# libpng-1.2.45  GLSA 201010-01

## ChrisJumper

I was surprised that I had two Gentoo systems in July 2011 that use a slotted installation of libpng-1.2.45, and this library is vulnerable to a remote exploit (GLSA 201010-01).

And there is (?) no fix available for that. I opened this thread because I suppose that this library got reinstalled by a revdep-rebuild and I didn't recognize that I had a vulnerability issue for some days. Now I have some questions about this:

1. Why is this package not masked?

2. Which programs still use/need this library?

3. Is there really no patch available for one and a half years?

4. Shouldn't there be a message if Portage installs a package that has remote-exploit potential?

----------

## Bircoph

*ChrisJumper wrote:*

> 2. Which programs still use/need this library?

You can check this yourself:

```
equery d -D libpng:1.2
```

On all my Gentoo systems libpng:1.2 is neither required nor installed.

----------

## phajdan.jr

*ChrisJumper wrote:*

> I was surprised that I had two Gentoo systems in July 2011 that use a slotted installation of libpng-1.2.45, and this library is vulnerable to a remote exploit (GLSA 201010-01).

Vulnerable ebuilds get removed from the tree before a GLSA is released. libpng has a stable 1.2 branch, which is a bit different from the 1.4/1.5 branch. For more info see http://www.libpng.org/pub/png/libpng.html

----------

