Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

OS-level color management systems are certainly a possible attack surface, but this has already been probed and cleaned up over the last decade or so from fuzzing image decoders. The ICC profiles used in CSS Color 4 are the same as those embedded in raster images or PDFs.

See for example https://www.real-sec.com/2020/09/fuzzing-image-parsing-in-windows-part-one-color-profiles/

-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-700675258 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 29 September 2020 12:40:35 UTC