Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAFdMc-1FwzW+qar=rkCctgo-jdv4StD3izqBFWt8-CJFDxG1Yg@mail.gmail.com>
Date: Fri, 14 Feb 2025 07:58:01 -0300
From: Daniel Gutson <danielgutson@...il.com>
To: Nick Wellnhofer <wellnhofer@...um.de>
Cc: musl@...ts.openwall.com, oss-security@...ts.openwall.com
Subject: Re: [musl] CVE-2025-26519: musl libc: input-controlled out-of-bounds
 write primitive in iconv()

El vie, 14 feb 2025, 07:14, Nick Wellnhofer <wellnhofer@...um.de> escribió:

> On Feb 13, 2025, at 23:28, Daniel Gutson <danielgutson@...il.com> wrote:
> >
> > Curious: is there any info about how this was discovered?
>
> The bug was discovered with basic fuzz testing. As libxml2 maintainer, I
> found more and more issues in various iconv implementations by accident
> which is a strong indicator that all this code isn't tested enough. The
> iconv API is also trivial to fuzz, so it seemed like a nice weekend project.
>

Thanks, AFL?

My work is related to static checkers and linters (we will contribute an
important patch to weggli soon), so I was wondering if you used something
that used symbolic execution.

Nice job!


> Nick
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.