Bug 211705 - CVE-2006-3334, CVE-2006-5793 libpng 1.2.13 is out there
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libpng
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Tom Lane
Reported: 2006-10-20 22:19 UTC by Henning Norén
Modified: 2013-07-03 03:11 UTC (History)
Last Closed: 2007-02-12 16:25:00 UTC

Description Henning Norén 2006-10-20 22:19:01 UTC
Description of problem:
libpng 1.2.12 has been out there since 2006-06-27 and contains, together with
2.6.11, several fixes for various problems, among others at least one that is
possibly security related.


(from the release notes)
2.6.12:
Fix potential buffer overrun in chunk error processing.
2.6.11:
Fix 1 potential overflow and 1 out-of-bounds read. Fix some bugs in makefiles.
APPLY PATCH to fix another potential overflow (see KNOWNBUGS1)

Version-Release number of selected component (if applicable):
libpng-1.2.8-2.2.1

Additional info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334

Comment 1 Till Maas 2006-11-22 13:55:06 UTC
2.6.13 is out by now and fixes again a security flaw:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
(See: #216706)

This affects also fc6

Comment 2 Till Maas 2006-11-22 13:56:35 UTC
(In reply to comment #1)
> 2.6.13 is out by now and fixes again a security flaw:
I mean 1.2.13



Comment 3 Josh Bressers 2006-11-29 20:12:24 UTC
There are no known security issues in the libpng shipped in Fedora.  The two CVE
ids in the summary are not considered security issues but simply bugs.  We track
all known CVE ids related to fedora core here:

http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora

If there are any CVE ids not mentioned in those files, please open bugs as
appropriate.

Comment 4 Tom Lane 2007-02-12 16:25:00 UTC
libpng is updated to 1.2.16 for Fedora 7.  As Josh notes, we don't currently see
a necessity to back-patch this.

