On Sun, 1 Nov 2020 at 15:22, Xavier <y...@debian.org> wrote:
>
> Hi,
>
> Ubuntu is based on testing and does not import our fixes after its release 
> (except a few list), then it's normal to find a lot of vulnerabilities. See 
> https://lemonldap-ng.org/documentation for example
>
>
> On 1 November 2020 at 14:59:32 GMT+01:00, Utkarsh Gupta <utka...@debian.org> 
> wrote:
>>
>> [CCing team@security.d.o]
>>
>> On Sun, Nov 1, 2020 at 7:09 PM Ole Streicher <oleb...@debian.org> wrote:
>>>
>>> I just stumbled upon the following web page:
>>> https://cyber-itl.org/2020/10/28/citl-7000-defects.html
>>> They claim to have found ~7000 defects in Ubuntu packages (a number of
>>> those are maintained by me).
>>
>>
>> On a *very* quick look, some of these packages have CVE(s) issued
>> against them and are already fixed as well, I think.
>>
>> That said, it'd be a bit weird if they don't report these issues and
>> ask for a CVE assignment against these.
>> Anyway, the security team might know more about this.

-----
While CITL doesn’t particularly want to see software remain vulnerable
or flawed, it is not CITL’s mission to improve the software itself.
CITL’s mission is to create scientific, quantifiable, and reproducible
ways to measure software binaries to understand how fragile or robust
they may be. The work CITL performs is ultimately to allow consumers
(for a wide definition of consumers) to evaluate the software they use
or intend to use. All of this work is designed to happen
behind the scenes, as CITL was never designed for high-touch
interfacing.
-----

Is it just me, or does that paragraph sound very fishy?
In addition to that, some of the crashes they list terminate with
SIGABRT, which makes me think it's highly unlikely that there is any
security vulnerability involved. Even the segmentation faults may not
be security issues. Regardless, it would have been nice if they had
reported the issues they found while fuzzing binaries.

Cheers,
    Matthias

-- 
I welcome VSRE emails. See http://vsre.info/