On Sun, Mar 01, 2009 at 04:39:52PM +1100, Anibal Monsalve Salazar wrote:
>On Mon, Feb 23, 2009 at 06:47:11PM +0100, Luk Claes wrote:
>>Otavio Salvador wrote:
>>>Aníbal Monsalve Salazar <anibal@debian.org> writes:
>>>
>>>>please approve / unblock libpng/1.2.35-1
>>>
>>>>Closes: 486415 516256
>>>>Changes:
>>>> libpng (1.2.35-1) unstable; urgency=high
>>>> .
>>>> * New upstream release
>>>> - http://secunia.com/advisories/33970/
>>>> Fix a vulnerability reported by Tavis Ormandy in which
>>>> some arrays of pointers are not initialized prior to using
>>>> "malloc" to define the pointers.
>>>> Closes: #516256
>>>> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
>>>> The png_check_keyword function in pngwutil.c in libpng, might
>>>> allow context-dependent attackers to set the value of an
>>>> arbitrary memory location to zero via vectors involving
>>>> creation of crafted PNG files with keywords, related to an
>>>> implicit cast of the '\0' character constant to a NULL pointer.
>>>> * Don't build libpng3 when binary-indep target is not called.
>>>> Closes: #486415
>>>
>>>Ack.
>>
>>unblocked
>>
>>Cheers
>>
>>Luk
>
>Please push libpng/1.2.35-1 which hasn't been installed yet.

No help from mips@buildd.debian.org yet. Should libpng 1.2.35-1 be given back?