From: Glenn Randers-P. <gl...@gm...> - 2014-04-11 14:56:20
No, libpng10, 12, and 14 were not affected. Libpng15, 16, and 17beta were fixed in January 2013.

On Fri, Apr 11, 2014 at 7:00 AM, Paul Howarth <pa...@ci...> wrote:
> On 10/04/14 21:43, Glenn Randers-Pehrson wrote:
> > http://sourceforge.net/p/libpng/bugs/199/
> >
> > Use CVE-2013-7353 for "png_set_unknown_chunks in libpng/pngset.c ...
> > Fixed in libpng-1.5.14beta08"
> >
> > ("has four integer overflow bugs" is apparently a typo of "has one
> > integer overflow bug")
> >
> > Use CVE-2013-7354 for "The png_set_sPLT() and png_set_text_2()
> > functions have a similar bug, which is fixed in libpng-1.5.14rc03" --
> > this has a different discoverer.
> >
> > The vendor mentions that internal calls use safe values. These issues
> > could potentially affect applications that use the libpng API.
> > Apparently no such applications were identified as part of the work on
> > bug 199.
> >
> > - --
> > CVE assignment team, MITRE CVE Numbering Authority
> > M/S M300
> > 202 Burlington Road, Bedford, MA 01730 USA
> >
> > I'll update the CHANGES files for libpng15, 16, and 17 to include
> > these CVE numbers in the appropriate January 2013 entries.
>
> Is libpng10 affected by either of these issues?
>
> Paul.