W3C home > Mailing lists > Public > public-css-archive@w3.org > September 2020

Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

From: Chris Lilley via GitHub <sysbot+gh@w3.org>
Date: Tue, 29 Sep 2020 12:40:33 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-700675258-1601383232-sysbot+gh@w3.org>
OS-level color management systems are certainly a possible attack surface, but this has already been probed and cleaned up over the last decade or so from fuzzing image decoders. The ICC profiles used in CSS Color 4 as the same as those embedded in raster images or PDFs.

See for example https://www.real-sec.com/2020/09/fuzzing-image-parsing-in-windows-part-one-color-profiles/

GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-700675258 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 29 September 2020 12:40:35 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:17 UTC