> Sent: Thursday, 27 June 2013 at 14:21
> From: "Paul Tagliamonte" <paul...@debian.org>
> To: "Alexandre Rebert" <alexandre.reb...@gmail.com>
> Cc: debian-devel@lists.debian.org
> Subject: Re: Reporting 1.2K crashes
>
> On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
> > I am a security researcher at Carnegie Mellon University, and my team
> > has found thousands of crashes in binaries downloaded from debian
> > wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
>   ^^^^^^ wheezy :)
>
> > advised us to contact you before submitting ~1.2K bug reports to the
> > Debian BTS using mainto...@bugs.debian.org (to avoid spamming
> > debian-bugs-dist).
> >
> > We found the bugs using Mayhem [1], an automatic bug finding system
> > that we've been developing in David Brumley's research lab for a
> > couple of years. We recently ran Mayhem on almost all ELF binaries of
> > Debian Wheezy (~23K binaries) [2], and it reported thousands of
> > crashes.
>
> One such crash was reported on a small fluxbox tool to be manually run,
> which used $HOME blindly. When it ran, it segfaulted, which is a bug,
> yes.
>
> However, it's not security, and to see the bug tagged 'security' was
> troubling - what oversight do you have to prevent the security team to
> get flooded with such bug reports (this bug is not a security risk.)
>
I wish the respective report had been sent to the upstream developers, not to Debian. We could have been a second resort when upstream does not react to the reports (not unlikely, admittedly). Now, the Debian maintainer sees the findings two weeks before the bug is made public. I do not feel this to be right.

Steffen

Archive: http://lists.debian.org/trinity-a27b0448-d731-4ad0-8976-c99bcb8f4add-1372338916014@3capp-gmx-bs49
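The failure Paul describes above (a tool that "used $HOME blindly" and segfaulted) as an added example in C. This is not code from fluxbox, from Debian, or from anyone in this thread; the config file name `.fluxbox/apps`, the function names and the sample home directory are assumptions made for illustration.

```c
/* Added example, not code from fluxbox or from the thread: the defect
 * behind "used $HOME blindly", next to a hardened version.
 * File name and function names are hypothetical. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONFIG_SUFFIX "/.fluxbox/apps"   /* hypothetical config path */

/* Naive version: trusts the HOME value it is handed. When HOME is unset,
 * getenv("HOME") returns NULL and strlen(NULL) segfaults. That is a crash,
 * but only someone who already controls this process's environment can
 * trigger it, so for a non-setuid tool run by hand it crosses no privilege
 * boundary. */
int config_path_naive(const char *home, char *out, size_t n)
{
    if (strlen(home) + sizeof(CONFIG_SUFFIX) > n)   /* NULL home crashes here */
        return -1;
    strcpy(out, home);
    strcat(out, CONFIG_SUFFIX);
    return 0;
}

/* Hardened version: tolerate a missing or empty HOME by falling back to
 * the passwd database, and refuse to truncate the path. Returns 0 on
 * success, -1 if no home directory can be determined or it does not fit. */
int config_path_safe(const char *home, char *out, size_t n)
{
    if (home == NULL || home[0] == '\0') {
        struct passwd *pw = getpwuid(getuid());
        if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] == '\0')
            return -1;
        home = pw->pw_dir;
    }
    int len = snprintf(out, n, "%s%s", home, CONFIG_SUFFIX);
    if (len < 0 || (size_t)len >= n)   /* snprintf reports the needed length */
        return -1;
    return 0;
}

/* Test helper: run one of the builders with a buffer of size n (capped at
 * 256) and report 1 if it succeeded and produced exactly `expect`. */
int path_matches(int (*fn)(const char *, char *, size_t),
                 const char *home, size_t n, const char *expect)
{
    char buf[256];
    if (n > sizeof buf)
        n = sizeof buf;
    if (fn(home, buf, n) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[256];
    unsetenv("HOME");   /* reproduce the environment that crashed the tool */
    if (config_path_safe(getenv("HOME"), buf, sizeof buf) == 0)
        printf("config: %s\n", buf);
    else
        fprintf(stderr, "cannot determine home directory\n");
    return 0;
}
```

Run with `env -u HOME ./a.out` to see the hardened path taken; the naive builder would dereference NULL at the same point. The distinction Paul draws is visible here: the input that triggers the crash (an absent HOME variable) is supplied by whoever starts the process, which is why a fuzzer-found segfault in a manually run, unprivileged tool is a bug to fix but not, on its own, a security issue.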