Re: please unblock libpng 1.2.15~beta5-0
Josselin Mouette wrote:
> The only sane solution if you want to get quickly to a releasable state
> is to go back to the last 1.2.8 package and to backport security fixes.
> I've also explained more long-term solutions for the libpng madness on
> my planet posting.
I agree, especially as the security issues are so minor that they're not
even worth a DSA for Sarge:
CVE-2006-5793 is a pure crasher w/o potential for code injection.
A reproducible crash in a picture processing library is only a security
problem by a very far stretch. No big deal, and easily backportable.
CVE-2006-3334 isn't exploitable, as no application-external memory sections
can be overwritten.
Cheers,
Moritz