Description of problem:
libpng 1.2.12 has been out there since 2006-06-27 and contains, together with 2.6.11, several fixes for various problems, among others at least one possibly security related.
(from the release notes)
2.6.12: Fix potential buffer overrun in chunk error processing.
2.6.11: Fix 1 potential overflow and 1 out-of-bounds read. Fix some bugs in makefiles. APPLY PATCH to fix another potential overflow (see KNOWNBUGS1)
Version-Release number of selected component (if applicable):
libpng-1.2.8-2.2.1
Additional info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
2.6.13 is out by now and fixes again a security flaw: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793 (See: #216706)
This also affects fc6.
(In reply to comment #1)
> 2.6.13 is out by now and fixes again a security flaw:
I mean 1.2.13
There are no known security issues in the libpng shipped in Fedora. The two CVE ids in the summary are not considered security issues but simply bugs. We track all known CVE ids related to fedora core here:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora
If there are any CVE ids not mentioned in those files, please open bugs as appropriate.
libpng is updated to 1.2.16 for Fedora 7. As Josh notes, we don't currently see a necessity to back-patch this.