Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=504782
--- Comment #8 from Tomas Hoger <thoger@redhat.com> 2009-06-09 12:14:26 EDT ---
(In reply to comment #7)
> Calling this a security issue seems like a bit of a stretch.
Yeah, that was my reaction too, when seeing the upstream announcement.
> You can only read portions of individual bytes, you can't control very well which bytes those are, and the whole thing depends on the application's display code being seriously buggy (i.e. showing garbage pixels on the right side of an image).
I believe applications displaying images using libpng were not really the assumed attack vector, as those can only show the leaked bytes to the user running the application, so that case is a non-issue. I guess they may have assumed some automated image processing (such as image conversion using ImageMagick's convert, or CUPS printing) as a vector, though even without checking whether any such application can return the leaked bytes in some output an attacker can see and use, the leak seems rather limited, not easily predictable and not too likely to yield any valuable data.
Have you already looked into what an application must do wrong to process those garbage pixels at all?
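As an added illustration of the display-side mistake the two comments above refer to (this is example code written for this page, not code from the bug thread or from libpng), the C model below packs a row of sub-byte PNG samples MSB-first, the way PNG stores 1-, 2- and 4-bit samples, and contrasts two display loops. The row data, the "stale" bits placed in the padding, and the names `render_correct` / `render_buggy` are all constructed here for the demonstration; the model does not reproduce how libpng itself fills the row buffer. A display routine that honours the image width never touches the trailing bits of the last row byte, so whatever a decoder left there stays invisible; a routine that paints every bit of the row buffer shows them as a few extra pixels on the right edge, which is the only way "portions of individual bytes" could leak to a viewer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative model, not libpng code. A PNG row of 1-, 2- or 4-bit samples is
 * packed MSB-first; when width * bit_depth is not a multiple of 8, the last byte
 * of the row has trailing bits that belong to no pixel. Only a display routine
 * that ignores the image width and paints every bit of the row buffer can ever
 * show what a decoder left in those bits.
 */

/* Bytes needed to hold one row of `width` pixels at `bit_depth` bits each. */
static size_t row_bytes(size_t width, unsigned bit_depth) {
    return (width * bit_depth + 7) / 8;
}

/* Trailing bits of the last row byte that carry no pixel data. */
static unsigned padding_bits(size_t width, unsigned bit_depth) {
    return (unsigned)((8 - (width * bit_depth) % 8) % 8);
}

/* Sample `x` of a packed row (MSB-first, as PNG packs sub-byte samples). */
static unsigned sample_at(const uint8_t *row, size_t x, unsigned bit_depth) {
    size_t bit = x * bit_depth;
    unsigned shift = 8 - bit_depth - (unsigned)(bit % 8);
    return (row[bit / 8] >> shift) & ((1u << bit_depth) - 1u);
}

/* Correct display loop: exactly `width` samples are consumed, so the padding
 * bits never reach the screen whatever they contain. Returns pixels written. */
static size_t render_correct(const uint8_t *row, size_t width, unsigned bit_depth,
                             unsigned *out) {
    for (size_t x = 0; x < width; x++)
        out[x] = sample_at(row, x, bit_depth);
    return width;
}

/* Buggy display loop: walks the whole row buffer sample by sample, so the
 * padding bits of the last byte come out as extra pixels past the right edge.
 * Returns pixels written (width + padding_bits / bit_depth). */
static size_t render_buggy(const uint8_t *row, size_t width, unsigned bit_depth,
                           unsigned *out) {
    size_t n = row_bytes(width, bit_depth) * 8 / bit_depth;
    for (size_t x = 0; x < n; x++)
        out[x] = sample_at(row, x, bit_depth);
    return n;
}

/* Constructed sample row (not real decoder output): 5 pixels wide at 1 bit per
 * pixel. The high five bits are the real pixels 1,0,1,0,1; the low three bits
 * 1,1,0 stand in for stale memory left in the padding. 0xAE = 1010 1110. */
static const uint8_t kRow5x1[1] = { 0xAE };
#define DEMO_WIDTH      5u
#define DEMO_DEPTH      1u
#define DEMO_MAX_PIXELS 8u

/* Number of pixels each renderer emits for the sample row. */
static size_t demo_pixel_count(int buggy) {
    unsigned px[DEMO_MAX_PIXELS];
    return buggy ? render_buggy(kRow5x1, DEMO_WIDTH, DEMO_DEPTH, px)
                 : render_correct(kRow5x1, DEMO_WIDTH, DEMO_DEPTH, px);
}

/* The stale bits the buggy renderer exposes beyond the image width, packed
 * into an integer: for the sample row this is 0b110 = 6. */
static unsigned demo_leaked_value(void) {
    unsigned px[DEMO_MAX_PIXELS];
    size_t n = render_buggy(kRow5x1, DEMO_WIDTH, DEMO_DEPTH, px);
    unsigned v = 0;
    for (size_t x = DEMO_WIDTH; x < n; x++)
        v = (v << DEMO_DEPTH) | px[x];
    return v;
}

int main(void) {
    unsigned px[DEMO_MAX_PIXELS];
    size_t n;

    printf("row has %u padding bit(s)\n", padding_bits(DEMO_WIDTH, DEMO_DEPTH));

    n = render_correct(kRow5x1, DEMO_WIDTH, DEMO_DEPTH, px);
    printf("correct renderer: %zu pixels:", n);
    for (size_t x = 0; x < n; x++) printf(" %u", px[x]);
    printf("\n");

    n = render_buggy(kRow5x1, DEMO_WIDTH, DEMO_DEPTH, px);
    printf("buggy renderer:   %zu pixels:", n);
    for (size_t x = 0; x < n; x++) printf(" %u", px[x]);
    printf("  (last %u are padding)\n", padding_bits(DEMO_WIDTH, DEMO_DEPTH));
    return 0;
}
```

The point the model makes explicit is the one in the comments: even a viewer with the buggy loop reveals at most `padding_bits / bit_depth` samples per row (here three one-bit pixels), the leaked bits sit at a fixed place in each row, and an application whose loop is bounded by the image width leaks nothing regardless of what the decoder left in the buffer.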