Paul Wise p...@debian.org writes:
Do you know how to run that in an automated way? I would like to add
it here and to my pbuilder hook:
http://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
Run the normal build system commands under scan-build. In other:
scan-build
* Paul Wise p...@debian.org [2013-07-04 13:20:38 +0800]:
On Thu, Jul 4, 2013 at 12:48 PM, Kurt Roeckx wrote:
I guess you could ask, but I have a feeling they would prefer to
work with the upstream projects.
I've sent an email to scan-ad...@coverity.com.
clang also has an option to
On Thu, Jul 04, 2013 at 06:48:47AM +0200, Kurt Roeckx wrote:
clang also has an option to do that now I think, did someone try
to run that on the archive?
Yep, Sylvestre is working on it together with Leo Cavaille as a GSoC
2013 project
On 04/07/2013 08:55, Russ Allbery wrote:
Paul Wise p...@debian.org writes:
Do you know how to run that in an automated way? I would like to add
it here and to my pbuilder hook:
http://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
Run the normal build system commands
On Thu, Jul 4, 2013 at 2:55 PM, Russ Allbery wrote:
Run the normal build system commands under scan-build. In other:
scan-build ./configure ...
scan-build make
Hmm, it doesn't seem to work when upstream just uses CC=gcc in the
Makefile. For example mancala.
I haven't tried to see
On Tue, Jun 25, 2013 at 1:28 PM, Alexandre Rebert wrote:
We found the bugs using Mayhem [1], an automatic bug finding system
that we've been developing in David Brumley's research lab for a
couple of years. We recently ran Mayhem on almost all ELF binaries of
Debian Wheezy (~23K binaries)
BTW, your crash.sh scripts have a bug. When passing data on stdin to
the program but running the program under gdb, you have to use the
-tty argument to gdb instead of passing the data to stdin of gdb.
--
bye,
pabs
http://wiki.debian.org/PaulWise
--
To UNSUBSCRIBE, email to
On Thu, Jul 04, 2013 at 11:36:25AM +0800, Paul Wise wrote:
On Tue, Jun 25, 2013 at 1:28 PM, Alexandre Rebert wrote:
We found the bugs using Mayhem [1], an automatic bug finding system
that we've been developing in David Brumley's research lab for a
couple of years. We recently ran Mayhem
On Thu, Jul 4, 2013 at 12:28 PM, Kurt Roeckx wrote:
I think any open source project can ask that
Indeed, however, for a project like Debian it would probably require
some changes in their service or at least an ack for the large amount
of computing resources that scanning our archive would use.
On Thu, Jul 04, 2013 at 12:39:05PM +0800, Paul Wise wrote:
On Thu, Jul 4, 2013 at 12:28 PM, Kurt Roeckx wrote:
I think any open source project can ask that
Indeed, however, for a project like Debian it would probably require
some changes in their service or at least an ack for the large
On Thu, Jul 4, 2013 at 12:48 PM, Kurt Roeckx wrote:
I guess you could ask, but I have a feeling they would prefer to
work with the upstream projects.
I've sent an email to scan-ad...@coverity.com.
clang also has an option to do that now I think, did someone try
to run that on the archive?
while the coverage is still tiny, there is an effort to collect contact
addresses listed in the debian/upstream file in the VCS where our source
packages are maintained.
http://upstream-metadata.debian.net/table/contact
In some cases, it is a valid email address. Perhaps you can give
Le Sun, Jun 30, 2013 at 05:06:59AM +, Bart Martens a écrit :
On Sun, Jun 30, 2013 at 08:24:30AM +0900, Charles Plessy wrote:
How about simply replacing should name the original authors by should
provide contact information for license questions ?
That would give the wrong impression
On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
Please let us know if the reports are good enough to proceed with the
filing, or if any additional information should be included in the
report.
Heya, I haven't yet seen this mentioned yet, so here it goes: if/when
you go ahead
On Fri, Jun 28, 2013 at 08:06:54PM -0700, Russ Allbery wrote:
It is, however, closely related to all of those things and you end up
usually satisfying all of those requirements at the same time for quite a
few packages, as has been discussed many times in the past. People seem
I see some
Clint Adams cl...@debian.org writes:
On Fri, Jun 28, 2013 at 08:06:54PM -0700, Russ Allbery wrote:
It is, however, closely related to all of those things and you end up
usually satisfying all of those requirements at the same time for quite
a few packages, as has been discussed many times in
Clint Adams cl...@debian.org writes:
I see some value in distinguishing between upstream contact points for
problems with the software (bugs and such) and upstream contact points
for licensing issues (such as restoration of rights after a GPL-2
violation). debian/copyright seems like
On Friday 28 June 2013 20:12:50 Russ Allbery wrote:
Lisandro Damián Nicanor Pérez Meyer perezme...@gmail.com writes:
And DEP5 is fine as long as you don't hit a source wich makes it grow
above 12k+ lines. Then it becames a real PITA.
This usually means you're doing it wrong. Comprehensive
Lisandro Damián Nicanor Pérez Meyer perezme...@gmail.com writes:
I agree. And yes, Maybe I could have make it less verbose by compressing
the set of files thathave stuff in common.
But that would have taken me at least one more day of work. Thanks, but
no thanks.
Yeah, I definitely
On Sun, Jun 30, 2013 at 08:24:30AM +0900, Charles Plessy wrote:
How about simply replacing should name the original authors by should
provide contact information for license questions ?
That would give the wrong impression that whatever that contact answers to
license questions applies.
2013/6/28 Charles Plessy ple...@debian.org:
Le Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert a écrit :
I wished the respective report would have been sent to the upstream
developers,
not to Debian. We could have been a second resort when upstream does not
react to the reports
On Fri, Jun 28, 2013 at 11:38:21AM +0200, Mathieu Parent wrote:
Dep12 [1] doesn't have a Security-Contact field. Should we add one?
(and maybe a Security-Submit?)
+1
BTW, -1 for duplicating information as Upstream-Contact in d/upstream as
long as it resides in d/copyright. I'm fine if this
Quoting Lisandro Damián Nicanor Pérez Meyer (2013-06-27 19:42:16)
On Thursday 27 June 2013 11:19:40 Alexandre Rebert wrote:
I do not think that you should try to implement this immediately
but from a Debian Maintainers point of view we now could present a
case where it makes perfectly
Quoting Charles Plessy (2013-06-28 00:07:55)
Le Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert a écrit :
I wished the respective report would have been sent to the
upstream developers, not to Debian. We could have been a second
resort when upstream does not react to the
On Fri, Jun 28, 2013 at 01:28:59PM +0200, Jonas Smedegaard wrote:
But even if adopted and up to date, it doesn't means that's the
correct way of dealing with upstream. Many addresses will be of former
developers, and in most situations it will not be the best way to
contact upstream.
Alexandre Rebert alexandre.reb...@gmail.com schrieb:
Hi,
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
advised us to contact you
Le Fri, Jun 28, 2013 at 11:38:21AM +0200, Mathieu Parent a écrit :
Dep12 [1] doesn't have a Security-Contact field. Should we add one?
(and maybe a Security-Submit?)
Hi Mathieu,
the contents of the debian/upstream files is open-ended. You can start anytime
to document and promote the use of
On Fri, Jun 28, 2013 at 5:47 PM, Andreas Tille wrote:
BTW, -1 for duplicating information as Upstream-Contact in d/upstream as
long as it resides in d/copyright. I'm fine if this field is moved from
d/copyright to d/upstream but I'm against having the same value in two
different files.
I
Paul Wise p...@debian.org writes:
On Fri, Jun 28, 2013 at 5:47 PM, Andreas Tille wrote:
BTW, -1 for duplicating information as Upstream-Contact in d/upstream
as long as it resides in d/copyright. I'm fine if this field is moved
from d/copyright to d/upstream but I'm against having the same
On Fri, Jun 28, 2013 at 07:35:51PM -0700, Russ Allbery wrote:
Upstream-Contact was put into DEP-5 because it was already required
contents in debian/copyright according to Policy, which says:
Every package must be accompanied by a verbatim copy of its copyright
information and
Le Fri, Jun 28, 2013 at 07:35:51PM -0700, Russ Allbery a écrit :
Every package must be accompanied by a verbatim copy of its copyright
information and distribution license in the file
/usr/share/doc/package/copyright. This file must neither be compressed
nor be a symbolic
On Friday 28 June 2013 13:28:59 Jonas Smedegaard wrote:
Quoting Lisandro Damián Nicanor Pérez Meyer (2013-06-27 19:42:16)
On Thursday 27 June 2013 11:19:40 Alexandre Rebert wrote:
I do not think that you should try to implement this immediately
but from a Debian Maintainers point of
On Friday 28 June 2013 13:28:59 Jonas Smedegaard wrote:
Quoting Lisandro Damián Nicanor Pérez Meyer (2013-06-27 19:42:16)
[snip]
So if adopted and up-to-date, it will be the correct (and will also be
up-to-date - that's obviously implied from it being, ahem, up-to-date).
On a second thought,
Clint Adams cl...@debian.org writes:
On Fri, Jun 28, 2013 at 07:35:51PM -0700, Russ Allbery wrote:
Upstream-Contact was put into DEP-5 because it was already required
contents in debian/copyright according to Policy, which says:
Every package must be accompanied by a verbatim copy of its
Lisandro Damián Nicanor Pérez Meyer perezme...@gmail.com writes:
And DEP5 is fine as long as you don't hit a source wich makes it grow
above 12k+ lines. Then it becames a real PITA.
This usually means you're doing it wrong. Comprehensive copyright-format
1.0 files for some of my packages with
BTW, the mails you have been sending with links to the crashes have
been going to publicly archived lists, not sure if you meant for that
to happen though?
--
bye,
pabs
http://wiki.debian.org/PaulWise
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of
On Wed, Jun 26, 2013 at 5:37 AM, Alexandre Rebert
alexandre.reb...@gmail.com wrote:
Hi,
I understand. But two weeks might be a bit too short for the majority
of those crashes. Many upstream authors don't get paid for working on
their software.
I first want to clarify the purpose of the
On 25-06-13 07:28, Alexandre Rebert wrote:
Hi,
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages.
Out of interest, can you elaborate on the methodology you used in trying
to find these
Hi,
On 27/06/13 at 12:34 +0200, Wouter Verhelst wrote:
On 25-06-13 07:28, Alexandre Rebert wrote:
Hi,
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages.
Out of interest, can you
On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
^^ wheezy :)
BTW folks there is another tool (bfbtester) already in Debian that
does some testing of binaries for issues like crashes with long
argument strings or environment variables and also insecure tmpfile
usage. I'm running it on package uploads along with some other tools.
Gesendet: Donnerstag, 27. Juni 2013 um 14:21 Uhr
Von: Paul Tagliamonte paul...@debian.org
An: Alexandre Rebert alexandre.reb...@gmail.com
Cc: debian-devel@lists.debian.org
Betreff: Re: Reporting 1.2K crashes
On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
I am
Hi,
On Thu, Jun 27, 2013 at 03:15:17PM +0200, Steffen Möller wrote:
I wished the respective report would have been sent to the upstream
developers,
not to Debian. We could have been a second resort when upstream does not
react to the reports (not unlikely, admittedly). Now, the Debian
On Thu, Jun 27, 2013 at 3:30 AM, Paul Wise p...@debian.org wrote:
BTW, the mails you have been sending with links to the crashes have
been going to publicly archived lists, not sure if you meant for that
to happen though?
I realize only now that many emails (about 20% in our case), that are
One such crash was reported on a small fluxbox tool to be manually run,
which used $HOME blindly. When it ran, it segfaulted, which is a bug,
yes.
However, it's not security, and to see the bug tagged 'security' was
troubling - what oversight do you have to prevent the security team to
get
Hi
I wished the respective report would have been sent to the upstream
developers,
not to Debian. We could have been a second resort when upstream does not
react to the reports (not unlikely, admittedly). Now, the Debian maintainer
sees the findings two weeks before the bug is made public.
On Thu, Jun 27, 2013 at 5:11 AM, Aron Xu happyaron...@gmail.com wrote:
I wonder whether you have checked where the crash is caused, you have
sent several mails to me for every binary in your test run, but in
dmesg.txt you provided all of them are from the very same library.
This will cause
Hi Alexandre,
On Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert wrote:
I agree with you that it would have been best to contact upstream
developers instead of package maintainers. I couldn't find a tool
listing upstream developers for a given package however, and that's
why we
On Thu, Jun 27, 2013 at 9:25 AM, Andreas Tille andr...@an3as.eu wrote:
The Debian Med team was flooded by about 50 mails which is hard to cope
in two weeks.
You shouldn't have received that many emails. If we decide to report
more bugs in the future (depending on the reactions from the
I do not think that you should try to implement this immediately but
from a Debian Maintainers point of view we now could present a case
where it makes perfectly sense to use DEP5 formated copyright files and
if we try to do this more strictly future tests could profit from it.
For our
On Thursday 27 June 2013 11:19:40 Alexandre Rebert wrote:
I do not think that you should try to implement this immediately but
from a Debian Maintainers point of view we now could present a case
where it makes perfectly sense to use DEP5 formated copyright files and
if we try to do this
BTW, the mails you have been sending with links to the crashes have
been going to publicly archived lists, not sure if you meant for that
to happen though?
I don't think the Mayhem team is at all to blame for that: we seemingly simply
don't have the necessary information in place.
For mass
Le Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert a écrit :
I wished the respective report would have been sent to the upstream
developers,
not to Debian. We could have been a second resort when upstream does not
react to the reports (not unlikely, admittedly). Now, the Debian
]] Alexandre Rebert
Hi,
(Cc-ing you as I don't know if you're subscribed. Apologies for the
extra copy if you are.)
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting
Hi Alexandre,
Many thanks for this effort, this sounds really interesting.
[...]
You can download the list of affected packages, with their maintainers
[3], generated with dd-list, as well as a sample bug report for
gcov-4.6 [4]. The bug report contains:
1) the bug report that will be
On Tue, Jun 25, 2013 at 1:28 PM, Alexandre Rebert wrote:
We found the bugs using Mayhem [1], an automatic bug finding system
that we've been developing in David Brumley's research lab for a
couple of years. We recently ran Mayhem on almost all ELF binaries of
Debian Wheezy (~23K binaries)
Alexandre Rebert alexandre.reb...@gmail.com writes:
wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
advised us to contact you before submitting ~1.2K bug reports to the
Debian BTS using mainto...@bugs.debian.org (to avoid spamming
debian-bugs-dist).
Interesting
Hi,
Thanks for all the feedback and comments. I tried to address all them below.
The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually
needed? I'd prefer something that doesn't need something like that,
since being able to crash apps if you load a broken library isn't very
Hi Alexandre,
(Just replying regarding the point I had raised.)
[...]
Can one also access, even before you go and file bugs, information for other
packages? I cannot actually find any reports for the package listed in the
dd-list under my name in your Packages, Runs, nor Programs pages.
On Tue, Jun 25, 2013 at 10:54 PM, Alexandre Rebert wrote:
The reports are not public yet. Since you are a developer included in
dd-list, we will send you an email containing the crash information
for the programs you are developing. You will receive the email 1 week
before the crash is
On Tue, 25 Jun 2013 01:28:10 -0400, Alexandre Rebert
alexandre.reb...@gmail.com wrote:
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
On Tuesday 25 June 2013 10:54:21 Alexandre Rebert wrote:
Hi,
[snip]
Would it be possible to initially publish all the bug reports on your
web site under some random URL and then mail that to the maintainer
with a clearly indicated date when they will be made public?
Good point. I will
Hi
Le mardi, 25 juin 2013 07.28:10, Alexandre Rebert a écrit :
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting ow...@bugs.debian.org, Don
Armstrong advised us to contact
Without diminishing the value of bugreports against our stable release,
I would be more interested in such reports against the software material
for our future stable; aka software from unstable; did you have such
plans in mind?
That's a good point that has been raised by other people as
Hi,
On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber
mh+debian-de...@zugschlus.de wrote:
Will you also check Debian unstable? It is much easier to have a
package in unstable fixed, and I suspect that not every crash you find
will be a security relevant one.
We actually already did :) We re-ran
Hi,
On Tue, Jun 25, 2013 at 2:03 PM, Dmitrijs Ledkovs
dmitrij.led...@ubuntu.com wrote:
From Ubuntu point of view, we'd also be interested in a similar
analysis. Unlike Debian we provide automatically generated packages
with debug symbols.
Similar to debian, we would most interested for
Marc Haber mh+debian-de...@zugschlus.de writes:
Will you also check Debian unstable? It is much easier to have a package
in unstable fixed, and I suspect that not every crash you find will be a
security relevant one.
I suspect most of them won't be, actually, or at least will be difficult
to
On 25 June 2013 19:21, Alexandre Rebert alexandre.reb...@gmail.com wrote:
Hi,
On Tue, Jun 25, 2013 at 2:03 PM, Dmitrijs Ledkovs
dmitrij.led...@ubuntu.com wrote:
From Ubuntu point of view, we'd also be interested in a similar
analysis. Unlike Debian we provide automatically generated packages
Hello,
Is it possible to use/download Mayhem from somewhere?
On Tue, Jun 25, 2013 at 7:28 AM, Alexandre Rebert
alexandre.reb...@gmail.com wrote:
We found the bugs using Mayhem [1], an automatic bug finding system
that we've been developing in David Brumley's research lab for a
couple of
]] Alexandre Rebert
Hi,
Thanks for all the feedback and comments. I tried to address all them below.
The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually
needed? I'd prefer something that doesn't need something like that,
since being able to crash apps if you load a
On Tue, 25 Jun 2013 14:06:42 -0400, Alexandre Rebert
alexandre.reb...@gmail.com wrote:
On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber
mh+debian-de...@zugschlus.de wrote:
Additionally, I guess that the vast majority of crahes you have found
will be upstream bugs which the Debian maintainer would
On Tue, 25 Jun 2013 11:46:04 -0700, Russ Allbery r...@debian.org
wrote:
Marc Haber mh+debian-de...@zugschlus.de writes:
Will you also check Debian unstable? It is much easier to have a package
in unstable fixed, and I suspect that not every crash you find will be a
security relevant one.
I
Hi,
I understand. But two weeks might be a bit too short for the majority
of those crashes. Many upstream authors don't get paid for working on
their software.
I first want to clarify the purpose of the two-week delay to make sure
we are on the same page.We do not expect upstream developers
Hi,
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
advised us to contact you before submitting ~1.2K bug reports to the
Debian BTS using
74 matches
Mail list logo
