I've also posted this to my blog: http://hboeck.de/archives/578-How-long-does-it-take-to-fix-a-crash-bug.html About one year ago, Sam Hocevar posted some results on tests with his fuzzing tool zzuf, which showed a large number of crashes in various applications, especially multimedia apps. http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities http://sam.zoy.org/zzuf/ Crash bugs on invalid input very often lead to security issues, thus this should be taken seriously. Now, I took the freedom to have a look how many of the issues found back then were fixed. I used the most current versions in gentoo linux (testing/~x86-system), which tend to be quite up-to-date. I also cross-checked the crashes for other apps, as they often use the same or similar code. Seems only vlc devs did their homework (Sam Hocevar is part of the vlc team). Interesting enough, even firefox seems to have a gif-crasher since a year. gstreamer crash by lol-ffplay.mpg lol-gstreamer.m2v lol-mplayer.m2v lol-mplayer.mpg lol-vlc.m2v lol-vlc.mpg endless loop by lol-ffplay.m2v lol-xine.mpg mplayer hang by lol-mplayer.wmv, crash by lol-ffplay.flac lol-mplayer.aac lol-mplayer.mpg lol-mplayer.ogg lol-ogg123.flac lol-vlc.aac lol-xine.aac xine crash by lol-mplayer.wmv lol-ffplay.m2v lol-ffplay.ogg lol-ffplay.wmv lol-gstreamer.avi lol-ogg123.flac lol-vlc.aac lol-xine.mpg firefox crash by lol-firefox.gif -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@xxxxxxxxx
Attachment:
signature.asc
Description: This is a digitally signed message part.