I don't know, but I would agree that the risk is small enough to drop
the matter and close the case.

On Tue, Jul 7, 2009 at 7:09 AM, Michael S. Gilbert <michael.s.gilb...@gmail.com> wrote:
> On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
>> > version 1:1.5.2-5 that I released to unstable is suitable for stable
>> > as well. Prior to this bugfix unstable and stable both contained
>> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
>> > build it for stable as well?
>>
>> Thank you for getting in touch with us. Judging from the context in which this
>> bug manifests itself, I think releasing a DSA for it is overkill. It happens
>> when creating a new X-Face header, which is something you would do rarely,
>> mostly not with any random image you didn't check out before, always as an
>> unprivileged user and what can happen is a crash of the conversion which is
>> hardly harmful. The security implications of this are very minor. Normally
>> there's a process to fix minor security issues through a stable point update
>> but I think this one is even too minor for that. It's great that testing and
>> unstable are fixed for the future, but I propose that we just leave it at
>> that and consider this case closed.
>
> i would agree.  the implications (a user-initiated application crash on
> invalid input) are so minor that this probably should not have been
> tagged as a security concern nor given a CVE in the first place.
> although, has the possibility of code injection been fully ruled out?
>
> mike
>
>
>



-- 
Håkan Ardö


