On Mon, 25 May 2009 20:21:12 +0100 (BST) Mark J Cox wrote:
> Hello Jake; Tomas Hoger has just posted the details of this issue in
> the bug, see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2005-3350#c7

Thanks, Mark.

I don't know much about CVE assignment and the like (but perhaps I
should), but it would seem to me that the two CVEs from 2005 apply to
libungif rather than giflib and that new CVEs should be created or
applied for as it is a different package affected (though I assume they
share much of the same code) ... it would also seem plausible that
other distributions using giflib fell into the same hole ... or is this
purely a Fedora/RHEL issue because they stuck with giflib 4.1.3?
jake
--
Jake Edge - LWN - jake(a)lwn.net -
http://lwn.net