Date: Tue, 18 Nov 2014 11:19:56 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Fuzzing findings (and maybe CVE requests) -
 Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

On Mon, 17 Nov 2014 22:39:29 -0500,
Robert Watson <robertcwatson1@...il.com> wrote:

> What about using fuzzing to find those tools withOUT vulnerabilities
> and "certifying them" in some way as safe for all inputs?

I already had something like this in mind.
I thought about some "mapping" of open source tools parsing file formats.

They would roughly fall into four categories:
1. ok
extensive fuzzing has been done and all known memory corruption issues
are fixed (this would probably apply to well-proven libs like zlib,
libpng etc.)
2. work in progress
fuzzing has revealed issues but the devs are actively working on fixing
them in a timely manner (binutils/libbfd would fall into this category)
3. unfixed
Known memory corruption issues exist and there is no upstream developer
available fixing them (abandoned software) or the upstream developer is
not willing to fix issues / thinks the tool is not suitable for
untrusted input.
4. unknown
No extensive fuzzing done.

I will probably come up with some project like this.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
