Re: Reporting 1.2K crashes
]] Alexandre Rebert
(Cc-ing you as I don't know if you're subscribed. Apologies for the
extra copy if you are.)
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting firstname.lastname@example.org, Don Armstrong
> advised us to contact you before submitting ~1.2K bug reports to the
> Debian BTS using email@example.com (to avoid spamming
Thanks for getting in touch before filing a zillion bugs. :-) Also,
thanks for helping make Debian better.
> Our goal here is to make our bug reports as complete and accurate as
> possible. To minimize duplicates, we are reporting only one crash per
> binary, and at most 5 crashes per package. This amounts to ~1.2K
> crashes. Moreover, to ensure accuracy, we confirmed all the crashes by
> re-running them in a fresh unstable installation. Finally, we also
> filter out assertion failures for now, as they seemed less important.
> In short, every report is reproducible and actionable.
The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually
needed? I'd prefer something that doesn't need something like that,
since being able to crash apps if you load a broken library isn't very
> You can download the list of affected packages, with their maintainers
> , generated with dd-list, as well as a sample bug report for
> gcov-4.6 . The bug report contains:
> 1) the bug report that will be mailed to firstname.lastname@example.org
> 2) a testcase reproducing the crash in ./crash/
> 3) information about the crash in ./crash_info/: a core dump (core),
> the output of the crash (crash_output.txt), the dmesg of the crash
> (dmesg.txt), as well as the exit status (exit_status.txt).
Since you're already running this under gdb, would you mind attaching a
full backtrace with debug symbols installed too?
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are