Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 31 Dec 2015 16:35:49 -0500
From: Glenn Randers-Pehrson <>
	Brian Carpenter <>
Subject: Re: CVE request: pngcrush-1.3.35 through 1.7.88 segfault when run
 with "-loco" option

On Thu, Dec 31, 2015 at 3:33 PM, <> wrote:

> Our understanding is that pngcrush is a command-line program, and that
> the bug is largely equivalent to a scenario in which the "-loco"
> functionality had not been implemented.

There are web services that compress PNG files, using pngcrush
as their compression engine.  I haven't found any that allow users
to specify the "-loco" option, though.

> We probably would need a threat model in which the victim cannot
> recover from the attack by simply avoiding all subsequent use of the
> "-loco" option, e.g., a segfault that realistically could lead to code
> execution.

OK, I'm withdrawing the request for a CVE number.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.