Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141117172107.5fab0d21@pc>
Date: Mon, 17 Nov 2014 17:21:07 +0100
From: Hanno Böck <hanno@...eck.de>
To: Jakub Wilk <jwilk@...lk.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: Fuzzing findings (and maybe CVE requests) -
 Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

Am Mon, 17 Nov 2014 14:52:22 +0100
schrieb Jakub Wilk <jwilk@...lk.net>:

> * Hanno Böck <hanno@...eck.de>, 2014-11-17, 13:33:
> >I wasn't able to fuzz a crash out of 7z, arj, msgunfmt (gettext),
> 
> https://bugs.debian.org/763820
> https://bugs.debian.org/769901
> 
> I don't remember the exact details, but I'm pretty sure it took at
> most a few hours of afl-fuzzing to find these crashers.

I'd consider "few hours of afl-fuzzing" not to be low hanging fruit,
but opinions may differ on that (I'm currently only focusing on
software where I get the crashers within minutes).

But appart from that: The first bug is marked as fixed but no
indication is given whether the fix went upstream. Did you do that or
should it be reported to gettext?

(Actually that's also a thing I also see far too often - bugs get
reported somehow in public, but the reports don't arrive at the
appropriate upstreams)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.