Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 18 Nov 2014 15:50:11 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: RE: [security-vendor] Re: Fuzzing
 findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP,
 gdk-pixbuf, file, ndisasm, less

On Wed, Nov 19, 2014 at 12:21:29AM +0100, Hanno Böck wrote:
> It'd already be a good start to do this for format-parsing tools. So
> stuff that runs on files. Everything else is more complicated, fuzzing
> file formats is the easiest.

You'd be surprised how infrequently file formats come up.. :)

> > Getting AFL to work with every package suggested for Ubuntu main is
> > probably too much work.
> 
> You may overestimate the complexity of afl. Once you get used to it it
> basically takes minutes to start a fuzzing job.
> And Michal is very open to suggestions to improve it (and it is
> improving on a daily basis right now).

Oh, AFL itself looks pretty blindingly easy to use: CC=... CXX=...  and go
with it. It's our packaging and building infrastracture that I think would
make it more complicated: they're designed to make repeatable builds
easy, not necessarily to allow arbitrary changes to the compiler. And,
AFL only works for C/C++.

> A bit sad is that afl+asan is somewhat tricky business, because that'd
> be the ultimate combo.

That does sound nice, not every Bad Thing is necessarily visible to the
fuzzer, but asan is more likely to recognize Bad Things.

> I agree that it's not the best proxy for code quality. But for me what
> is a good proxy for *project* quality is how they handle the bugs that
> result from fuzzing.
> While libbfd was in a terrible state, Nick did a marvellous job in
> fixing everythin we reported in a timely manner.
> Whilst for others you simply don't get a reply (or there is noone to
> report to).
> 
> That's the difference between a healthy and an unhealthy project.

Oh my yes; having a contact readily visible, having someone respond
quickly, both are very strong indicators of quality.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.