On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
  ^^^^^^ wheezy :)
> advised us to contact you before submitting ~1.2K bug reports to the
> Debian BTS using mainto...@bugs.debian.org (to avoid spamming
> debian-bugs-dist).
>
> We found the bugs using Mayhem [1], an automatic bug finding system
> that we've been developing in David Brumley's research lab for a
> couple of years. We recently ran Mayhem on almost all ELF binaries of
> Debian Wheezy (~23K binaries) [2], and it reported thousands of
> crashes.

One such crash was reported on a small fluxbox tool to be manually run,
which used $HOME blindly. When it ran, it segfaulted, which is a bug, yes.

However, it's not security, and to see the bug tagged 'security' was
troubling - what oversight do you have to prevent the security team from
getting flooded with such bug reports? (This bug is not a security risk.)

Thanks!
  Paul

-- 
 .''`.  Paul Tagliamonte <paul...@debian.org>
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag