"G. Branden Robinson" <[email protected]> writes:

> Hi folks,
>
> Bruno Haible found a SEGV in the formatter by putting the GNU
> distribution archive "sed-4.8.tar.xz" on the input.
>
> See <https://savannah.gnu.org/bugs/?67978>.
>
> I _was_ going to bust the C/C++ code freeze for this and whatever yarn
> unravelled from it...I've already started to find some, as seen in
> comment #4 to the foregoing ticket.
>
> However, Bruno argues against that.
>
>> I wouldn't delay the 1.24.0 release for this, because
>> 
>>     It's an absurd, unrealistic input.
>>
>>     Complete handling of such inputs would take several weeks. When I
>>     did input fuzzing on the 'xgettext' program, it took me two weeks
>>     to fix the various findings. And for groff, Ingo Schwarze
>>     estimates it to be "at least a month of full-time work", see
>>     https://lists.nongnu.org/archive/html/groff/2019-12/msg00078.html
>>
>>     You have 15 pages of NEWS accumulated for this release. Get the
>>     new features out to the users!

I haven't looked at the bug, but speaking generally I would try to fix
it.

I have noticed an annoying trend of people assigning CVEs to null
pointer dereferences, etc. which only occur on fuzzed input in programs
that do not produce executables or run with elevated permissions. You
can probably find plenty of examples in GNU Binutils despite
binutils/SECURITY.txt mentioning these aren't security risks.

But it is a "denial of service" to not be able to run 'readelf' on a
bogus file.

Collin

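The class of bug the thread is arguing about (a crash on malformed input in a file-inspection tool) is usually a missing range check before a field read from the file is trusted. The block below is an added illustration for this thread, not code from groff, binutils or readelf: a hypothetical `elf64_check` that validates the section header table location in an ELF64 little-endian header against the bytes actually present, so that a truncated file, a text file, or an `e_shoff` that would wrap past the end of memory returns an error code instead of dereferencing out of range. `make_ehdr` and `check_sample` build constructed inputs in memory (not real files); the field offsets are the ELF64 ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed ELF64 sizes (ELF64_Ehdr and ELF64_Shdr are both 64 bytes). */
#define ELF64_EHDR_SIZE 64
#define ELF64_SHDR_SIZE 64

enum elf_check {
    ELF_OK = 0,
    ELF_ERR_TRUNCATED,  /* fewer bytes than a full ELF64 header */
    ELF_ERR_MAGIC,      /* not \x7fELF, not ELFCLASS64, or not little-endian */
    ELF_ERR_RANGE       /* section header table lies outside the buffer */
};

/* Little-endian field readers; callers guarantee the bytes exist. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint64_t rd64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Check that the section header table named by the header fits inside the
 * `len` bytes we hold. No field is used before its own bytes are known to
 * be present, and the offset arithmetic is written so it cannot wrap. */
enum elf_check elf64_check(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < ELF64_EHDR_SIZE)
        return ELF_ERR_TRUNCATED;
    /* e_ident: magic, EI_CLASS == ELFCLASS64 (2), EI_DATA == ELFDATA2LSB (1).
     * Big-endian files are out of scope here and are rejected as well. */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return ELF_ERR_MAGIC;

    uint64_t shoff     = rd64(buf + 0x28);  /* e_shoff     */
    uint16_t shentsize = rd16(buf + 0x3a);  /* e_shentsize */
    uint16_t shnum     = rd16(buf + 0x3c);  /* e_shnum     */

    if (shnum == 0)
        return ELF_OK;  /* no section table, nothing further to range-check */
    if (shentsize < ELF64_SHDR_SIZE)
        return ELF_ERR_RANGE;
    /* At most 65535 * 65535, so this product cannot overflow 64 bits. */
    uint64_t table_bytes = (uint64_t)shentsize * shnum;
    /* Subtract rather than add: shoff + table_bytes could wrap to a small
     * value and pass a naive "< len" test. */
    if (shoff > len || table_bytes > len - shoff)
        return ELF_ERR_RANGE;
    return ELF_OK;
}

/* Write a constructed ELF64 little-endian header into `out` (64 bytes),
 * with the given section-table fields and everything else zero. */
void make_ehdr(unsigned char *out, uint64_t shoff, uint16_t shentsize, uint16_t shnum)
{
    memset(out, 0, ELF64_EHDR_SIZE);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;  /* ELFCLASS64    */
    out[5] = 1;  /* ELFDATA2LSB   */
    out[6] = 1;  /* EV_CURRENT    */
    for (int i = 0; i < 8; i++)
        out[0x28 + i] = (unsigned char)(shoff >> (8 * i));
    out[0x3a] = (unsigned char)shentsize;
    out[0x3b] = (unsigned char)(shentsize >> 8);
    out[0x3c] = (unsigned char)shnum;
    out[0x3d] = (unsigned char)(shnum >> 8);
}

/* Constructed sample inputs (not real files) exercising each outcome. */
enum elf_check check_sample(int which)
{
    unsigned char buf[ELF64_EHDR_SIZE + ELF64_SHDR_SIZE];
    memset(buf, 0, sizeof buf);
    switch (which) {
    case 0: /* header followed by exactly one 64-byte section header */
        make_ehdr(buf, ELF64_EHDR_SIZE, ELF64_SHDR_SIZE, 1);
        return elf64_check(buf, sizeof buf);
    case 1: /* same header, but the "file" is cut off after 10 bytes */
        make_ehdr(buf, ELF64_EHDR_SIZE, ELF64_SHDR_SIZE, 1);
        return elf64_check(buf, 10);
    case 2: /* 64 bytes of text: long enough, but not an ELF file */
        memset(buf, 'A', ELF64_EHDR_SIZE);
        return elf64_check(buf, ELF64_EHDR_SIZE);
    case 3: /* e_shoff near UINT64_MAX: shoff + size would wrap around */
        make_ehdr(buf, UINT64_MAX - 8, ELF64_SHDR_SIZE, 1);
        return elf64_check(buf, sizeof buf);
    case 4: /* e_shnum claims two headers, only one is present */
        make_ehdr(buf, ELF64_EHDR_SIZE, ELF64_SHDR_SIZE, 2);
        return elf64_check(buf, sizeof buf);
    default:
        return ELF_ERR_MAGIC;
    }
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad magic", "out of range" };
    for (int i = 0; i < 5; i++)
        printf("sample %d: %s\n", i, names[check_sample(i)]);
    return 0;
}
```

The point for the release question above is the shape of the fix rather than the example's specifics: every crash of this kind is closed by one check of "does the bytes this field points at exist" before the dereference, and the wrap-around case (sample 3) is the one a quick `shoff + size < len` patch gets wrong.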