Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 17 Nov 2014 19:06:01 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Fuzzing findings (and maybe CVE requests) -
 Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

* Hanno Böck <hanno@...eck.de>, 2014-11-17, 17:21:
>>>I wasn't able to fuzz a crash out of 7z, arj, msgunfmt (gettext),
>>
>>https://bugs.debian.org/763820
>>https://bugs.debian.org/769901
>>
>>I don't remember the exact details, but I'm pretty sure it took at 
>>most a few hours of afl-fuzzing to find these crashers.
>
>I'd consider "few hours of afl-fuzzing" not to be low hanging fruit, 
>but opinions may differ on that (I'm currently only focusing on 
>software where I get the crashers within minutes).

Fair enough.

>But appart from that: The first bug is marked as fixed but no 
>indication is given whether the fix went upstream.

It's fixed upstream:
http://git.savannah.gnu.org/cgit/gettext.git/commit/?id=28a02a6f4f41
(But for avoidance of doubt, this is NOT a vulnerability, just poor 
error handling.)

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.