Re: libpng CVE-2006-7244/CVE-2009-5063



Henri Salo wrote:

> There are two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from:
> 
> http://security-tracker.debian.org/tracker/source-package/libpng
> 
> The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: "package libpng is vulnerable; however, the security impact is unimportant.", but I think these aren't unimportant as you can see from here:
> 
> http://www.openwall.com/lists/oss-security/2011/03/22/7
> http://www.openwall.com/lists/oss-security/2011/03/28/6
> 
> Is there a plan to fix these issues? Should I create a bug-report?

The CVE entries describe these issues as denials of service, which can
be chosen to be considered unimportant.  Do you have information that
the problem is actually more severe than that?

If you really want to fix this, you can prepare an ospu and send it to
debian-release@l.d.o for review for lenny's next stable update.

Best wishes,
Mike
