Date: Wed, 9 Aug 2017 07:49:25 +0000
From: ne xo <nexo123@...look.kr>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: RE: Cve issue discussion

Most bugs in ASan do not cause a crash in non-ASan environments.
You should check with the valgrind tool.

________________________________
From: Glenn Randers-Pehrson <glennrp@...il.com>
Sent: Tuesday, August 8, 2017 4:32:13 AM
To: oss-security@...ts.openwall.com
Subject: Re: [oss-security] Cve issue discussion

It doesn't occur on my own Ubuntu platform without ASAN. But anyone running with a malloc that initializes the memory (trusted systems, etc) would be affected.

On Mon, Aug 7, 2017 at 1:22 PM, Jesse Hertz <jesse_hertz@...le.com> wrote:
> fwiw, double check and make sure the issue occurs in libpng without ASAN. Sometimes ASAN can cause "heisenbugs" which only happen if ASAN is used.
>
>> On Aug 7, 2017, at 9:57 AM, Glenn Randers-Pehrson <glennrp@...il.com> wrote:
>>
>> OK I'll request a CVE for this libpng issue.
>>
>> Glenn
>>
>> On Mon, Aug 7, 2017 at 9:05 AM, John Haxby <john.haxby@...cle.com> wrote:
>>> On 07/08/17 13:47, Glenn Randers-Pehrson wrote:
>>>> It's not causing a crash, just a delay. You'll safely get either an OOM
>>>> message or an EOF message, and no memory leak.
>>>>
>>>
>>> That's scant comfort when your browser is the one hit by the OOM killer
>>> and then again when you restart it. And also while you're wondering
>>> what's going on because your laptop is basically completely
>>> non-responsive ...
>>>
>>> So yes, it's a remote DoS and definitely worth a CVE. We have had other
>>> similar CVEs in the past with image handling libraries not being
>>> sufficiently paranoid.
>>>
>>> jch
>>>
>>>> Glenn
>>>>
>>>> On Mon, Aug 7, 2017 at 8:37 AM, Marcus Meissner <meissner@...e.de> wrote:
>>>>> Hi,
>>>>>
>>>>> if it could crash the image reader I would consider it "remote denial of service"
>>>>> classed and CVE worthy.
>>>
>