Date: Thu, 31 Dec 2015 13:42:46 -0500 From: Glenn Randers-Pehrson <glennrp@...il.com> To: cve-assign@...re.org, oss-security@...ts.openwall.com Cc: Brian Carpenter <brian.carpenter@...il.com> Subject: CVE request: pngcrush-1.3.35 through 1.7.88 segfault when run with "-loco" option I am requsting a CVE for the following vulnerability in pngcrush. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pngcrush versions 1.7.35 through 1.7.88 will segfault when run with the "-loco" option and multiple trials. This is due to attempting to write to a file that has not yet been opened. The vulnerability can be exploited trivially to create a Denial of Service. Remote exploit is possible if the application accepts remote input and accepts the "-loco" option. No specially crafted PNG file is needed; any valid PNG file can be used in an attack. The bug was discovered by Brian Carpenter using AFL, and is fixed in pngcrush-1.7.91, which was released on December 31, 2015. Glenn Randers-Pehrson pngcrush author and maintainer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWhXTvAAoJEPVJhL+hbGQP6vkP/1fqKQBMXffpVZEJ1DzmTeo5 +F0mLYhRax0xKvvOBFw3jvmCF7Wr7FATXEjUiHc3u9FNeIQwmLosBvCajnWYhExC jjiweKt7ZBg/7NPFLEcKFtVASjQCkSMFTsWO6jWi1PIxJYztp/BGT1FB/H3ecrUZ IHwReuFu3qnjB9hbUy9pbrJmeVSyQY1DWnFwLFJ8PaMrHpvJfXiraPHNaR4WDDDp PgmxVF8GrpINh8oBZP1gLlBiSsiAUvt6C4Bpr/LaMrP/6nnPBW0y3bptGorxa5gY 4Z2k/P+12lU15oV//RG1gYGAE5R7I2fteOLA0ES1Xsvw6re8tJ0oEl9SWmhCBBAj n2C3sCLhK619/KHWx6tety9N5ZCBHdrk6hwYzLVFVLOLmHPyrhhJCI+HJeKde4nw BhruvP+iuhxqjCDoHPoxLnK5FMdYxrGn2vB2lq6AGjFuKtd7Nb2hTsYZu7bnGWYQ dpNiVruRkdABLm621twGdU3GN45DwgfTy8kucypPmkxhmUgz2z30EExNcS1r0ph2 ywmCUz11jYH4oJIrZE3LNSPzuT3zymBmwENbY5GYbAnAYnjbVyy/HcIrp9+eALxZ EkO4hGAFidhijHn8NnMpQI9EIoNMPhiJN9fYKfO56GNFysKEFBeOwzOLIuAYQQb+ v0R8JFw32Xm4ULrDjXk3 =Lm3P -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.