Date: Mon, 17 Nov 2014 17:21:07 +0100
From: Hanno Böck <hanno@...eck.de>
To: Jakub Wilk <jwilk@...lk.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

On Mon, 17 Nov 2014 14:52:22 +0100, Jakub Wilk <jwilk@...lk.net> wrote:

> * Hanno Böck <hanno@...eck.de>, 2014-11-17, 13:33:
> >I wasn't able to fuzz a crash out of 7z, arj, msgunfmt (gettext),
>
> https://bugs.debian.org/763820
> https://bugs.debian.org/769901
>
> I don't remember the exact details, but I'm pretty sure it took at
> most a few hours of afl-fuzzing to find these crashers.

I'd consider "few hours of afl-fuzzing" not to be low hanging fruit,
but opinions may differ on that (I'm currently only focusing on
software where I get the crashers within minutes).

But apart from that: The first bug is marked as fixed but no
indication is given whether the fix went upstream. Did you do that or
should it be reported to gettext?

(Actually that's also a thing I see far too often - bugs get
reported somehow in public, but the reports don't arrive at the
appropriate upstreams)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42