Hi Bobb,

Oh, that's interesting. I wonder if we should stop packaging these tools, or ask Debian's maintainer to stop packaging them then. Packaged programs have a way of getting used, perhaps beyond the original author's intentions.

I've found fuzzing results to be best accepted by upstreams when run against a recent checkout of their development branch; it's normally best to report issues to upstreams first, since they are in the best position to prepare fixes and determine if older versions may also be affected. If you can test the crashers against released versions, that's often also helpful to report.

When reporting fuzzing-discovered issues, it's important to include the generated test cases. In this specific case, your analysis was very helpful; I'm sure other upstreams would appreciate this kind of effort in reports. It's all too easy to just dump a few hundred crashing files on someone. (I've done this. Several times. It hasn't been received well.)

Thanks

** Information type changed from Private Security to Public Security

--
https://bugs.launchpad.net/bugs/1653729

Title:
  Heap based OOB READ in hbpldecode.c

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
