[Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS

Josh Bressers bressers at redhat.com
Wed Nov 29 20:16:15 UTC 2006


Sorry for the horribly delayed response.  I've been away on holiday.

> 
> Actually I downloaded the libpng src.rpm with yumdownloader --source
> libpng and took a look into it, it contains the spec, the upstream
> tarball and two patches:
> 
> libpng-1.2.10-multilib.patch
> libpng-1.2.10-pngconf.patch
> 

All known libpng CVE ids are tracked via the following files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora

If there are any CVE ids we're missing please let us know.  There are a
number of CVE ids that are simply client crashes.  We do not consider
client side crashes security issues, they are bugs.  Some of them get CVE
ids.  This is something MITRE is currently working on a policy for.  Right
now they have a blanket policy of assigning a CVE id to anything anyone
calls a security flaw.  It's then our job to weed through them and find the
relevant ones.

> 
> > If you have concerns regarding a specific issue, feel free to bring that
> > up, but bug 211705 in no way represents a security flaw.
> 
> But if the mentioned issues are not security flaws please document it in
> bugzilla, so it does not seem to be ignored.
> 

I've updated that bug with a statement regarding those CVE ids.  The two
mentioned in the bug are client crashes, thus are just bugs.

Thanks.

-- 
    JB
