Date: Wed, 9 Aug 2017 07:49:25 +0000
From: ne xo <nexo123@...look.kr>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: RE: Cve issue discussion

Most bugs in ASan do not cause a crash in non-ASan environments.

You should check with the valgrind tool.
________________________________
From: Glenn Randers-Pehrson <glennrp@...il.com>
Sent: Tuesday, August 8, 2017 4:32:13 AM
To: oss-security@...ts.openwall.com
Subject: Re: [oss-security] Cve issue discussion

It doesn't occur on my own Ubuntu platform without ASAN.  But anyone
running with a malloc that initializes the memory (trusted systems, etc)
would be affected.

On Mon, Aug 7, 2017 at 1:22 PM, Jesse Hertz <jesse_hertz@...le.com> wrote:
> fwiw, double check and make sure the issue occurs in libpng without ASAN. Sometimes ASAN can cause "heisenbugs" which only happen if ASAN is used.
>
>> On Aug 7, 2017, at 9:57 AM, Glenn Randers-Pehrson <glennrp@...il.com> wrote:
>>
>> OK I'll request a CVE for this libpng issue.
>>
>> Glenn
>>
>> On Mon, Aug 7, 2017 at 9:05 AM, John Haxby <john.haxby@...cle.com> wrote:
>>> On 07/08/17 13:47, Glenn Randers-Pehrson wrote:
>>>> It's not causing a crash, just a delay.  You'll safely get either an OOM
>>>> message or an EOF message.and no memory leak.
>>>>
>>>
>>> That's scant comfort when your browser is the one hit by the OOM killer
>>> and then again when you restart it.  And also while you're wondering
>>> what's going on because your laptop is basically completely
>>> non-responsive ...
>>>
>>> So yes, it's a remote DoS and definitely worth a CVE.  We have had other
>>> similar CVEs in the past with image handling libraries not being
>>> sufficiently paranoid.
>>>
>>> jch
>>>
>>>> Glenn
>>>>
>>>> On Mon, Aug 7, 2017 at 8:37 AM, Marcus Meissner <meissner@...e.de> wrote:
>>>>> Hi,
>>>>>
>>>>> if it could crash the image reader I would consider it "remote denial of service"
>>>>> classed and CVE worthy.
>>>
>
