Hello Mike,
At first, I would thank you very much for all the effort you have put in making
lcms more secure. I appreciate.
I will contact you by a separate email from my google account.
If anybody else in the list are interested in this stuff, please let me know.
Please note this is related to security and therefore I will not publicly list
the vulnerabilities found. On depending on the severity, I can do a maintenance
release to deal with that.
Best regards
Marti Maria
The LittleCMS project
http://www.littlecms.com
From: Mike Aizatsky [mailto:aizat...@google.com]
Sent: Friday, December 2, 2016 7:58 PM
To: lcms-user@lists.sourceforge.net
Subject: [Lcms-user] Reporting potential security vulnerabilities in lcms
Hi!
Our OSS-Fuzz fuzzing effort
(https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html)
has located several potential issues in lcms library (crash, heap use after
free, heap buffer overflow) using the fuzz targets we developed
(https://github.com/google/oss-fuzz/tree/master/projects/lcms)
These crashes are now filed in a security-protected monorail tracker
(https://bugs.chromium.org/p/oss-fuzz/issues/list) and we'd like to find lcms
developers to take a look at them.
We will CC developers on these issues to give them access to stack traces and
reproducer data. For that we'd need an e-mail with associated gmail account.
We will also set up the process to auto-CC these e-mails when we find more
issues.
--
Mike
Sent from phone
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Lcms-user mailing list
Lcms-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lcms-user
