How long does it take to fix a crash-bug?

Friday, January 11. 2008, 05:56
About one year ago, Sam Hocevar posted some results of tests with his fuzzing tool zzuf, which showed a large number of crashes in various applications, especially multimedia apps.
Crash bugs on invalid input very often lead to security issues, so they should be taken seriously.

Now, I took the liberty of looking at how many of the issues found back then have been fixed. I used the most current versions in Gentoo Linux (testing/~x86-system), which tend to be quite up-to-date. I also cross-checked the crash files against the other apps, as they often use the same or similar code.
It seems only the VLC devs did their homework (Sam Hocevar is part of the VLC team). Interestingly enough, even Firefox seems to have had a GIF crasher for a year.

gstreamer:
  crash by lol-ffplay.mpg lol-gstreamer.m2v lol-mplayer.m2v lol-mplayer.mpg lol-vlc.m2v lol-vlc.mpg
  endless loop by lol-ffplay.m2v lol-xine.mpg

mplayer:
  hang by lol-mplayer.wmv
  crash by lol-ffplay.flac lol-mplayer.aac lol-mplayer.mpg lol-mplayer.ogg lol-ogg123.flac lol-vlc.aac lol-xine.aac

xine:
  crash by lol-mplayer.wmv lol-ffplay.m2v lol-ffplay.ogg lol-ffplay.wmv lol-gstreamer.avi lol-ogg123.flac lol-vlc.aac lol-xine.mpg

firefox:
  crash by lol-firefox.gif
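
One way to script the kind of retest described in this post, as an added example (not code from the original post or from zzuf): each sample file is run through each player with a timeout, and the outcome is sorted into crash, hang, rejected or ok. The stub player, the sample file names and the function names are constructed for the demo; in real use a player's command line is passed instead. POSIX signal semantics are assumed.

```python
import signal
import subprocess
import sys

# Signals that point to a memory-safety or assertion failure in the decoder.
FAULT_SIGNALS = {signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS,
                 signal.SIGFPE, signal.SIGILL}

def classify(cmd, sample, timeout=5.0):
    """Run cmd on one sample; return 'crash:<SIG>', 'hang', 'rejected' or 'ok'."""
    try:
        proc = subprocess.run(cmd + [sample], stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"                       # endless loop or deadlock; child was killed
    rc = proc.returncode
    if rc < 0:                              # POSIX: terminated by signal number -rc
        if -rc in FAULT_SIGNALS:
            return "crash:" + signal.Signals(-rc).name
        return "killed:%d" % -rc
    return "ok" if rc == 0 else "rejected"  # non-zero exit: input refused cleanly

def retest(apps, samples, timeout=5.0):
    """Cross-check every sample against every app; keep only the failures."""
    failures = {}
    for app, cmd in apps.items():
        for sample in samples:
            outcome = classify(cmd, sample, timeout)
            if outcome not in ("ok", "rejected"):
                failures.setdefault((app, outcome), []).append(sample)
    return failures

# Constructed stand-in for a media player: its behaviour is keyed on the file name.
STUB = ("import os, signal, sys, time\n"
        "n = sys.argv[1]\n"
        "if 'segv' in n: os.kill(os.getpid(), signal.SIGSEGV)\n"
        "while 'loop' in n: time.sleep(0.1)\n"
        "sys.exit(1 if 'bad' in n else 0)\n")
STUB_PLAYER = [sys.executable, "-c", STUB]

if __name__ == "__main__":
    samples = ["t-segv.bin", "t-loop.bin", "t-bad.bin", "t-fine.bin"]  # constructed names
    for key, files in retest({"stub": STUB_PLAYER}, samples, timeout=1.0).items():
        print(key, files)
```

A non-zero exit is counted as "rejected" rather than as a failure, since cleanly refusing a malformed file is what a fixed decoder is expected to do.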

Comments

Which version did you test?
#1 lu_zero on 2008-01-12 05:41
Quote: "I used the most current versions in Gentoo Linux (testing/~x86-system)", as of the time of my writing.

mplayer 1.0_rc2_p24929-r2
xine-lib-1.1.9 (an update to 1.1.9.1 is now available, but first tests don't show many changes)
gstreamer-0.10.15
firefox 2.0.0.11
#1.1 Hanno on 2008-01-12 11:38
Just tested those files, and the ones from the zzuf page ... and nothing crashes here with the latest CVS of all gstreamer + plugins.

If you get crashes, tell us on #gstreamer on irc.freenode.net or via the gstreamer bugzilla tracker (bugzilla.gnome.org Product:GStreamer).
#2 Edward Hervey on 2008-01-15 16:26
