Date: Wed, 9 Aug 2017 07:49:25 +0000
From: ne xo <>
To: "" <>
Subject: RE: Cve issue discussion

Most bugs in ASan do not cause a crash in non-ASan environments.

You should check with the valgrind tool.
From: Glenn Randers-Pehrson <>
Sent: Tuesday, August 8, 2017 4:32:13 AM
To:
Subject: Re: [oss-security] Cve issue discussion

It doesn't occur on my own Ubuntu platform without ASAN.  But anyone
running with a malloc that initializes the memory (trusted systems, etc.)
would be affected.

On Mon, Aug 7, 2017 at 1:22 PM, Jesse Hertz <> wrote:
> fwiw, double check and make sure the issue occurs in libpng without ASAN. Sometimes ASAN can cause "heisenbugs" which only happen if ASAN is used.
>> On Aug 7, 2017, at 9:57 AM, Glenn Randers-Pehrson <> wrote:
>> OK I'll request a CVE for this libpng issue.
>> Glenn
>> On Mon, Aug 7, 2017 at 9:05 AM, John Haxby <> wrote:
>>> On 07/08/17 13:47, Glenn Randers-Pehrson wrote:
>>>> It's not causing a crash, just a delay.  You'll safely get either an OOM
>>>> message or an EOF message and no memory leak.
>>> That's scant comfort when your browser is the one hit by the OOM killer
>>> and then again when you restart it.  And also while you're wondering
>>> what's going on because your laptop is basically completely
>>> non-responsive ...
>>> So yes, it's a remote DoS and definitely worth a CVE.  We have had other
>>> similar CVEs in the past with image handling libraries not being
>>> sufficiently paranoid.
>>> jch
>>>> Glenn
>>>> On Mon, Aug 7, 2017 at 8:37 AM, Marcus Meissner <> wrote:
>>>>> Hi,
>>>>> if it could crash the image reader I would consider it "remote denial of service"
>>>>> classed and CVE worthy.
