develooper Front page | perl.perl5.porters | Postings from April 2014

Re: Mayhem heads up

Thread Previous | Thread Next
From:
David Steinbrunner
Date:
April 29, 2014 12:17
Subject:
Re: Mayhem heads up
Message ID:
CF850F82.63894%dsteinbrunner@pobox.com
On 6/28/13, 8:52 AM, "Reini Urban" <rurban@x-ray.at> wrote:

>See http://lists.debian.org/debian-devel/2013/06/msg00720.html
>
>Those perl packages are currentty affected:
>eperl, perl-byacc, perl5i
>See http://forallsecure.com/reports/dd-list.txt
>
>This is not really impressive, compared to the number of found asan bugs.
>
>But the mayhem paper at
>http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf says:
>In this paper we present MAYHEM, a new system for automatically ļ¬nding
>exploitable bugs in binary (i.e., executable) programs. Every bug
>reported by MAYHEM is accompanied by a working shell-spawning exploit.
>The working
>exploits ensure soundness and that each bug report is security
>critical and actionable....
>
>Most found bugs are stack overflows and format strings exploitations.
>Looks like a better valgrind/memcheck to me, with the "advantage" to
>create reproducers.

With all the Coverity action going on it made me think of the MAYHEM
notice above that did not seem to get any attention on p5p beyond the
notice.  Did these issue just get silently taken care of?

--
David Steinbrunner




Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About