https://bugzilla.redhat.com/show_bug.cgi?id=1281756
--- Comment #20 from Stefan Cornelius <scorn...@redhat.com> ---

Our CVSSv2 score may be different from what other sources suggest. That's because we don't think that other CVSSv2 scores give an appropriate approximation of the real-life impact of this issue.

In order to be vulnerable, an application needs to calculate the exact minimum buffer space for the palette according to the image's bit depth and then has to interact with libpng in a way that would copy the palette into the buffer the application has reserved. This is an extra-effort step most applications do not take, for simplicity reasons. Instead, for example, a lot of applications use the maximum size the palette can possibly have, regardless of the image's bit depth. In such a case, the application would not be vulnerable, even when using a vulnerable libpng version.

_______________________________________________
mingw mailing list
mingw@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/mingw@lists.fedoraproject.org
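The two buffer-sizing patterns from comment #20, as an added example that is not part of the original comment and is not libpng code: a bounds-checked palette copy run against an exact-size buffer and a maximum-size buffer. It assumes a decoder that can report more palette entries than the image's bit depth allows; `rgb_entry`, `copy_palette_checked` and the other names are hypothetical and no libpng API is called.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PALETTE_ENTRIES 256 /* most entries an 8-bit palette index can address */
/* Hypothetical stand-in for a decoder's 3-byte palette entry. */
typedef struct { uint8_t red, green, blue; } rgb_entry;

/* Entries an indexed image of this bit depth can address (2, 4, 16 or 256);
 * 0 for a bit depth that indexed images do not use. */
size_t entries_for_depth(int bit_depth)
{
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8)
        return 0;
    return (size_t)1 << bit_depth;
}

/* 1 if the count the decoder reported is consistent with the bit depth. */
int palette_count_valid(size_t reported, int bit_depth)
{
    size_t limit = entries_for_depth(bit_depth);
    return limit != 0 && reported <= limit;
}

/* Copy `reported` entries into a buffer holding dst_cap entries.
 * Returns the number copied, or -1 without writing if they would not fit. */
int copy_palette_checked(rgb_entry *dst, size_t dst_cap,
                         const rgb_entry *src, size_t reported)
{
    if (dst == NULL || src == NULL || reported > dst_cap)
        return -1;
    memcpy(dst, src, reported * sizeof *dst);
    return (int)reported;
}

/* Constructed case: a 2-bit image whose decoder reports 256 palette entries.
 * exact_size != 0 models the minimum-size buffer, 0 the maximum-size one. */
int demo_copy(int exact_size)
{
    static rgb_entry reported_palette[MAX_PALETTE_ENTRIES]; /* constructed input */
    rgb_entry buffer[MAX_PALETTE_ENTRIES];
    size_t cap = exact_size ? entries_for_depth(2) : MAX_PALETTE_ENTRIES;
    return copy_palette_checked(buffer, cap, reported_palette, MAX_PALETTE_ENTRIES);
}

int main(void)
{   /* exit 0 when the exact-size copy is refused and the maximum-size copy fits */
    return (demo_copy(1) == -1 && demo_copy(0) == 256) ? 0 : 1;
}
```

With the exact-size buffer the copy is refused instead of writing past four entries; with the maximum-size buffer it stays in bounds, and `palette_count_valid` still lets the application flag the oversized palette as malformed.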