
Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs



On Tue Jan 18, 2011 at 22:25:20 +1100, Silvio Cesare wrote:

>    This kind of testing is good for Debian security and provides some comfort
>    to me at least knowing this class of vulnerability has been tested for
>    against the privileged programs in the Debian repository.

  Agreed.

  I started doing the same thing a few years ago, and it was very
  useful.

  However, to make your reports more thorough it is important to look
  at the source of the code to see if the crash is an exploitable one
  or not.  Ideally you'd include that information in any bug
  reports you submitted.

Steve
-- 
http://www.steve.org.uk/

