oss-sec mailing list archives

Re: CVE request: pngcrush-1.3.35 through 1.7.88 segfault when run with "-loco" option


From: cve-assign () mitre org
Date: Thu, 31 Dec 2015 15:33:11 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Can you explain how a privilege boundary is crossed?

Our understanding is that pngcrush is a command-line program, and that
the bug is largely equivalent to a scenario in which the "-loco"
functionality had not been implemented.

We probably would need a threat model in which the victim cannot
recover from the attack by simply avoiding all subsequent use of the
"-loco" option, e.g., a segfault that realistically could lead to code
execution.

We also can't, for example, assign a CVE ID for a threat model in
which an attacker constructs a huge PNG file in the hope that a victim
may decide to try "pngcrush -loco" on it, and the segfault may cause
the creation of a core file that consumes the victim's available disk
space.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
