-0

- - Sync RH 9 libpng10 and RH 7.x libpng package specs

* Thu Oct 21 2004 Charles R. Anderson <cra@wpi.edu> 1.0.14-0.7x.8.legacy

- - Use upstream security patch 1.2.5 that is recommended for use
  with release 1.0.14.
- - Fix previous two changelog entry's formatting

* Thu Aug 12 2004 Dave Botsch <dwb7@ccmr.cornell.edu>

- - Added legacy keyword to release

* Fri Jul 23 2004 Matthias Clasen <mclasen@redhat.com> 1.0.14-7

- - Replace the patches for individual security problems with the
  cumulative patch issued by the png developers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBfd7/w2eg+Um7WIYRAkvNAJ9V0CuQKX+lxXlNrjVMN3WHtufKlQCeOI26
qbR+Tjs3kh6M5fY/MTL18hs=
=G1Jy
-----END PGP SIGNATURE-----




------- Additional Comments From jpdalbec@ysu.edu 2004-11-24 09:36:09 ----

If I build libpng10 from the source RPM, I get different --requires output from
the previous version.  Should this be cause for concern?
(provides)
-libpng10 = 1.0.13-11.1.legacy
+libpng10 = 1.0.15-0.9.1.legacy
(requires)
 /sbin/ldconfig
 /sbin/ldconfig
 libc.so.6
 libc.so.6(GLIBC_2.0)
 libc.so.6(GLIBC_2.1.3)
-libm.so.6
-libm.so.6(GLIBC_2.0)
-libz.so.1

I don't see differences in the ldd output.



------- Additional Comments From jpdalbec@ysu.edu 2004-11-24 10:00:39 ----

Sorry, there was a bug in my summary script.  It didn't run ldd against shared
libraries.  Now I do see ldd differences:
-/usr/lib/libpng.so.2.1.0.13
+/usr/lib/libpng.so.2.1.0.15
        libc.so.6 => /lib/tls/libc.so.6
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2
-       libm.so.6 => /lib/tls/libm.so.6
-       libz.so.1 => /usr/lib/libz.so.1
Should the gcc command to build the shared library have -lz -lm added to it?



------- Additional Comments From cra@wpi.edu 2004-11-24 11:17:20 ----

The library should not have been linked against those libs.  It is the
responsibility of the program using the library to pull in libz and libm as needed.




------- Additional Comments From jpdalbec@ysu.edu 2004-11-29 07:24:16 ----

f95ebd506e55f6cdba7c5da60c1cc0063860a813  libpng-1.2.2-20.2.legacy.src.rpm

When I build this .src.rpm I get:
libpng-1.2.2-20.2.legacy/usr/lib/libpng12.so.0.1.2.2:
        libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
        libm.so.6 => /lib/tls/libm.so.6 (0x40040000)
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
Per comment 19 the .so should not be linked against libz or libm.



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-29 10:26:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here are updated libpng10 and libpng packages to QA for fc1:
 
- - includes one extra patch from:
http://dl.sourceforge.net/sourceforge/libpng/libpng-patch11-limit-dimensions.txt
- - libpng-1.2.5 links to libm and libz, just as original package does
- - libpng10-1.0.15-7.1.legacy.src.rpm source looks basically the same as
  libpng10-1.0.15-0.9.1.legacy.src.rpm, plus some cleanups and with a version
  high enough to update an fc1 machine.  if the sources are going to be
  merged, perhaps an fc1 based version is most appropriate?
  
changelogs:
 
libpng10-1.0.15-7.1.legacy:
* Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.0.15-7.1.legacy
- - apply patch to limit dimensions (FL #1943)
 
libpng-1.2.5-7.1.legacy:
* Mon Nov 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2:1.2.5-7.1.legacy
- - apply patch to limit dimensions (FL #1943)
 
sha1sums:
e3522daec3945a01a9a637e8d76f957288ce0785  libpng10-1.0.15-7.1.legacy.i386.rpm
8e9781e86aa2a78eadccc3bdd5e8617102586910  libpng10-1.0.15-7.1.legacy.src.rpm
0be1100bf079c0c0a9b597d223fe9646aae32d0d  libpng10-debuginfo-1.0.15-7.1.legacy.i386.rpm
8a9f21d6699f2842aa6f98af6135b0aca7c2b0a8  libpng10-devel-1.0.15-7.1.legacy.i386.rpm
9ae48e26207292c128699f89574219c69bc9157b  libpng-1.2.5-7.1.legacy.i386.rpm
2e7b7891fcb418b03ccaf21296f2d9c6c3719bcb  libpng-1.2.5-7.1.legacy.src.rpm
66bec2e649803284bff092f84138dceff81362ad  libpng-debuginfo-1.2.5-7.1.legacy.i386.rpm
4f3537e04eb0c408c1fe78dd7477bfbb852967ad  libpng-devel-1.2.5-7.1.legacy.i386.rpm
  
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-1.0.15-7.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-debuginfo-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-devel-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-1.2.5-7.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-1.2.5-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-debuginfo-1.2.5-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-devel-1.2.5-7.1.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBq4WltU2XAt1OWnsRAqgqAJ0VS3GlC1GSWBrjn4chEUNA653AKgCgqVu7
jjedoDhw4efCQcl/+K1OUPk=
=+q+l
-----END PGP SIGNATURE-----




------- Additional Comments From jpdalbec@ysu.edu 2004-11-29 10:36:26 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++PUBLISH RH7.3
++PUBLISH RH9

d1bb0af6be1ae41e161257ed285ea6a354155b42  libpng10-1.0.15-0.9.1.legacy.src.rpm
38fa3e75ffc56dc7e6e0ecb3380a34e8f9469fb2  libpng-1.0.15-0.7x.1.legacy.src.rpm
f95ebd506e55f6cdba7c5da60c1cc0063860a813  libpng-1.2.2-20.2.legacy.src.rpm

libpng10-1.0.15-0.9.1.legacy.src.rpm: sha1 md5 gpg OK
libpng-1.0.15-0.7x.1.legacy.src.rpm: sha1 md5 gpg OK
libpng-1.2.2-20.2.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK

Some ldd differences (an improvement, I'm told).
GNOME works normally with the new libraries.
Some new config files added to packages.
libpng10 no longer owns /usr/lib/pkgconfig.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBq25mJL4A+ldA7asRAphtAJ9r+UgfNimE24yWMzhxpBDqm2EeywCgx/LA
b9XCCCTeD8JPlA5Iu9pqFEo=
=uNMG
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2004-12-08 19:40:26 ----

Part 1 of 2:  FC1 libpng10:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA'ing Rob's FC1 libpng10-1.0.15-7.1.legacy.src.rpm in comment 21:

8e9781e86aa2a78eadccc3bdd5e8617102586910  libpng10-1.0.15-7.1.legacy.src.rpm

  * sha1sum OK
  * rpm --checksig libpng10-1.0.15-7.1.legacy.src.rpm
    libpng10-1.0.15-7.1.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK
  * source file identical to libpng10-1.0.15.7.src.rpm from FC1 updates.
  * spec file looks great.  Good idea placing a comment to designate Fedora
    legacy patches versus others in the spec file.
  * patch to limit dimensions good.  In combination with previous patches, 
    produces same patched source as is created by using the upstream's
    "all-patches" patch file.
  * Builds well.
  * Charles Anderson's rpm-build-compare script output looks reasonable for
    both output rpm packages.
  * Installs ok.
  * Runs okay.  Tested with the pngtest.c program included, and with the gimp
    help browser, which is the only app I know that uses libpng10.

      PUBLISH+

 =============================================================================
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBt+Ivxou1V/j9XZwRAtJQAKDOohZz5zDhE0/9wovGh5MDGNcPAgCdEXXQ
4y8DVZZ3vcCDazgxye/fn1I=
=6nb+
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2004-12-09 10:56:18 ----

Part 2 of 2:  FC1 libpng:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA'ing Rob's FC1 libpng-1.2.5-7.1.legacy.src.rpm in comment 21:

2e7b7891fcb418b03ccaf21296f2d9c6c3719bcb  libpng-1.2.5-7.1.legacy.src.rpm

  * sha1sum OK
  * rpm --checksig libpng-1.2.5-7.1.legacy.src.rpm
    libpng-1.2.5-7.1.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK 
  * source file identical to libpng-1.2.5-7.src.rpm from FC1 updates.
  * spec file looks good.  Has proper %post and %postun for libraries.
  * patch to limit dimensions good.  In combination with previous patches, 
    produces same patched source as is created by using the upstream's
    "all-patches" patch file.
  * Builds well.
  * Charles Anderson's rpm-build-compare script output looks reasonable for
    both output rpm packages.
  * Installs ok.
  * Runs well.

      PUBLISH++

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBuLtQxou1V/j9XZwRAlDzAKDs2EVIoU+KWFGwAw3JhVMpwVk7AgCfQs2U
v0dYT/LmZlmePJbouiT68XE=
=LytN
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2004-12-09 10:59:14 ----

Does this issue need further QA, or can it go on to the next stage?  -David



------- Additional Comments From dom@earth.li 2004-12-09 13:20:50 ----

Good to go IMO. I've moved it to the to-build list in issues.txt.



------- Additional Comments From dom@earth.li 2004-12-09 13:57:17 ----

This isn't resolved yet.



------- Additional Comments From deisenst@gtw.net 2004-12-09 13:59:06 ----

Oh, okay.  I guess the process is still a little unclear to me.  Sorry.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-18 09:18:51 ----

Pushed to updates-testing




------- Additional Comments From jimpop@yahoo.com 2004-12-20 11:22:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+VERIFIED 73

21a9a1d6e6ae60ffd6144c8bfbf5b2fb  libpng-1.0.15-0.7x.1.legacy.i386.rpm

Per instructions from David Eisenstein (thank you), I have used pngtest to
verify libpng-1.0.15 on Redhat 7.3

- - - - - - - - - - - - - - - - - - - - - - - - -
Testing libpng version 1.0.15
   with zlib   version 1.1.4

 libpng version 1.0.15 - October 3, 2002
   Copyright (c) 1998-2002 Glenn Randers-Pehrson
   Copyright (c) 1996-1997 Andreas Dilger
   Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
 library (10015): libpng version 1.0.15 - October 3, 2002 (header)
 pngtest (10015): libpng version 1.0.15 - October 3, 2002 (header)
 sizeof(png_struct)=680, sizeof(png_info)=288
Testing pngtest.png:
 Pass 0: rwrwrwrwrwrwrwrwrw
 Pass 1: rwrwrwrwrwrwrwrwrw
 Pass 2: rwrwrwrwrwrwrwrw
 Pass 3: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
 Pass 4: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
 Pass 5: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
         rwrwrwrw
 Pass 6: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
         rwrwrwrwrw
 PASS (9782 zero samples)
 Filter 0 was used 21 times
 Filter 1 was used 15 times
 Filter 2 was used 52 times
 Filter 3 was used 10 times
 Filter 4 was used 33 times
 tIME = 7 Jun 1996 17:58:08 +0000
libpng passes test
- - - - - - - - - - - - - - - - - - - - - - - - -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxzkSuhh7yV/E9I4RAsDvAJ9e1e29HlLcYlVsn0fIQ0vIzTOUqQCdH69P
e9ne8YhrjhZY3j/+/MQzzqo=
=vdyw
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-22 04:44:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL9:
 - rpm-build-compare looks good
 - packages install OK
 - pngtest passes the test (as comment #30)
 - a couple of apps which use libpng work ok.

+VERIFY RHL9

d71f34a57a80386cdbe2bc9738f0e2b778c639e7  libpng10-1.0.15-0.9.1.legacy.i386.rpm
e89ca650e1839e4ad3155097cf6c70e239befe7c  libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
90c20c26388d2a32fb84433bff3d3abcd7010425  libpng-1.2.2-20.2.legacy.i386.rpm
360acd84d0b7e8bdf7e3358d3235bc67c28b1ba8  libpng-devel-1.2.2-20.2.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByYgaGHbTkzxSL7QRAlEjAJ9b/oN8I+7S0MSm4KpzXBj/pLF1tACfVbWH
ZakpC5B0xwreU4CYBqcCYew=
=TVDR
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2004-12-22 15:41:46 ----

Created an attachment (id=951)
Pekka's QA from comment 32, that verifies with PGP

I removed white space from comment 32 so that it would pass PGP verification. 
In the attachment.



------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-05 08:35:24 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i took a look at the fc1 packages:
 
0afca5b729899b1fedeed263ddd2ac7aa506eb5b  libpng10-1.0.15-7.1.legacy.i386.rpm
6a7a6ecaa0435e2254e48bc5ea4c2d1724d5b160  libpng10-devel-1.0.15-7.1.legacy.i386.rpm
8e28d39029ff88510d3899c2848273a76b6e71f4  libpng-1.2.5-7.1.legacy.i386.rpm
405443b2e0e56b3d5e5f3f9b6a89bd3a83c24afb  libpng-devel-1.2.5-7.1.legacy.i386.rpm
 
 - gpg signature good
 - rpm-build-compare looks good
 - installs fine
 - works fine
 
+VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFB3DMetU2XAt1OWnsRAj45AKDjRo9Edxms0yObP4gTaXIkctFegACgvhUH
ysEDKOQ3wOj2nVBWrcukxww=
=4R9o
-----END PGP SIGNATURE-----




------- Additional Comments From jimpop@yahoo.com 2005-01-05 10:00:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+VERIFIED 73

Tested on RH73.  PNG graph generation (via MRTG) works.

1c286b40e2ad76146a9a4480e9db26bc04aaadb7  libpng-1.0.15-0.7x.1.legacy.i386.rpm

- -Jim P.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB3ERauhh7yV/E9I4RAj0PAJ92wY+0G+k5mdwE2RSxog1JtDsWxACfQM3b
I+ep8S7IqLA6brr/sRMiOvQ=
=vv+K
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2005-01-08 15:07:22 ----

I believe these packages have enough VERIFIES (they have been verified for
RH7.3, RH9 and FC1), so I am marking this issue VERIFIED.  

These should should be moved to updates.



------- Additional Comments From dom@earth.li 2005-01-08 16:06:32 ----

For proofreading:
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt



------- Additional Comments From pekkas@netcore.fi 2005-01-08 22:16:23 ----

Advisory looks good, but should we also reference CVE-2002-1363 as Red Hat
is doing, because the patch for that changed in the meantime (I think)?






------- Additional Comments From dom@earth.li 2005-01-09 02:26:40 ----

Have we fixed that though? I don't see anything in the bug history referencing
that number.



------- Additional Comments From pekkas@netcore.fi 2005-01-09 06:50:07 ----

AFAICS, the old patch (transfix) was one that RHEL21 replaced with a better
patch from upstream, like we did.  So, if RHEL21's patch was considered a better
fix to CAN-2002-1363, maybe ours should be considered a better fix to that as well?




------- Additional Comments From deisenst@gtw.net 2005-01-10 15:12:57 ----

Created an attachment (id=964)
Entire advisory (revision 007 29-Oct-04) for libpng-1.2.5 and earlier versions

The enclosed file is the latest SECURITY ADVISORY available for the libpng
packages we are patching here.  Regarding the transfix patch, these two
paragraphs seem relevant:


   "libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt
   Fixes bug that was introduced in version 1.0.2
   This bug was widely publicised in December 2002 and
   has been fixed in many Linux distributions.  Mitre
   named this vulnerability CAN-2002-1363.  Use to patch
   libpng-1.0.5 through 1.2.5

   "libpng-patch01-pngrtran-filler-GG-overflow.txt
   Fixes bug that was introduced in version 1.0.2
   This bug was also publicised around January 2003.
   Because of its similarity to patch00, there has been
   some confusion and hardly anyone has applied this
   patch.  There was a flurry of bug reports about this
   in June 2004 when people noticed that only half of
   the problem had been fixed.  Mitre has assigned
   a new name, CAN-2004-0768, to this vulnerability."

I have gone ahead and checked all .src.rpm's that this bug report is patching
and find that both 
  libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt and
  libpng-patch01-pngrtran-filler-GG-overflow.txt
are included in the all of the patches.  This implies that not only are we
patching for CVE-2002-1363 (no longer CAN-2002-1363), but we are also patching
here for CAN-2004-0768.  I will change the title of this bug to reflect that.





------- Additional Comments From deisenst@gtw.net 2005-01-10 15:48:37 ----

HOWEVER -- in reviewing all of the .src.rpm's, I discovered that the patch file
for RH9's libpng-1.2.2-20.2.legacy.src.rpm in updates-testing (from comment 1) 
is out of date, from July, named "libpng-1.2.2-security.patch".  

The advisory mentioned in comment 41 indicates that the correct megapatch for
libpng-1.2.2 should be "libpng-1.2.2-all-patches.txt".  

The difference between these two patch files is effectively the
"libpng-patch11-limit-dimensions.txt", which is the patch that limits images to
having no more than one million rows and one million columns.

Upstream patch for libpng-1.2.2 for RH9:
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.2-all-patches.txt

The other packages in updates-testing for RH9 (coming from
libpng10-1.0.15-0.9.1.legacy.src.rpm in comment 16) are fine; that .src.rpm
includes "libpng-1.2.5-all-patches.patch", which is the recommended megapatch
for libpng-1.0.15.

I will go ahead and release an updated libpng-1.2.2 srpm for RH9, using the
upstream patch and post links to it here, hopefully later tonight.

       -David
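The limit-dimensions patch discussed in this comment caps images at one million rows and columns. As an added illustration (not libpng's code and not the patch itself), here is that kind of check applied when the IHDR chunk is parsed; the one-million constant comes from the comment above, while the macro name, reason codes and the helper that builds test input are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative cap from the advisory text (one million rows/columns); not libpng's macro. */
#define MAX_IMAGE_DIM 1000000UL

static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate the signature + IHDR prefix of a PNG byte stream. Returns 0 when the
   dimensions are acceptable, a non-zero reason code otherwise. CRC, bit depth
   and colour type are deliberately not checked here. */
int check_png_dimensions(const unsigned char *buf, size_t len,
                         uint32_t *width, uint32_t *height) {
    if (len < 8 + 4 + 4 + 13) return 1;                   /* truncated prefix     */
    if (memcmp(buf, PNG_SIG, 8) != 0) return 2;           /* not a PNG            */
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return 3;
    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    if (w == 0 || h == 0) return 4;                       /* spec forbids zero    */
    if (w > MAX_IMAGE_DIM || h > MAX_IMAGE_DIM) return 5; /* limit-dimensions cap */
    /* Even within the cap, a row of up to 8 bytes/pixel and the w*h product must
       fit in size_t; on a 32-bit build a 1e6 x 1e6 image still overflows. */
    if (w > SIZE_MAX / 8 || w > SIZE_MAX / h) return 6;
    *width = w; *height = h;
    return 0;
}

/* Build a constructed 29-byte signature + IHDR prefix for test input. */
void make_ihdr_prefix(unsigned char out[29], uint32_t w, uint32_t h) {
    memcpy(out, PNG_SIG, 8);
    out[8] = 0; out[9] = 0; out[10] = 0; out[11] = 13;    /* IHDR data length */
    memcpy(out + 12, "IHDR", 4);
    for (int i = 0; i < 4; i++) {
        out[16 + i] = (unsigned char)(w >> (24 - 8 * i));
        out[20 + i] = (unsigned char)(h >> (24 - 8 * i));
    }
    out[24] = 8; out[25] = 6; out[26] = 0; out[27] = 0; out[28] = 0; /* 8-bit RGBA */
}

/* Convenience wrapper: verdict for a given width/height pair. */
int dims_verdict(uint32_t w, uint32_t h) {
    unsigned char p[29]; uint32_t ow, oh;
    make_ihdr_prefix(p, w, h);
    return check_png_dimensions(p, sizeof p, &ow, &oh);
}
```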



------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-11 02:32:47 ----

re comment #37:

typo found:

--- 1943-libpng-draft.txt.orig  2005-01-11 07:26:21.000000000 -0500
+++ 1943-libpng-draft.txt       2005-01-11 07:26:44.000000000 -0500
@@ -106,7 +106,7 @@
 http://download.fedoralegacy.org/redhat/9/updates/i386/libpng-devel-1.2.2-20.2.legacy.i386.rpm
  
  
-Fedora Cope 1
+Fedora Core 1
  
 SRPM:
 http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm
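Review bot: The `-Fedora Cope 1` / `+Fedora Core 1` correction is consistent with the `fedora/1/updates/SRPMS/` path on the following SRPM line, so the fix is right; since this hunk only covers the FC1 heading, the other distribution headings in 1943-libpng-draft.txt (the Red Hat 9 section whose libpng-devel URL precedes this one) are not visible here and should be checked for the same kind of typo before the advisory is sent.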




------- Additional Comments From deisenst@gtw.net 2005-01-11 12:39:51 ----


Here is an updated libpng source package to QA for RH9:

- - - includes one extra patch from:
http://dl.sourceforge.net/sourceforge/libpng/libpng-patch11-limit-dimensions.txt

Instead of putting in the libpng-1.2.2-all-patches.txt from upstream, I
elected to make a smaller change, and put in the "limit-dimensions" patch, as
Rob did in comment 21.  (It creates exactly the same patched source as the
"all-patches" patch.)

PLEASE NOTE:  I don't run RH9, so am not able to test
  libpng-1.2.2-20.3.legacy binaries.  Please test!

changelog:

* Tue Jan 11 2005 David Eisenstein <deisenst@gtw.ne> 2:1.2.2-20.3.legacy
- - apply patch to limit dimensions (Fedora Legacy Bugzilla # 1943), from
  upstream patch.

* Wed Aug  4 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
  1.2.2-20.2.legacy
- - Replace the patches for individual security problems with the
  cumulative patch issued by the png developers.
  Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.

* Tue Jun 18 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
  1.2.2-20.1.legacy
- - Added better version of the patch for CAN-2002-1363

 SHA1SUM                                   NAME
 ========================================  ===========================
 3b557f1624aefcf4ca11978b5a4e6278229b78d1  libpng-1.2.2-20.3.legacy.src.rpm

file:
http://members.gtw.net/~deisenst/legacy/RH9/SRPMS/libpng-1.2.2-20.3.legacy.src.rpm





------- Additional Comments From pekkas@netcore.fi 2005-01-11 21:16:04 ----

 
QA of David's RHL9 rpm:
 - sources OK
 - patch verified to be OK
 - spec file changes minimal
 - rebuilds fine on RHL9, installs fine
 - pngtest on pngtest.png passes the test
 
+PUBLISH
(+VERIFY)
 
Just a question: is this stuff needed for libpng10 or libpng-1.0.x?
I guess not?
 
3b557f1624aefcf4ca11978b5a4e6278229b78d1  libpng-1.2.2-20.3.legacy.src.rpm




------- Additional Comments From deisenst@gtw.net 2005-01-12 14:43:18 ----

Pekka - thanks for QA'ing!  You asked:

> Just a question: is this stuff needed for libpng10 or libpng-1.0.x?
> I guess not?

I think we're covered, Pekka.  AFAICS, this stuff (the limit-dimensions
patch) is included in the other four .src.rpm's:

   * libpng-1.0.15-0.7x.1.legacy.src.rpm has "libpng-1.2.5-all-patches.patch"
     from upstream, which includes limit-dimensions (cra, comment 16; also
     see attachment 964 [details]);

   * libpng10-1.0.15-0.9.1.legacy.src.rpm has the same patch as the 0.7x.1
     .src.rpm package above (cra, comment 16);

   * The two FC1 .src.rpm's (from comment 21) have Rob's
     "libpng-patch11-limit-dimensions.patch" in addition to the slightly
     older security patch from upstream (from Red Hat's August 4th FC1
     updates - see http://tinyurl.com/522ze).  This combination of patches
     works fine (see comment 23, comment 24).



------- Additional Comments From deisenst@gtw.net 2005-01-20 12:38:44 ----

Created an attachment (id=970)
Suggested changes to the advisory.

Some suggested changes to Dominic's advisory in
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt
dated 11-Jan-2005 12:39.




------- Additional Comments From deisenst@gtw.net 2005-02-01 23:41:34 ----


I would say that we need no further QA to have this published to
updates-testing.  The limit-dimensions patch from comment 44 (for
RHL 9's libpng) was a very small patch, Pekka has QA'ed this, and
we have plenty of PUBLISH votes for other versions of this.

I have reviewed and verified that all other packages have the
limit-dimensions patch for their libpng and libpng10 packages.
So the issue that Pekka raises in comment 45 is a non-issue (see
comment 46).

Dominic, please see the suggested wording changes in Attachment 970 for

http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt

Have removed QA from this issue.  Let's publish -> updates-testing.





------- Additional Comments From deisenst@gtw.net 2005-02-01 23:51:56 ----

Oh.  Another suggestion for 1943-libpng-draft.txt -- add Bug 1550 to the
Cross References, ala:

Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1550
                   https://bugzilla.fedora.us/show_bug.cgi?id=1943

Bug 1550 should be closed when this one is.



------- Additional Comments From deisenst@gtw.net 2005-02-02 16:28:08 ----

ALERT!

It looks like someone moved 
    * libpng-1.2.2-20.2.legacy.src.rpm, 
    * libpng-devel-1.2.2-20.2.legacy.i386.rpm, and
    * libpng-devel-1.2.2-20.i386.rpm
from updates-testing to updates for RH9.

Instead, 
    * libpng-1.2.2-20.3.legacy.src.rpm
needs to be rebuilt for RH9, then either put into updates-testing
(for further QA and VERIFY votes) or, if we feel it is sufficiently
verified, placed directly into updates.  I don't believe libpng-1.2.2-20.3
for RH9 was ever put into updates-testing.

Does libpng-1.2.2-20.3 for RH9 need more VERIFY votes in addition to
Pekka's in comment 45?  I would vote no, but does anyone else have an
opinion?





------- Additional Comments From dom@earth.li 2005-02-03 03:10:31 ----

Sorry about this, looks like I screwed up. However I'm rather unwell now so not
really able to think clearly about it.



------- Additional Comments From dom@earth.li 2005-02-03 11:00:19 ----

libpng-1.2.2-20.3 for rh9 now available from the updates-testing repository.



------- Additional Comments From madhatter@teaparty.net 2005-02-05 07:44:01 ----

 
02/04/05 12:43:47 Updated: libpng-devel 2:1.2.2-20.3.legacy.i386
02/04/05 12:43:47 Updated: libpng 2:1.2.2-20.3.legacy.i386
  
installs OK, pngtest runs fine.
  
+VERIFY RH9
  




------- Additional Comments From pekkas@netcore.fi 2005-02-26 01:11:58 ----

Should this (or RHL9 in particular) be at "Packages that have been verified and
should be fully released" category?



------- Additional Comments From deisenst@gtw.net 2005-02-26 18:44:40 ----

Actually, this bug has been fully verified and has been published to updates.
It should be removed from Dominic's issues.txt.

[FLSA-2005:1943] Updated libpng resolves security vulnerabilities:
http://www.redhat.com/archives/fedora-legacy-list/2005-February/msg00093.html



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:26 -------

This bug previously known as bug 1943 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1943
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 1550.

Attachments:
piece which was dropped on the way to the current version
https://bugzilla.fedora.us/attachment.cgi?action=view&id=798
differences between officially patched version and 7.3 SRPM 0.7x.7.legacy
https://bugzilla.fedora.us/attachment.cgi?action=view&id=808
Pekka's QA from comment 32, that verifies with PGP
https://bugzilla.fedora.us/attachment.cgi?action=view&id=951
Entire advisory (revision 007 29-Oct-04) for libpng-1.2.5 and earlier versions
https://bugzilla.fedora.us/attachment.cgi?action=view&id=964
Suggested changes to the advisory.
https://bugzilla.fedora.us/attachment.cgi?action=view&id=970

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

