Re: [openssl-dev] Testing CVE-2016-6309
On 14/04/17 21:11, Lysoněk Milan wrote: > > On 06/04/17 00:25 Matt Caswell wrote: >> Can you reproduce it using the fuzz corpora added in commit 44f206aa9df, >> or by running the large message test introduced in 84d5549e69? >> >> Matt >> > > Commit 44f206aa9df - All tests from this commit give me: > > OSError: [Errno 8] Exec format error > > And I dont know, if its because my OS (Ubuntu 16.04 64bit) or I'm doing > something wrong (I followed instructions from > https://github.com/openssl/openssl/blob/master/fuzz/README.md ) > > > Commit 84d5549e69 - It looks like this test reproduce it (I tried run > tests with "./config","make" and then "make test") > > # Failed test 'running sslapitest' > # at ../test/recipes/90-test_sslapi.t line 21. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_sslapi.t ... Dubious, test returned > 1 (wstat 256, 0x100) > Failed 1/1 subtests > > It fails in 1.1.0a, but at 1.1.0b too, which is weird (also tried it at > 1.1.0e and here it was ok). Well that doesn't sound right because that commit is already in 1.1.0b. In the 1.1.0 tree it appears as commit df7681e46 (which is just a cherry-pick of 84d5549e69). So you shouldn't need to do anything special to test this in 1.1.0b - just checkout that version, compile and run the tests. sslapitest should pass if all is well (it does for me and I don't believe we had any other reports of problems). Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Testing CVE-2016-6309
On 06/04/17 00:25 Matt Caswell wrote: Can you reproduce it using the fuzz corpora added in commit 44f206aa9df, or by running the large message test introduced in 84d5549e69? Matt Commit 44f206aa9df - All tests from this commit give me: OSError: [Errno 8] Exec format error And I dont know, if its because my OS (Ubuntu 16.04 64bit) or I'm doing something wrong (I followed instructions from https://github.com/openssl/openssl/blob/master/fuzz/README.md ) Commit 84d5549e69 - It looks like this test reproduce it (I tried run tests with "./config","make" and then "make test") # Failed test 'running sslapitest' # at ../test/recipes/90-test_sslapi.t line 21. # Looks like you failed 1 test of 1. ../test/recipes/90-test_sslapi.t ... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests It fails in 1.1.0a, but at 1.1.0b too, which is weird (also tried it at 1.1.0e and here it was ok). I'm not sure if I have done everything correctly in running these tests. I'm a newbie, so I apologize if I made any mistake. Milan. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Testing CVE-2016-6309
On 05/04/17 19:24, Lysoněk Milan wrote: > Hello, > I'd like to make test for CVE-2016-6309 > https://www.openssl.org/news/secadv/20160926.txt in tlsfuzzer. I tried > combining and sending different lengths (from small lengths to large) of > application data and padding, but I could not trigger this issue on > mentioned OpenSSL 1.1.0a. > > Is there any way, how can I test it and if yes, then how? Can you reproduce it using the fuzz corpora added in commit 44f206aa9df, or by running the large message test introduced in 84d5549e69? Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] Testing CVE-2016-6309
Hello, I'd like to make test for CVE-2016-6309 https://www.openssl.org/news/secadv/20160926.txt in tlsfuzzer. I tried combining and sending different lengths (from small lengths to large) of application data and padding, but I could not trigger this issue on mentioned OpenSSL 1.1.0a. Is there any way, how can I test it and if yes, then how? Thanks, Milan. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
