oss-sec mailing list archives
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 18 Nov 2014 11:19:56 +0100
On Mon, 17 Nov 2014 22:39:29 -0500, Robert Watson <robertcwatson1 () gmail com> wrote:

> What about using fuzzing to find those tools withOUT vulnerabilities and
> "certifying them" in some way as safe for all inputs?

I had something like this already in mind. I thought about some "mapping" of open source tools parsing file formats. They would roughly fall into four categories:

1. ok
extensive fuzzing has been done and all known memory corruption issues are fixed (this would probably apply to well-proven libs like zlib, libpng etc.)

2. work in progress
fuzzing has revealed issues but the devs are actively working on fixing them in a timely manner (binutils/libbfd would fall into this category)

3. unfixed
Known memory corruption issues exist and there is no upstream developer available fixing them (abandoned software) or the upstream developer is not willing to fix issues / thinks the tool is not suitable for untrusted input.

4. unknown
No extensive fuzzing done.

I will probably come up with some project like this.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42