Erik Auerswald <auers...@unix-ag.uni-kl.de> writes:

> Hi,
>
> On 04.09.22 17:34, Erik Auerswald wrote:
>> On 03.09.22 19:07, Erik Auerswald wrote:
>>> On Sat, Sep 03, 2022 at 05:39:45PM +0200, Simon Josefsson wrote:
>>>> [...]
>>>> did you notice some fuzzing report that wasn't fixed?
>>> [...]
>>> * Problems found in tftp (the code did not change since the report):
>>>
>>>   * Untrusted Pointer Dereference in getcmd() at
>>>     inetutils/src/tftp.c:878
>>>     https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00018.html
>> That seems to be a missing bounds check in makeargv(), similar
>> to the old, now fixed, code in telnet.
>> I'll look into creating a nice reproducer instead of the one
>> found by the fuzzer, adding a test case, and fixing the bug.
>
> That is harder than expected… Is there a reason *not* to use
> the crash input found by the fuzzer in a test for GNU Inetutils?
More testing would be great! Integrating oss-fuzz would be too...

Re BSD tools: perhaps one way to proceed here is to start to sync code so we at least have similar code bases to look at? Maybe we can find some code that is sufficiently similar so that we can simply set up scripts to keep the code in sync for the future, and hopefully make the set of code that is kept in sync automatically larger and larger.

The CVE-2019-0053 bug we discovered now was fixed in FreeBSD back in 2005... I'm sure there are plenty more discoveries like this waiting for us. Having more code in sync helps with this.

/Simon
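The bug class Erik describes above (a makeargv()-style tokenizer that fills a fixed-size argv[] without checking how many slots it has, so a getcmd()-style dispatcher ends up handling pointers it never validly stored) is illustrated below. This is an added example and not code from GNU Inetutils' tftp.c; the tokenizer, MAXARGS, the command table and the dispatch() wrapper are all assumptions made for the illustration, and the sample command lines are constructed. The unchecked variant is shown only to make the missing check visible; the checked variant caps the number of stored tokens and reports truncation so the caller can reject the line instead of silently using a partial command.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the example: the fixed size of the argv[] array,
 * including the slot reserved for the terminating NULL. */
#define MAXARGS 4

/* Unchecked tokenizer (the pattern to avoid).  Every token found in
 * `line` is stored in argv[], however many there are; the sixth token
 * of a line parsed into a four-element array is written out of bounds.
 * Only ever call this with input known to fit, which is exactly what
 * an interactive client reading untrusted lines cannot guarantee. */
static int makeargv_unchecked(char *line, char *argv[])
{
    int argc = 0;
    char *p = line;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;   /* skip separators */
        if (*p == '\0') break;
        argv[argc++] = p;                      /* no check against the array size */
        while (*p && *p != ' ' && *p != '\t') p++;
        if (*p) *p++ = '\0';
    }
    argv[argc] = NULL;                         /* also unchecked */
    return argc;
}

/* Checked tokenizer: stores at most maxargs - 1 tokens (one slot is
 * kept for the NULL terminator) and sets *truncated when the input had
 * more.  Returns the number of tokens actually stored. */
static int makeargv_checked(char *line, char *argv[], size_t maxargs, int *truncated)
{
    size_t argc = 0;
    char *p = line;
    *truncated = 0;
    if (maxargs == 0) return 0;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0') break;
        if (argc + 1 >= maxargs) { *truncated = 1; break; }
        argv[argc++] = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        if (*p) *p++ = '\0';
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Minimal getcmd()-style lookup over an assumed command table. */
struct cmd { const char *name; int min_args; };
static const struct cmd cmdtab[] = {
    { "connect", 1 }, { "get", 1 }, { "put", 1 }, { "quit", 0 },
};

/* Parses one untrusted command line with the checked tokenizer and
 * looks up argv[0].  Returns the index into cmdtab; -1 for an unknown
 * command, -2 if the line was empty, too long or truncated, -3 if the
 * command got fewer arguments than it requires. */
static int dispatch(const char *input)
{
    char line[128];
    char *argv[MAXARGS];
    int truncated;
    int argc;
    size_t i;

    if (strlen(input) >= sizeof line) return -2;
    strcpy(line, input);
    argc = makeargv_checked(line, argv, MAXARGS, &truncated);
    if (truncated || argc == 0) return -2;
    for (i = 0; i < sizeof cmdtab / sizeof cmdtab[0]; i++)
        if (strcmp(argv[0], cmdtab[i].name) == 0)
            return argc - 1 >= cmdtab[i].min_args ? (int)i : -3;
    return -1;
}

int main(void)
{
    /* Constructed sample lines: the last one has more tokens than
     * argv[] can hold and is rejected instead of overflowing. */
    const char *samples[] = { "get file.txt", "quit", "get", "frobnicate x", "a b c d e f" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], dispatch(samples[i]));
    return 0;
}
```

The difference between the two tokenizers is a single comparison, which is why the bug is easy to miss in review and easy for a fuzzer to find: a command line with more whitespace-separated fields than the array has slots is all it takes.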