Re: please unblock libpng 1.2.15~beta5-0

To: debian-release@lists.debian.org
Subject: Re: please unblock libpng 1.2.15~beta5-0
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 15 Dec 2006 19:01:20 +0100
Message-id: <[🔎] slrneo5ong.31p.jmm@inutil.org>
References: <[🔎] 20061212092323.GD7578@debianrules.debiancolombia.org> <[🔎] 1165929216.3693.17.camel@silicium.ccc.cea.fr> <[🔎] 20061215071953.GD5093@mauritius.dodds.net> <[🔎] 1166186774.31753.20.camel@silicium.ccc.cea.fr>

Josselin Mouette wrote:
> The only sane solution if you want to get quickly to a releaseable state
> is to go back to the last 1.2.8 package and to backport security fixes.
> I've also explained more long-term solutions for the libpng madness on
> my planet posting.

I agree. Especially, as the security issues are so minor, that they're not
even worth a DSA for Sarge:

CVE-2006-5793 is a pure crasher w/o potential for code injection. 
A reproducible crash in a picture processing library is only a security
problem by a very far stretch. No big deal, and easily backportable.

CVE-2006-3334 isn't exploitable, as no application-external memory sections
can be over-written.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: please unblock libpng 1.2.15~beta5-0
  - From: Mike Hommey <mh@glandium.org>

References:
- please unblock libpng 1.2.15~beta5-0
  - From: Aníbal Monsalve Salazar <anibal@debian.org>
- Re: please unblock libpng 1.2.15~beta5-0
  - From: Josselin Mouette <joss@debian.org>
- Re: please unblock libpng 1.2.15~beta5-0
  - From: Steve Langasek <vorlon@debian.org>
- Re: please unblock libpng 1.2.15~beta5-0
  - From: Josselin Mouette <joss@debian.org>

Prev by Date: Re: Please unblock moodle_1.6.3-2
Next by Date: Re: mingw32 uploaded to unstable with GFDL issue #392953 resolved
Previous by thread: Re: please unblock libpng 1.2.15~beta5-0
Next by thread: Re: please unblock libpng 1.2.15~beta5-0
Index(es):
- Date
- Thread