Re: CITL Releasing 7000 defects/vulnerabilities



Utkarsh Gupta <utkarsh@debian.org> writes:

> That said, it'd be a bit weird if they don't report these issues and ask
> for a CVE assignment against these.  Anyway, the security team might
> know more about this.

It appears to be the output of automated fuzz testing, which based on past
experience means that a large percentage of the crashes are probably not
exploitable.

The raw data is not hugely useful in aggregate unless you enjoy fixing
edge-case buffer management bugs that no one is likely to care about (such
as in options parsing code).  It can be made useful by tracking down where
the crash happens and then figuring out if that's part of an attack
surface, but that's quite a bit of work which they're clearly not
volunteering to do.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

