A crash potentially leading to code execution was reported [1] and fixed [2] in pngcrush version 1.7.84.

Upstream commit that fixes this:
http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/

[1]: http://seclists.org/oss-sec/2015/q1/709
[2]: http://sourceforge.net/p/pmt/news/2015/02/pngcrush-1784-released/
Created pngcrush tracking bugs for this issue:

Affects: fedora-all [bug 1198174]
Affects: epel-all [bug 1198175]
This is an off-by-one error in the "pngcrush_measure_idat()" function in pngcrush.c, introduced by commit http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ in version 1.7.83.

The code in pngcrush line 7405:

    if (length < 28)
        for (ib=27; ib >= length; ib--)
            buff[ib] = 0;

If length is 0, the last iteration will set "ib" to -1, thus buff[ib] = 0; will write outside of the "buff" buffer.

I doubt that this can be exploited for anything else than an application crash.

Statement:

This issue did not affect the versions of pngcrush as shipped with Red Hat Enterprise Linux 7.
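An added example (not pngcrush's own code) that isolates the padding loop described above: the first function replays the reported loop against a recorder instead of real memory, so it shows the index the loop would reach without crashing; the second is a hardened form that keeps the bound in a signed type. Assumed, since the comment does not state them: buff[] is 28 bytes, "ib" is an int and "length" is an unsigned 32-bit chunk length (png_uint_32).

```c
#include <stdint.h>
#include <string.h>

#define BUFF_SIZE 28   /* assumed size of buff[] in the reported loop */

/* Reported loop, replayed without touching memory. Returns the lowest index
 * that would be written, or -1 if the loop would leave the buffer.
 * The comparison "ib >= length" promotes ib to unsigned (made explicit here
 * with a cast): once ib reaches -1 the test is 0xFFFFFFFF >= length, which
 * is true, so the real loop writes buff[-1] and keeps going until it faults. */
static int lowest_index_vulnerable(uint32_t length)
{
    int ib;
    int lowest = BUFF_SIZE;           /* "nothing written" marker */
    if (length < BUFF_SIZE) {
        for (ib = BUFF_SIZE - 1; (uint32_t)ib >= length; ib--) {
            if (ib < 0)
                return -1;            /* the real code would do buff[ib] = 0 here */
            lowest = ib;
        }
    }
    return lowest;
}

/* Hardened form: compare against a signed bound so the loop stops at index 0.
 * The cast is safe because length < BUFF_SIZE is checked first.
 * Zeroes buff[length .. BUFF_SIZE-1] and returns the number of bytes cleared. */
static int zero_tail_fixed(unsigned char *buff, uint32_t length)
{
    int ib;
    int cleared = 0;
    if (length >= BUFF_SIZE)
        return 0;                     /* nothing to pad */
    for (ib = BUFF_SIZE - 1; ib >= (int)length; ib--) {
        buff[ib] = 0;
        cleared++;
    }
    return cleared;
}
```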