Posted to dev@guacamole.apache.org by Morgon Kanter <su...@google.com.INVALID> on 2020/03/16 20:21:36 UTC

Fuzzer results

Our fuzzer for guacenc has uncovered a number of integer overflows, stack
overflows, and direct memory leaks -- usually centered around Cairo. How
would you like us to report them? I can provide backtraces of the stack and
minimal test cases that should reproduce the issues.

Thanks,
-- Morgon

Re: Fuzzer results

Posted by Morgon Kanter <su...@google.com.INVALID>.
Having trouble with making my Drive folder public, so I just attached them
instead.

Fuzzer result #3 is an integer overflow in libguac, not just guacenc, so
it's probably more serious than the others.

The others are from guacenc. Possibly not as immediately urgent, but the
ones that bottom out in Cairo might be of interest with the idea that an
attacker could send an arbitrary PNG.

I don't have a fuzzer running for guacd itself, just guacenc. I could set
one up for guacd if there's interest. I'm sure it would find more
interesting results than the guacenc one did.

-- Morgon

On Tue, Mar 17, 2020 at 11:44 AM Morgon Kanter <su...@google.com> wrote:

> I don't have the expertise to know if they are issues with the upstream
> Cairo libs or not -- that's just where the memory allocations happen. I'm
> merely a dumb user of someone else's genius :-)
>
> I'll put them in a Google Drive folder of the format {stacktrace1.txt,
> sample1.guac} for each one. Will reply with the folder once it's ready.
>
> Cheers,
> -- Morgon
>
> On Mon, Mar 16, 2020 at 7:55 PM Nick Couchman <vn...@apache.org> wrote:
>
>> On Mon, Mar 16, 2020 at 4:21 PM Morgon Kanter <su...@google.com.invalid>
>> wrote:
>>
>> > Our fuzzer for guacenc has uncovered a number of integer overflows, stack
>> > overflows, and direct memory leaks -- usually centered around Cairo. How
>> > would you like us to report them? I can provide backtraces of the stack and
>> > minimal test cases that should reproduce the issues.
>> >
>> > Thanks,
>> > -- Morgon
>> >
>>
>> If the findings represent security issues (doubtful for something like
>> guacenc, but something to think about nonetheless), then please report them
>> to the security list:
>>
>> http://guacamole.apache.org/faq/#security
>>
>> Otherwise, here is fine.  Are the issues in the actual guacenc
>> implementation, or in the upstream cairo libraries?  If the issues are in
>> the upstream cairo libraries then reporting them here won't really do any
>> good - they'll need to be reported upstream.  Once we determine that there
>> actually is a bug in the Guacamole code you can open a JIRA issue for the
>> bug(s) and then we (you, us, whoever) can work on resolving them with
>> changes to the code.
>>
>> -Nick
>>
>
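
The bug class this thread is about (dimension arithmetic on an attacker-supplied image wrapping before it reaches an allocation) is easy to see in isolation. The following is an added example written for this page; it is not guacenc, libguac or Cairo code and does not reproduce any of the fuzzer findings discussed above. It parses width and height out of a PNG IHDR chunk from two constructed byte strings, computes the pixel-buffer size the naive way (32-bit stride arithmetic, which wraps) and the checked way (overflow tests plus a size policy). The 4-bytes-per-pixel layout, the hypothetical pixel ceiling `MAX_PIXELS`, and the function names are assumptions made for the example; the IHDR CRC is deliberately not validated.

```c
/* Added example, not Guacamole or Cairo code: sizing a pixel buffer from
 * attacker-controlled PNG dimensions, naive vs. overflow-checked. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BPP 4                                   /* assumed ARGB32 layout   */
#define MAX_PIXELS ((uint64_t)16384 * 16384)    /* hypothetical policy cap */

/* Big-endian 32-bit read, as used by PNG chunk headers and IHDR fields. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Extract width/height from the IHDR chunk that must follow the PNG
 * signature. Returns 0 on success, -1 if the header is missing or short. */
int png_dimensions(const unsigned char *buf, size_t len,
                   uint32_t *width, uint32_t *height) {
    static const unsigned char sig[8] = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A};
    if (len < 8 + 4 + 4 + 13) return -1;              /* sig + len + type + IHDR */
    if (memcmp(buf, sig, 8) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    *width  = be32(buf + 16);
    *height = be32(buf + 20);
    return 0;
}

/* Naive sizing: stride is computed in 32 bits and wraps modulo 2^32, so a
 * width of 0x40000000 yields a stride of 0 and a zero-byte buffer for an
 * image the decoder will still treat as 2^30 pixels wide. */
size_t naive_buffer_size(uint32_t width, uint32_t height) {
    uint32_t stride = width * BPP;                    /* wraps silently */
    return (size_t)stride * height;
}

/* Checked sizing: reject empty images, anything over the policy cap, and
 * any multiplication that would not fit in size_t. Returns 0 and sets *out
 * on success, -1 on rejection. */
int checked_buffer_size(uint32_t width, uint32_t height, size_t *out) {
    if (width == 0 || height == 0) return -1;
    if ((uint64_t)width * height > MAX_PIXELS) return -1;   /* policy limit */
    if (width > SIZE_MAX / BPP) return -1;                  /* stride overflow */
    size_t stride = (size_t)width * BPP;
    if (height > SIZE_MAX / stride) return -1;              /* total overflow */
    *out = stride * height;
    return 0;
}

/* Constructed sample: IHDR of a 640x480 8-bit RGBA image (CRC is a placeholder). */
static const unsigned char PNG_640x480[33] = {
    0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A,
    0x00,0x00,0x00,0x0D, 'I','H','D','R',
    0x00,0x00,0x02,0x80,            /* width  640 */
    0x00,0x00,0x01,0xE0,            /* height 480 */
    0x08,0x06,0x00,0x00,0x00,       /* depth 8, RGBA, no interlace */
    0x00,0x00,0x00,0x00             /* CRC, not validated here */
};

/* Constructed sample: width 0x40000000, height 1; 32-bit stride wraps to 0. */
static const unsigned char PNG_HOSTILE[33] = {
    0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A,
    0x00,0x00,0x00,0x0D, 'I','H','D','R',
    0x40,0x00,0x00,0x00,            /* width  1073741824 */
    0x00,0x00,0x00,0x01,            /* height 1 */
    0x08,0x06,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00
};

static void report(const char *name, const unsigned char *png, size_t len) {
    uint32_t w, h;
    size_t checked;
    if (png_dimensions(png, len, &w, &h) != 0) {
        printf("%s: not a PNG IHDR\n", name);
        return;
    }
    int ok = checked_buffer_size(w, h, &checked);
    printf("%s: %ux%u naive=%zu checked=%s\n", name, w, h,
           naive_buffer_size(w, h), ok == 0 ? "accepted" : "rejected");
}

int main(void) {
    report("640x480", PNG_640x480, sizeof PNG_640x480);
    report("hostile", PNG_HOSTILE, sizeof PNG_HOSTILE);
    return 0;
}
```

The policy cap is the part most often left out: on a 64-bit host the product of two 32-bit dimensions and a 4-byte pixel only overflows `size_t` at the extreme end, so a 2^30 by 2^30 image passes a pure overflow check and then asks the allocator for 4 EiB. A fuzzer that feeds decoded dimensions straight into an allocation will find both failure modes, which is why triage has to establish whether the wrapping arithmetic lives in the calling code or in the image library before anything is filed upstream.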

Re: Fuzzer results

Posted by Morgon Kanter <su...@google.com.INVALID>.
I don't have the expertise to know if they are issues with the upstream
Cairo libs or not -- that's just where the memory allocations happen. I'm
merely a dumb user of someone else's genius :-)

I'll put them in a Google Drive folder of the format {stacktrace1.txt,
sample1.guac} for each one. Will reply with the folder once it's ready.

Cheers,
-- Morgon

On Mon, Mar 16, 2020 at 7:55 PM Nick Couchman <vn...@apache.org> wrote:

> On Mon, Mar 16, 2020 at 4:21 PM Morgon Kanter <su...@google.com.invalid>
> wrote:
>
> > Our fuzzer for guacenc has uncovered a number of integer overflows, stack
> > overflows, and direct memory leaks -- usually centered around Cairo. How
> > would you like us to report them? I can provide backtraces of the stack and
> > minimal test cases that should reproduce the issues.
> >
> > Thanks,
> > -- Morgon
> >
>
> If the findings represent security issues (doubtful for something like
> guacenc, but something to think about nonetheless), then please report them
> to the security list:
>
> http://guacamole.apache.org/faq/#security
>
> Otherwise, here is fine.  Are the issues in the actual guacenc
> implementation, or in the upstream cairo libraries?  If the issues are in
> the upstream cairo libraries then reporting them here won't really do any
> good - they'll need to be reported upstream.  Once we determine that there
> actually is a bug in the Guacamole code you can open a JIRA issue for the
> bug(s) and then we (you, us, whoever) can work on resolving them with
> changes to the code.
>
> -Nick
>

Re: Fuzzer results

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Mar 16, 2020 at 4:21 PM Morgon Kanter <su...@google.com.invalid>
wrote:

> Our fuzzer for guacenc has uncovered a number of integer overflows, stack
> overflows, and direct memory leaks -- usually centered around Cairo. How
> would you like us to report them? I can provide backtraces of the stack and
> minimal test cases that should reproduce the issues.
>
> Thanks,
> -- Morgon
>

If the findings represent security issues (doubtful for something like
guacenc, but something to think about nonetheless), then please report them
to the security list:

http://guacamole.apache.org/faq/#security

Otherwise, here is fine.  Are the issues in the actual guacenc
implementation, or in the upstream cairo libraries?  If the issues are in
the upstream cairo libraries then reporting them here won't really do any
good - they'll need to be reported upstream.  Once we determine that there
actually is a bug in the Guacamole code you can open a JIRA issue for the
bug(s) and then we (you, us, whoever) can work on resolving them with
changes to the code.

-Nick