Victor Stinner | 4 Jul 2007 16:21

Re: Environment variable fuzzing

Hi,

On Wednesday 04 July 2007 14:52:17 Steve Kemp wrote:
> On Wed Jul 04, 2007 at 13:57:53 +0200, Victor Stinner wrote:
> > (This email first destination was skx#debian.org but he doesn't answer,
> > so I retry on this mailing list)
>
> I get behind on mail very very easily.  I get too much.

I guessed that, yeah.

> > So you should try it ;-)
> >   http://fusil.hachoir.org/trac
>
>   Definitely something that looks nice, and the bugs you've found
>  should be reported to the debian bts.

When I find a bug with my fuzzer, I identify the bug with gdb or another tool.
Sometimes I write a patch. Then I post a bug report. But it's not enough! Some
developers « don't care » about security (e.g. ImageMagick and gettext). I
don't know what to do if they don't care. Fork the software? Do full
disclosure?

Some bugs are minor ("just a crash") but others are more important (denial of
service). Since ImageMagick is used on a lot of websites, a denial of service
will impact web servers. And I can say that the last version of ImageMagick has
such bugs!

> > Another funny bug ? COLUMNS=10000000 dpkg-query -l ? segfault (with
> > UTF-8 locale) because of a bug in libc :-) (bug fixed in libc upstream)
>
>   I can't reproduce that one.

See Debian bug entry:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421555

=> Debian libc package version 2.5-6 has a patch
« patches/any/cvs-vfprintf-stack-smashing.diff » fixing « my » bug.

Victor
