Date: Mon, 17 Nov 2014 19:06:01 +0100 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less * Hanno Böck <hanno@...eck.de>, 2014-11-17, 17:21: >>>I wasn't able to fuzz a crash out of 7z, arj, msgunfmt (gettext), >> >>https://bugs.debian.org/763820 >>https://bugs.debian.org/769901 >> >>I don't remember the exact details, but I'm pretty sure it took at >>most a few hours of afl-fuzzing to find these crashers. > >I'd consider "few hours of afl-fuzzing" not to be low hanging fruit, >but opinions may differ on that (I'm currently only focusing on >software where I get the crashers within minutes). Fair enough. >But appart from that: The first bug is marked as fixed but no >indication is given whether the fix went upstream. It's fixed upstream: http://git.savannah.gnu.org/cgit/gettext.git/commit/?id=28a02a6f4f41 (But for avoidance of doubt, this is NOT a vulnerability, just poor error handling.) -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.