Sorry for the horribly delayed response. I've been away on holiday.
Actually, I downloaded the libpng src.rpm with yumdownloader --source
libpng and took a look at it; it contains the spec, the upstream
tarball and two patches:
All known libpng CVE ids are tracked via the following files:
If there are any CVE ids we're missing please let us know. There are a
number of CVE ids that are simply client crashes. We do not consider
client side crashes security issues, they are bugs. Some of them get CVE
ids. This is something MITRE is currently working on a policy for. Right
now they have a blanket policy of assigning a CVE id to anything anyone
calls a security flaw. It's then our job to weed through them and find the
> If you have concerns regarding a specific issue, feel free to bring that
> up, but bug 211705 in no way represents a security flaw.
But if the mentioned issues are not security flaws, please document it in
bugzilla, so it does not seem to be ignored.
I've updated that bug with a statement regarding those CVE ids. The two
mentioned in the bug are client crashes, and thus are just bugs.