On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
> > version 1:1.5.2-5 that I released to unstable is suitable for stable
> > as well. Prior to this bugfix unstable and stable both contained
> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> > build it for stable as well?
> 
> Thank you for getting in touch with us. Judging from the context in which
> this bug manifests itself, I think releasing a DSA for it is overkill. It happens
> when creating a new X-Face header, which is something you would do rarely,
> mostly not with any random image you didn't check out before, always as an
> unprivileged user and what can happen is a crash of the conversion which is
> hardly harmful. The security implications of this are very minor. Normally
> there's a process to fix minor security issues through a stable point update 
> but I think this one is even too minor for that. It's great that testing and 
> unstable are fixed for the future, but I propose that we just leave it at 
> that and consider this case closed.

i would agree.  the implications (a user-initiated application crash on
invalid input) are so minor that this probably should not have been
tagged as a security concern nor given a CVE in the first place.
although, has the possibility of code injection been fully ruled out?

mike


