Date: Thu, 31 Dec 2015 15:33:11 -0500 (EST)
From: cve-assign@...re.org
To: glennrp@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, brian.carpenter@...il.com
Subject: Re: CVE request: pngcrush-1.3.35 through 1.7.88 segfault when run with "-loco" option

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Can you explain how a privilege boundary is crossed?

Our understanding is that pngcrush is a command-line program, and that
the bug is largely equivalent to a scenario in which the "-loco"
functionality had not been implemented.

We probably would need a threat model in which the victim cannot
recover from the attack by simply avoiding all subsequent use of the
"-loco" option, e.g., a segfault that realistically could lead to code
execution.

We also can't, for example, assign a CVE ID for a threat model in
which an attacker constructs a huge PNG file in the hope that a victim
may decide to try "pngcrush -loco" on it, and the segfault may cause
the creation of a core file that consumes the victim's available disk
space.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
