
Re: Reporting 1.2K crashes

On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting owner@bugs.debian.org, Don Armstrong
  ^^^^^^ wheezy :)

> advised us to contact you before submitting ~1.2K bug reports to the
> Debian BTS using maintonly@bugs.debian.org (to avoid spamming
> debian-bugs-dist).
> We found the bugs using Mayhem [1], an automatic bug finding system
> that we've been developing in David Brumley's research lab for a
> couple of years. We recently ran Mayhem on almost all ELF binaries of
> Debian Wheezy (~23K binaries) [2], and it reported thousands of
> crashes.

One such crash was reported on a small fluxbox tool to be manually run,
which used $HOME blindly. When it ran, it segfaulted, which is a bug.

However, it's not security, and to see the bug tagged 'security' was
troubling - what oversight do you have to prevent the security team from
getting flooded with such bug reports? (This bug is not a security risk.)


 .''`.  Paul Tagliamonte <paultag@debian.org>
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag
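The crash class described in the reply above (a tool that reads $HOME and uses the result without checking it) comes down to getenv() returning NULL when the variable is unset and the program then handing that NULL to strlen() or a printf-style call. The following is an added example and not code from fluxbox, from Debian, or from either mail; the file name `.fluxbox/init`, the function names and the 4096-byte buffer are assumptions for illustration. It shows the defensive form: refuse an unset or empty HOME, fall back to the passwd database, and treat a truncated path as an error instead of using it.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Builds "<home>/.fluxbox/init" (hypothetical file name) into out.
 * Returns 0 on success, -1 if home is NULL/empty or the path would be
 * truncated. Passing a NULL home here is the exact input the unchecked
 * variant (strlen(getenv("HOME"))) would crash on. */
int build_config_path(const char *home, char *out, size_t outlen)
{
    const char *suffix = "/.fluxbox/init";

    if (home == NULL || home[0] == '\0')
        return -1;                          /* unset or empty HOME: refuse, don't crash */

    int n = snprintf(out, outlen, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                          /* truncated: a partial path is not usable */
    return 0;
}

/* Resolves the home directory: $HOME if usable, otherwise the passwd entry
 * for the current uid. Returns NULL only if both sources fail. */
const char *home_dir(void)
{
    const char *home = getenv("HOME");
    if (home != NULL && home[0] != '\0')
        return home;

    struct passwd *pw = getpwuid(getuid());
    return (pw != NULL && pw->pw_dir != NULL) ? pw->pw_dir : NULL;
}

int main(void)
{
    char path[4096];                        /* assumed upper bound for the path */
    const char *home = home_dir();

    if (home == NULL || build_config_path(home, path, sizeof path) != 0) {
        fprintf(stderr, "cannot determine home directory\n");
        return 1;                           /* clean failure instead of a segfault */
    }
    printf("config: %s\n", path);
    return 0;
}
```

Running it with `env -u HOME ./a.out` exercises the fallback path that the unchecked version would crash on. Note that the fix does not change the triage point made above: the environment of a tool the local user runs by hand is under that user's own control, so a NULL-pointer read here is a reliability bug to fix, not by itself a security boundary being crossed.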
