On Thu, Jul 4, 2013 at 2:55 PM, Russ Allbery wrote:
> Run the normal build system commands under scan-build. In other:
>
> scan-build ./configure ...
> scan-build make
Hmm, it doesn't seem to work when upstream just uses CC=gcc in the
Makefile. For example mancala.
> I haven't tried to
On 04/07/2013 08:55, Russ Allbery wrote:
> Paul Wise writes:
>
>> Do you know how to run that in an automated way? I would like to add
>> it here and to my pbuilder hook:
>
>> http://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
>
> Run the normal build system commands unde
On Thu, Jul 04, 2013 at 06:48:47AM +0200, Kurt Roeckx wrote:
> clang also has an option to do that now I think, did someone try
> to run that on the archive?
Yep, Sylvestre is working on it together with Leo Cavaille as a GSoC
2013 project
https://wiki.debian.org/SummerOfCode2013/StudentApplicatio
* Paul Wise [2013-07-04 13:20:38 +0800]:
> On Thu, Jul 4, 2013 at 12:48 PM, Kurt Roeckx wrote:
>
> > I guess you could ask, but I have a feeling they would prefer to
> > work with the upstream projects.
>
> I've sent an email to scan-ad...@coverity.com.
>
> > clang also has an option to do tha
Paul Wise writes:
> Do you know how to run that in an automated way? I would like to add
> it here and to my pbuilder hook:
> http://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
Run the normal build system commands under scan-build. In other:
scan-build ./configure .
On Thu, Jul 4, 2013 at 12:48 PM, Kurt Roeckx wrote:
> I guess you could ask, but I have a feeling they would prefer to
> work with the upstream projects.
I've sent an email to scan-ad...@coverity.com.
> clang also has an option to do that now I think, did someone try
> to run that on the archive
On Thu, Jul 04, 2013 at 12:39:05PM +0800, Paul Wise wrote:
> On Thu, Jul 4, 2013 at 12:28 PM, Kurt Roeckx wrote:
>
> > I think any open source project can ask that
>
> Indeed, however, for a project like Debian it would probably require
> some changes in their service or at least an ack for the l
On Thu, Jul 4, 2013 at 12:28 PM, Kurt Roeckx wrote:
> I think any open source project can ask that
Indeed, however, for a project like Debian it would probably require
some changes in their service or at least an ack for the large amount
of computing resources that scanning our archive would use.
On Thu, Jul 04, 2013 at 11:36:25AM +0800, Paul Wise wrote:
> On Tue, Jun 25, 2013 at 1:28 PM, Alexandre Rebert wrote:
>
> > We found the bugs using Mayhem [1], an automatic bug finding system
> > that we've been developing in David Brumley's research lab for a
> > couple of years. We recently ran
BTW, your crash.sh scripts have a bug. When passing data on stdin to
the program but running the program under gdb, you have to use the
-tty argument to gdb instead of passing the data to stdin of gdb.
--
bye,
pabs
http://wiki.debian.org/PaulWise
--
To UNSUBSCRIBE, email to debian-devel-requ.
On Tue, Jun 25, 2013 at 1:28 PM, Alexandre Rebert wrote:
> We found the bugs using Mayhem [1], an automatic bug finding system
> that we've been developing in David Brumley's research lab for a
> couple of years. We recently ran Mayhem on almost all ELF binaries of
> Debian Wheezy (~23K binaries)
Le Sun, Jun 30, 2013 at 05:06:59AM +, Bart Martens a écrit :
> On Sun, Jun 30, 2013 at 08:24:30AM +0900, Charles Plessy wrote:
> > How about simply replacing "should name the original authors" by "should
> > provide contact information for license questions" ?
>
> That would give the wrong imp
> while the coverage is still tiny, there is an effort to collect contact
> addresses listed in the debian/upstream file in the VCS where our source
> packages are maintained.
>
> http://upstream-metadata.debian.net/table/contact
>
> In some cases, it is a valid email address. Perhaps you can
On Sun, Jun 30, 2013 at 08:24:30AM +0900, Charles Plessy wrote:
> How about simply replacing "should name the original authors" by "should
> provide contact information for license questions" ?
That would give the wrong impression that whatever that contact answers to
license questions applies.
R
"Lisandro Damián Nicanor Pérez Meyer" writes:
> I agree. And yes, Maybe I could have make it less verbose by compressing
> the set of files thathave stuff in common.
> But that would have taken me at least one more day of work. Thanks, but
> no thanks.
Yeah, I definitely understand that part.
On Friday 28 June 2013 20:12:50 Russ Allbery wrote:
> "Lisandro Damián Nicanor Pérez Meyer" writes:
> > And DEP5 is fine as long as you don't hit a source wich makes it grow
> > above 12k+ lines. Then it becames a real PITA.
>
> This usually means you're doing it wrong. Comprehensive copyright-f
> Clint Adams writes:
>
> > I see some value in distinguishing between upstream contact points for
> > problems with the software (bugs and such) and upstream contact points
> > for licensing issues (such as restoration of rights after a GPL-2
> > violation). debian/copyright seems like the logi
Clint Adams writes:
> On Fri, Jun 28, 2013 at 08:06:54PM -0700, Russ Allbery wrote:
>> It is, however, closely related to all of those things and you end up
>> usually satisfying all of those requirements at the same time for quite
>> a few packages, as has been discussed many times in the past.
On Fri, Jun 28, 2013 at 08:06:54PM -0700, Russ Allbery wrote:
> It is, however, closely related to all of those things and you end up
> usually satisfying all of those requirements at the same time for quite a
> few packages, as has been discussed many times in the past. People seem
I see some va
On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
> Please let us know if the reports are good enough to proceed with the
> filing, or if any additional information should be included in the
> report.
Heya, I haven't yet seen this mentioned yet, so here it goes: if/when
you go ahea
"Lisandro Damián Nicanor Pérez Meyer" writes:
> And DEP5 is fine as long as you don't hit a source wich makes it grow
> above 12k+ lines. Then it becames a real PITA.
This usually means you're doing it wrong. Comprehensive copyright-format
1.0 files for some of my packages with over 20 differen
On Friday 28 June 2013 13:28:59 Jonas Smedegaard wrote:
> Quoting Lisandro Damián Nicanor Pérez Meyer (2013-06-27 19:42:16)
[snip]
> So if adopted and up-to-date, it will be the correct (and will also be
> up-to-date - that's obviously implied from it being, ahem, up-to-date).
On a second thought
Clint Adams writes:
> On Fri, Jun 28, 2013 at 07:35:51PM -0700, Russ Allbery wrote:
>> Upstream-Contact was put into DEP-5 because it was already required
>> contents in debian/copyright according to Policy, which says:
>> Every package must be accompanied by a verbatim copy of its
>> co
On Friday 28 June 2013 13:28:59 Jonas Smedegaard wrote:
> Quoting Lisandro Damián Nicanor Pérez Meyer (2013-06-27 19:42:16)
>
> > On Thursday 27 June 2013 11:19:40 Alexandre Rebert wrote:
> > > > I do not think that you should try to implement this immediately
> > > > but from a Debian Maintainers
Le Fri, Jun 28, 2013 at 07:35:51PM -0700, Russ Allbery a écrit :
>
> Every package must be accompanied by a verbatim copy of its copyright
> information and distribution license in the file
> /usr/share/doc/package/copyright. This file must neither be compressed
> nor be a symbolic
On Fri, Jun 28, 2013 at 07:35:51PM -0700, Russ Allbery wrote:
> Upstream-Contact was put into DEP-5 because it was already required
> contents in debian/copyright according to Policy, which says:
>
> Every package must be accompanied by a verbatim copy of its copyright
> information and di
Paul Wise writes:
> On Fri, Jun 28, 2013 at 5:47 PM, Andreas Tille wrote:
>> BTW, -1 for duplicating information as Upstream-Contact in d/upstream
>> as long as it resides in d/copyright. I'm fine if this field is moved
>> from d/copyright to d/upstream but I'm against having the same value in
>
On Fri, Jun 28, 2013 at 5:47 PM, Andreas Tille wrote:
> BTW, -1 for duplicating information as Upstream-Contact in d/upstream as
> long as it resides in d/copyright. I'm fine if this field is moved from
> d/copyright to d/upstream but I'm against having the same value in two
> different files.
I
Le Fri, Jun 28, 2013 at 11:38:21AM +0200, Mathieu Parent a écrit :
>
> Dep12 [1] doesn't have a Security-Contact field. Should we add one?
> (and maybe a Security-Submit?)
Hi Mathieu,
the contents of the debian/upstream files is open-ended. You can start anytime
to document and promote the use
Alexandre Rebert schrieb:
> Hi,
>
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
> advised us to contact you before submitting ~1.2K
On Fri, Jun 28, 2013 at 01:28:59PM +0200, Jonas Smedegaard wrote:
> > But even if adopted and up to date, it doesn't means that's the
> > correct way of dealing with upstream. Many addresses will be of former
> > developers, and in most situations it will not be the best way to
> > contact upstr
Quoting Charles Plessy (2013-06-28 00:07:55)
> Le Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert a écrit :
> >
> > > I wished the respective report would have been sent to the
> > > upstream developers, not to Debian. We could have been a second
> > > resort when upstream does not react
Quoting Lisandro Damián Nicanor Pérez Meyer (2013-06-27 19:42:16)
> On Thursday 27 June 2013 11:19:40 Alexandre Rebert wrote:
> > > I do not think that you should try to implement this immediately
> > > but from a Debian Maintainers point of view we now could present a
> > > case where it makes p
On Fri, Jun 28, 2013 at 11:38:21AM +0200, Mathieu Parent wrote:
>
> Dep12 [1] doesn't have a Security-Contact field. Should we add one?
> (and maybe a Security-Submit?)
+1
BTW, -1 for duplicating information as Upstream-Contact in d/upstream as
long as it resides in d/copyright. I'm fine if thi
2013/6/28 Charles Plessy :
> Le Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert a écrit :
>>
>> > I wished the respective report would have been sent to the upstream
>> > developers,
>> > not to Debian. We could have been a second resort when upstream does not
>> > react to the reports (no
Le Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert a écrit :
>
> > I wished the respective report would have been sent to the upstream
> > developers,
> > not to Debian. We could have been a second resort when upstream does not
> > react to the reports (not unlikely, admittedly). Now, the
> BTW, the mails you have been sending with links to the crashes have
> been going to publicly archived lists, not sure if you meant for that
> to happen though?
>
I don't think the Mayhem team is at all to blame for that: we seemingly simply
don't have the necessary information in place.
For m
On Thursday 27 June 2013 11:19:40 Alexandre Rebert wrote:
> > I do not think that you should try to implement this immediately but
> > from a Debian Maintainers point of view we now could present a case
> > where it makes perfectly sense to use DEP5 formated copyright files and
> > if we try to do
> I do not think that you should try to implement this immediately but
> from a Debian Maintainers point of view we now could present a case
> where it makes perfectly sense to use DEP5 formated copyright files and
> if we try to do this more strictly future tests could profit from it.
For our pur
On Thu, Jun 27, 2013 at 9:25 AM, Andreas Tille wrote:
> The Debian Med team was flooded by about 50 mails which is hard to cope
> in two weeks.
You shouldn't have received that many emails. If we decide to report
more bugs in the future (depending on the reactions from the
community), we will mak
Hi Alexandre,
On Thu, Jun 27, 2013 at 10:28:15AM -0400, Alexandre Rebert wrote:
> I agree with you that it would have been best to contact upstream
> developers instead of package maintainers. I couldn't find a tool
> listing upstream developers for a given package however, and that's
> why we con
On Thu, Jun 27, 2013 at 5:11 AM, Aron Xu wrote:
> I wonder whether you have checked where the crash is caused, you have
> sent several mails to me for every binary in your test run, but in
> dmesg.txt you provided all of them are from the very same library.
> This will cause lots of duplicates, an
Hi
> I wished the respective report would have been sent to the upstream
> developers,
> not to Debian. We could have been a second resort when upstream does not
> react to the reports (not unlikely, admittedly). Now, the Debian maintainer
> sees the findings two weeks before the bug is made publ
> One such crash was reported on a small fluxbox tool to be manually run,
> which used $HOME blindly. When it ran, it segfaulted, which is a bug,
> yes.
>
> However, it's not security, and to see the bug tagged 'security' was
> troubling - what oversight do you have to prevent the security team to
On Thu, Jun 27, 2013 at 3:30 AM, Paul Wise wrote:
> BTW, the mails you have been sending with links to the crashes have
> been going to publicly archived lists, not sure if you meant for that
> to happen though?
I realize only now that many emails (about 20% in our case), that are
listed as pack
Hi,
On Thu, Jun 27, 2013 at 03:15:17PM +0200, "Steffen Möller" wrote:
>
> I wished the respective report would have been sent to the upstream
> developers,
> not to Debian. We could have been a second resort when upstream does not
> react to the reports (not unlikely, admittedly). Now, the Debia
> Gesendet: Donnerstag, 27. Juni 2013 um 14:21 Uhr
> Von: "Paul Tagliamonte"
> An: "Alexandre Rebert"
> Cc: debian-devel@lists.debian.org
> Betreff: Re: Reporting 1.2K crashes
>
> On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
&
BTW folks there is another tool (bfbtester) already in Debian that
does some testing of binaries for issues like crashes with long
argument strings or environment variables and also insecure tmpfile
usage. I'm running it on package uploads along with some other tools.
http://packages.debian.org/si
On Tue, Jun 25, 2013 at 01:28:10AM -0400, Alexandre Rebert wrote:
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
^^ wheezy :)
Hi,
On 27/06/13 at 12:34 +0200, Wouter Verhelst wrote:
> On 25-06-13 07:28, Alexandre Rebert wrote:
> > Hi,
> >
> > I am a security researcher at Carnegie Mellon University, and my team
> > has found thousands of crashes in binaries downloaded from debian
> > wheeze packages.
>
> Out of interest
On 25-06-13 07:28, Alexandre Rebert wrote:
> Hi,
>
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages.
Out of interest, can you elaborate on the methodology you used in trying
to find these
On Wed, Jun 26, 2013 at 5:37 AM, Alexandre Rebert
wrote:
> Hi,
>
>> I understand. But two weeks might be a bit too short for the majority
>> of those crashes. Many upstream authors don't get paid for working on
>> their software.
>
> I first want to clarify the purpose of the two-week delay to mak
BTW, the mails you have been sending with links to the crashes have
been going to publicly archived lists, not sure if you meant for that
to happen though?
--
bye,
pabs
http://wiki.debian.org/PaulWise
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubs
Hi,
> I understand. But two weeks might be a bit too short for the majority
> of those crashes. Many upstream authors don't get paid for working on
> their software.
I first want to clarify the purpose of the two-week delay to make sure
we are on the same page.We do not expect upstream developers
On Tue, 25 Jun 2013 11:46:04 -0700, Russ Allbery
wrote:
>Marc Haber writes:
>
>> Will you also check Debian unstable? It is much easier to have a package
>> in unstable fixed, and I suspect that not every crash you find will be a
>> security relevant one.
>
>I suspect most of them won't be, actua
On Tue, 25 Jun 2013 14:06:42 -0400, Alexandre Rebert
wrote:
>On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber
> wrote:
>> Additionally, I guess that the vast majority of crahes you have found
>> will be upstream bugs which the Debian maintainer would have to
>> forward upstream. Will you take efforts
]] Alexandre Rebert
> Hi,
>
> Thanks for all the feedback and comments. I tried to address all them below.
>
> > The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually
> > needed? I'd prefer something that doesn't need something like that,
> > since being able to crash apps if you
Hello,
Is it possible to use/download Mayhem from somewhere?
On Tue, Jun 25, 2013 at 7:28 AM, Alexandre Rebert <
alexandre.reb...@gmail.com> wrote:
We found the bugs using Mayhem [1], an automatic bug finding system
> that we've been developing in David Brumley's research lab for a
> couple of
On 25 June 2013 19:21, Alexandre Rebert wrote:
> Hi,
>
> On Tue, Jun 25, 2013 at 2:03 PM, Dmitrijs Ledkovs
> wrote:
>> From Ubuntu point of view, we'd also be interested in a similar
>> analysis. Unlike Debian we provide automatically generated packages
>> with debug symbols.
>> Similar to debian
Marc Haber writes:
> Will you also check Debian unstable? It is much easier to have a package
> in unstable fixed, and I suspect that not every crash you find will be a
> security relevant one.
I suspect most of them won't be, actually, or at least will be difficult
to exploit. A lot of command
Hi,
On Tue, Jun 25, 2013 at 2:03 PM, Dmitrijs Ledkovs
wrote:
> From Ubuntu point of view, we'd also be interested in a similar
> analysis. Unlike Debian we provide automatically generated packages
> with debug symbols.
> Similar to debian, we would most interested for development series to
> be t
Hi,
On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber
wrote:
> Will you also check Debian unstable? It is much easier to have a
> package in unstable fixed, and I suspect that not every crash you find
> will be a security relevant one.
We actually already did :) We re-ran all the crashes on debian
un
> Without diminishing the value of bugreports against our stable release,
> I would be more interested in such reports against the software material
> for our future stable; aka software from unstable; did you have such
> plans in mind?
That's a good point that has been raised by other people as w
Hi
Le mardi, 25 juin 2013 07.28:10, Alexandre Rebert a écrit :
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting ow...@bugs.debian.org, Don
> Armstrong advised us to contac
On Tuesday 25 June 2013 10:54:21 Alexandre Rebert wrote:
> Hi,
[snip]
> > Would it be possible to initially publish all the bug reports on your
> > web site under some random URL and then mail that to the maintainer
> > with a clearly indicated date when they will be made public?
>
> Good point. I
On Tue, 25 Jun 2013 01:28:10 -0400, Alexandre Rebert
wrote:
>I am a security researcher at Carnegie Mellon University, and my team
>has found thousands of crashes in binaries downloaded from debian
>wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
>advised us to contact you b
On Tue, Jun 25, 2013 at 10:54 PM, Alexandre Rebert wrote:
> The reports are not public yet. Since you are a developer included in
> dd-list, we will send you an email containing the crash information
> for the programs you are developing. You will receive the email 1 week
> before the crash is sub
Hi Alexandre,
(Just replying regarding the point I had raised.)
[...]
> > Can one also access, even before you go and file bugs, information for other
> > packages? I cannot actually find any reports for the package listed in the
> > dd-list under my name in your Packages, Runs, nor Programs page
Hi,
Thanks for all the feedback and comments. I tried to address all them below.
> The crash.sh script seems to set LD_LIBRARY_PATH. Is that actually
> needed? I'd prefer something that doesn't need something like that,
> since being able to crash apps if you load a broken library isn't very
>
Alexandre Rebert writes:
> wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
> advised us to contact you before submitting ~1.2K bug reports to the
> Debian BTS using mainto...@bugs.debian.org (to avoid spamming
> debian-bugs-dist).
Interesting research, thanks a lot for your
On Tue, Jun 25, 2013 at 1:28 PM, Alexandre Rebert wrote:
> We found the bugs using Mayhem [1], an automatic bug finding system
> that we've been developing in David Brumley's research lab for a
> couple of years. We recently ran Mayhem on almost all ELF binaries of
> Debian Wheezy (~23K binaries)
Hi Alexandre,
Many thanks for this effort, this sounds really interesting.
[...]
> You can download the list of affected packages, with their maintainers
> [3], generated with dd-list, as well as a sample bug report for
> gcov-4.6 [4]. The bug report contains:
> 1) the bug report that will be m
]] Alexandre Rebert
Hi,
(Cc-ing you as I don't know if you're subscribed. Apologies for the
extra copy if you are.)
> I am a security researcher at Carnegie Mellon University, and my team
> has found thousands of crashes in binaries downloaded from debian
> wheeze packages. After contacting ow
Hi,
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting ow...@bugs.debian.org, Don Armstrong
advised us to contact you before submitting ~1.2K bug reports to the
Debian BTS using m
74 matches
Mail list logo
