Utkarsh Gupta <utka...@debian.org> writes:

> That said, it'd be a bit weird if they don't report these issues and ask
> for a CVE assignment against these. Anyway, the security team might
> know more about this.

It appears to be the output of automated fuzz testing, which based on past experience means that a large percentage of the crashes are probably not exploitable. The raw data is not hugely useful in aggregate unless you enjoy fixing edge-case buffer management bugs that no one is likely to care about (such as in options parsing code). It can be made useful by tracking down where the crash happens and then figuring out if that's part of an attack surface, but that's quite a bit of work which they're clearly not volunteering to do.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>