[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reporting 1.2K crashes

]] Alexandre Rebert 


(Cc-ing you as I don't know if you're subscribed.  Apologies for the
extra copy if you are.)

> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting owner@bugs.debian.org, Don Armstrong
> advised us to contact you before submitting ~1.2K bug reports to the
> Debian BTS using maintonly@bugs.debian.org (to avoid spamming
> debian-bugs-dist).

Thanks for getting in touch before filing a zillion bugs. :-)  Also,
thanks for helping make Debian better.

> Our goal here is to make our bug reports as complete and accurate as
> possible. To minimize duplicates, we are reporting only one crash per
> binary, and at most 5 crashes per package. This amounts to ~1.2K
> crashes. Moreover, to ensure accuracy, we confirmed all the crashes by
> re-running them in a fresh unstable installation. Finally, we also
> filter out assertion failures for now, as they seemed less important.
> In short, every report is reproducible and actionable.

The crash.sh script seems to set LD_LIBRARY_PATH.  Is that actually
needed?  I'd prefer something that doesn't need something like that,
since being able to crash apps if you load a broken library isn't very

> You can download the list of affected packages, with their maintainers
> [3], generated with dd-list, as well as a sample bug report for
> gcov-4.6 [4]. The bug report contains:
>   1) the bug report that will be mailed to maintonly@bugs.debian.org
> (report.txt)
>   2) a testcase reproducing the crash in ./crash/
>   3) information about the crash in ./crash_info/: a core dump (core),
> the output of the crash (crash_output.txt), the dmesg of the crash
> (dmesg.txt), as well as the exit status (exit_status.txt).

Since you're already running this under gdb, would you mind attaching a
full backtrace with debug symbols installed too?

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to: