Bug#632786:
Bug#632786: (PRSC) Bug#632786: CVE-2011-2501 libpng: regression of CVE-2004-0421
Dear maintainer, Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases: lenny (5.0.9) squeeze (6.0.2) Please prepare a minimal-changes upload targetting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package. I will happily assist you at any stage if the patch is straightforward and you need help or lack time. Please keep me in CC at all times so I can track the progress of this request. For details of this process and the rationale, please see the original announcement [1] and my blog post [2]. 0: debian-rele...@lists.debian.org 1: <201101232332.11736.th...@debian.org> 2: http://deb.li/prsc Thanks, with his security hat on: -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 signature.asc Description: Digital signature
Bug#632786: CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+
Package: libpng Tags: security patch Severity: critical https://bugzilla.redhat.com/show_bug.cgi?id=717084 Vincent Danen 2011-06-27 18:34:45 EDT It was reported [1] that the fix for CVE-2004-0421 in libpng was inadvertently reverted during the 1.2.23 development cycle. The original flaw could be used to cause a denial of service via a carefully-crafted PNG image. This would affect all versions of libpng >=1.2.23, including 1.4.x and 1.5.x. [1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement Vincent Danen 2011-06-27 18:43:19 EDT Upstream fix is here: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af Huzaifa S. Sidhpurwala 2011-06-28 23:44:56 EDT This has been assigned CVE-2011-2501: http://www.openwall.com/lists/oss-security/2011/06/28/16 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org