
Re: Re: Reporting 1.2K crashes

> Sent: Thursday, 27 June 2013 at 14:21
> From: "Paul Tagliamonte" <paultag@debian.org>
> To: "Alexandre Rebert" <alexandre.rebert@gmail.com>
> Cc: debian-devel@lists.debian.org
> Subject: Re: Reporting 1.2K crashes
> On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
> > I am a security researcher at Carnegie Mellon University, and my team
> > has found thousands of crashes in binaries downloaded from debian
> > wheeze packages. After contacting owner@bugs.debian.org, Don Armstrong
>   ^^^^^^ wheezy :)
> > advised us to contact you before submitting ~1.2K bug reports to the
> > Debian BTS using maintonly@bugs.debian.org (to avoid spamming
> > debian-bugs-dist).
> > 
> > We found the bugs using Mayhem [1], an automatic bug finding system
> > that we've been developing in David Brumley's research lab for a
> > couple of years. We recently ran Mayhem on almost all ELF binaries of
> > Debian Wheezy (~23K binaries) [2], and it reported thousands of
> > crashes.
> One such crash was reported on a small fluxbox tool to be manually run,
> which used $HOME blindly. When it ran, it segfaulted, which is a bug,
> yes.
> However, it's not security, and to see the bug tagged 'security' was
> troubling - what oversight do you have to prevent the security team from
> getting flooded with such bug reports (this bug is not a security risk)?

I wish the respective reports had been sent to the upstream developers,
not to Debian. We could have been a second resort when upstream does not
react to the reports (not unlikely, admittedly). Now, the Debian maintainer
sees the findings two weeks before the bug is made public. I do not feel this
to be right.
