Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=608644
--- Comment #10 from Glenn Randers-Pehrson <glennrp+bmo(a)gmail.com> 2010-06-29 13:34:14 EDT ---
(In reply to comment #9)
> This also looks like it would affect libpng10, looking quickly at the code.
Yes, it does. Upstream has declared end-of-life for libpng10 and does
not plan any more updates, even for security, as announced back in
February. If that is a hardship, you can complain to png-mng-implement at
lists.sf.net, explain why you still need libpng10, and we might revisit the
decision.
We also plan to abandon libpng12 at the end of 2010.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=608644
--- Comment #9 from Vincent Danen <vdanen(a)redhat.com> 2010-06-29 13:22:13 EDT ---
This also looks like it would affect libpng10, looking quickly at the code.
https://bugzilla.redhat.com/show_bug.cgi?id=608644
Vincent Danen <vdanen(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |vdanen(a)redhat.com
--- Comment #8 from Vincent Danen <vdanen(a)redhat.com> 2010-06-29 13:11:28 EDT ---
Looks like this is the upstream commit to fix this issue:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdi…
https://bugzilla.redhat.com/show_bug.cgi?id=608644
--- Comment #7 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-06-29 10:45:32 EDT ---
Created mingw32-libpng tracking bugs for this issue
Affects: fedora-all [bug 609162]
https://bugzilla.redhat.com/show_bug.cgi?id=608644
--- Comment #6 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-06-29 10:45:28 EDT ---
Created libpng tracking bugs for this issue
Affects: fedora-all [bug 609161]
https://bugzilla.redhat.com/show_bug.cgi?id=608644
Jan Lieskovsky <jlieskov(a)redhat.com> changed:
What    |Removed                                                          |Added
----------------------------------------------------------------------------
Summary |libpng: Memory leak when processing Physical Scale (sCAL) images |CVE-2010-2249 libpng: Memory leak when processing Physical Scale (sCAL) images
Alias   |                                                                 |CVE-2010-2249
--- Comment #4 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-06-29 10:30:31 EDT ---
The CVE identifier CVE-2010-2249 has been assigned to this.
https://bugzilla.redhat.com/show_bug.cgi?id=608644
Glenn Randers-Pehrson <glennrp+bmo(a)gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |glennrp+bmo(a)gmail.com
--- Comment #3 from Glenn Randers-Pehrson <glennrp+bmo(a)gmail.com> 2010-06-28 12:11:22 EDT ---
A defense for applications that don't need or want the sCAL
chunk is to use the png_set_keep_unknown_chunks() mechanism to ignore
it. See Mozilla's libpr0n/decoders/png or ImageMagick and
GraphicsMagick's coders/png.c, and pngcrush for examples of this.
It's a good idea for applications to do this because it
reduces resources consumed in reading a PNG, and it reduces their
attack surface by making the application invulnerable to future
vulnerabilities in known but unused chunks such as sCAL.
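An added example, not libpng's code and not from the commenter: the allowlist policy Comment #3 describes, applied in a dependency-free PNG chunk walker so it runs without libpng. It assumes a hypothetical viewer that needs only IHDR, PLTE, IDAT, IEND and tRNS; in libpng itself the same policy is set with the png_set_keep_unknown_chunks() call named in the comment. The 79-byte sample stream is constructed inline with zero CRC fields.

```c
#include <stdint.h>
#include <string.h>
/* Chunk types this hypothetical viewer actually uses; every other ancillary
 * chunk (sCAL included) is skipped without its payload ever being parsed. */
static const char *const WANTED[] = { "IHDR", "PLTE", "IDAT", "IEND", "tRNS" };
static int wanted(const char *type) {
    for (size_t i = 0; i < sizeof WANTED / sizeof *WANTED; i++)
        if (memcmp(type, WANTED[i], 4) == 0) return 1;
    return 0;
}
/* Walks the chunks after the 8-byte signature. Returns the number of chunks
 * handed to a parser, or -1 for a malformed stream (bad signature, length past
 * the buffer, unknown critical chunk, no IEND). *skipped counts ancillary
 * chunks dropped unread. CRCs are deliberately not verified here. */
int walk_chunks(const uint8_t *buf, size_t len, int *skipped) {
    size_t off = 8; int handled = 0; *skipped = 0;
    if (len < 8 || memcmp(buf, "\x89PNG\r\n\x1a\n", 8) != 0) return -1;
    while (off + 12 <= len) {                   /* room for length, type, CRC */
        uint32_t clen = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16)
                      | ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
        const char *type = (const char *)buf + off + 4;
        if (clen > len - off - 12) return -1;   /* declared length lies past the end */
        if (wanted(type)) handled++;            /* payload would be parsed here */
        else if (!(type[0] & 0x20)) return -1;  /* unknown critical chunk: fatal */
        else (*skipped)++;                      /* e.g. sCAL: never parsed */
        off += 12 + clen;
        if (memcmp(type, "IEND", 4) == 0) return handled;
    }
    return -1;                                  /* data ran out before IEND */
}
/* Constructed 79-byte sample (not a real file); all CRC fields are zero. */
static const uint8_t SAMPLE[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,                            /* signature */
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0, /* 1x1 grey */
    0,0,0,8,  's','C','A','L', 1,'1','.','0',0,'1','.','0', 0,0,0,0, /* unit, w, h */
    0,0,0,2,  'I','D','A','T', 0x78,0x9c, 0,0,0,0,
    0,0,0,0,  'I','E','N','D', 0,0,0,0 };
/* Walks a copy of the sample; drop cuts trailing bytes, lie inflates sCAL's length. */
int walk_sample(size_t drop, int lie, int *skipped) {
    uint8_t buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    if (lie) buf[33] = 0x01;                    /* sCAL now claims a 16 MiB payload */
    return walk_chunks(buf, drop < sizeof SAMPLE ? sizeof SAMPLE - drop : 0, skipped);
}
```

With the sample as built, IHDR, IDAT and IEND are handed on and the sCAL chunk is skipped unread; a truncated stream or a chunk whose length field overruns the buffer is rejected before any payload is touched.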
https://bugzilla.redhat.com/show_bug.cgi?id=510368
Bug Zapper <fedora-triage-list(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution| |WONTFIX
--- Comment #5 from Bug Zapper <fedora-triage-list(a)redhat.com> 2010-06-28 09:31:40 EDT ---
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=608644
--- Comment #2 from Tomas Hoger <thoger(a)redhat.com> 2010-06-28 07:46:27 EDT ---
*** Bug 608642 has been marked as a duplicate of this bug. ***
https://bugzilla.redhat.com/show_bug.cgi?id=608644
Jan Lieskovsky <jlieskov(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |low
Severity|medium |low