Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3

Mon, 02 Jan 2017 09:30:47 -0800 

Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

CVE-2016-10087 is not worth a DSA, Security Team asked for a point release 
update.

diff -Nru libpng-1.2.50/debian/changelog libpng-1.2.50/debian/changelog
--- libpng-1.2.50/debian/changelog      2016-01-07 20:39:14.000000000 +0100
+++ libpng-1.2.50/debian/changelog      2017-01-02 18:24:35.000000000 +0100
@@ -1,3 +1,10 @@
+libpng (1.2.50-2+deb8u3) jessie; urgency=medium
+
+  * debian/patches/CVE-2016-10087.patch:
+    - cherry-pick upstream fix for CVE-2016-10087
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Mon, 02 Jan 2017 
18:21:33 +0100
+
libpng (1.2.50-2+deb8u2) jessie-security; urgency=high

* Non-maintainer upload by the Security Team.
diff -Nru libpng-1.2.50/debian/patches/CVE-2016-10087.patch 
libpng-1.2.50/debian/patches/CVE-2016-10087.patch
--- libpng-1.2.50/debian/patches/CVE-2016-10087.patch   1970-01-01 
01:00:00.000000000 +0100
+++ libpng-1.2.50/debian/patches/CVE-2016-10087.patch   2017-01-02 
18:23:04.000000000 +0100
@@ -0,0 +1,12 @@
+Description: Fix CVE 2016-10087
+Origin: 
https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2/
+--- a/png.c
++++ b/png.c
+@@ -387,6 +387,7 @@
+          png_free(png_ptr, info_ptr->text);
+          info_ptr->text = NULL;
+          info_ptr->num_text=0;
++         info_ptr->max_text=0;
+       }
+    }
+ #endif
diff -Nru libpng-1.2.50/debian/patches/series 
libpng-1.2.50/debian/patches/series
--- libpng-1.2.50/debian/patches/series 2016-01-07 20:39:14.000000000 +0100
+++ libpng-1.2.50/debian/patches/series 2017-01-02 18:21:33.000000000 +0100
@@ -8,3 +8,4 @@
CVE-2015-8472/0002-Use-unsigned-constants-in-buffer-length-com.patch
CVE-2015-8472/0003-Fixed-bug-recently-introduced-in-png_set_PL.patch
CVE-2015-8540.patch
+CVE-2016-10087.patch
(attached debdiff)




please ping if you want me to upload it


Il Lunedì 2 Gennaio 2017 7:19, Salvatore Bonaccorso <car...@debian.org> ha 
scritto:
Hi Gianfranco,

libpng has one issue which is below the threshold for fixing it
in a DSA due to minor impact:

https://security-tracker.debian.org/tracker/CVE-2016-10087

There's still the possibility to fix this via a stable point update
[1], so I was wondering whether anything of that sort is planned by
you. The next point release is scheduled for the 14th of january[2].

Regards,
Salvatore

[1] 
https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable
[2] https://lists.debian.org/debian-release/2016/12/msg00412.html

Attachment: debdiff
Description: Binary data

Reply via email to