oss-sec mailing list archives

Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less


From: Raphael Geissert <geissert () debian org>
Date: Mon, 17 Nov 2014 13:48:39 +0100

On 17 November 2014 13:33, Hanno Böck <hanno () hboeck de> wrote:
> [...]
> What should we do with that?
> a) is it an inappropriate use of less to view untrusted files and we
> should teach users so? (I seriously never would've thought of that - and
> which average "just learned how to use the shell" user would've?)
> b) tell Linux distros that lesspipe is insecure and shouldn't be
> enabled?
> c) fuzz all the tools in there and report at least the
> low-hanging-fruit-bugs? (and then maybe try to replace the
> "they-don't-fix-bugs-or-don't-have-a-dev-any-more"-tools with more
> secure ones)

d) acknowledge the fact that most tools were not "designed for
security" and that we should talk about mitigation. It's about risk
analysis.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

