On Mon, Mar 16, 2020 at 4:21 PM Morgon Kanter <[email protected]> wrote:
> Our fuzzer for guacenc has uncovered a number of integer overflows, stack > overflows, and direct memory leaks -- usually centered around Cairo. How > would you like us to report them? I can provide backtraces of the stack and > minimal test cases that should reproduce the issues. > > Thanks, > -- Morgon > If the findings represent security issues (doubtful for something like guacenc, but something to think about nonetheless), then please report them to the security list: http://guacamole.apache.org/faq/#security Otherwise, here is fine. Are the issues in the actual guacenc implementation, or in the upstream cairo libraries? If the issues are in the upstream cairo libraries then reporting them here won't really do any good - they'll need to be reported upstream. Once we determine that there actually is a bug in the Guacamole code you can open a JIRA issue for the bug(s) and then we (you, us, whoever) can work on resolving them with changes to the code. -Nick
