Re: Cve issue discussion

[Jesse Hertz <jesse_hertz () apple com>]

fwiw, double check and make sure the issue occurs in libpng without ASAN. Sometimes ASAN can cause "heisenbugs" which 
only happen if ASAN is used.

> On Aug 7, 2017, at 9:57 AM, Glenn Randers-Pehrson <glennrp () gmail com> wrote:
>
> OK I'll request a CVE for this libpng issue.
>
> Glenn
>
> On Mon, Aug 7, 2017 at 9:05 AM, John Haxby <john.haxby () oracle com> wrote:
> > On 07/08/17 13:47, Glenn Randers-Pehrson wrote:
> > > It's not causing a crash, just a delay.  You'll safely get either an OOM
> > > message or an EOF message.and no memory leak.
> >
> > That's scant comfort when your browser is the one hit by the OOM killer
> > and then again when you restart it.  And also while you're wondering
> > what's going on because your laptop is basically completely
> > non-responsive ...
> >
> > So yes, it's a remote DoS and definitely worth a CVE.  We have had other
> > similar CVEs in the past with image handling libraries not being
> > sufficiently paranoid.
> >
> > jch
> >
> > > Glenn
> > >
> > > On Mon, Aug 7, 2017 at 8:37 AM, Marcus Meissner <meissner () suse de> wrote:
> > > > Hi,
> > > >
> > > > if it could crash the image reader I would consider it "remote denial of service"
> > > > classed and CVE worthy.

Attachment: signature.asc
Description: Message signed with OpenPGP