Monday, March 23, 2015

mozjpeg findings update

20150323:  mozjpeg: b6029d31 SIGFPE on specially crafted jpeg

Saturday, March 14, 2015



010db139 -- SEGV #1 icns_read_be (size=2, inp=0x661000, outp=<synthetic pointer>) at icns_io.c:51
3454826d -- SEGV #1 icns_read_le (size=2, inp=<optimized out>, outp=<synthetic pointer>) at icns_io.c:101

Reported to maintainer Mathew Eis  March 14, 2015, 9:43 p.m.

Sunday, March 8, 2015

Fuzzing Update

Re: 9f74b0e8, c9be2aa7, d7273f72, 6889d18b
Closed with patch.

Re: 8afd955e [Crash, SEGV ] malloc in Area.C:223
Response received from vendor, wontfix.

Re: 3a41cb1c, 6bb4db60
Closed with patch. 3a41cb1c resolved in this patch. 6bb4db60 resolved in this patch.
Re: ab50ccf7
Closed in latest git checkout. Asking vendor for patch details.

Re: 485f75d6, bd644d4d
Closed with vendor release of 0.22

Re: 0cd10b14
Vendor working on fix.

Submitted new 0ad69d36, 24dfd181, 27eac1b7, 2b9f1f19, 3503093d, 3a5b6ff4, 3b2a6ca6, 40dd99c6, 42e898d9, 4fa145b4, 5570ae2a, 57dc6ada, 7c503fc7, 7d580ece, 87aebb39, 8d2e9b05, 9071d6d8, 91fe0b08, 92cee751, 99f38038, a921cb74, b1ee740e, b3445f4e, b6bd0cc0, b9eff3a0, bbb8391b, c3e9eae3, c7f0611a, cb3d04f9, d34f9134, d6ce68b4, dccd6129, ea388b76, f2315602, f7cede9e  on 3/8/2015

Submitted new a4ac94f0 to Debian QA team on 3/8/2015, Debian bug ID 780079;

Wednesday, December 24, 2014

New CVE ID: CVE-2014-8716

 I found this via the AFL fuzzer.

Saturday, December 29, 2012

sysidcfg in solaris 10 shared-ip zones

If you've tried to put a sysidcfg in shared-ip zones with multiple network interfaces, you've probably experienced some headaches.

I found that if I specified each interface like you would in a normal sysidcfg, it would drop to interactive input.

When I was just specifying one interface with network_interface=PRIMARY{etc etc}, everything worked fine. When I would switch to network_interface=e1000g0{primary hostname=server.local} , it would drop to interactive again.

The secret was just to use PRIMARY no matter how many interfaces I was configuring.

After some tinkering I was able to drop the whole network_interface{} stanza down to:


Friday, November 30, 2012

Verify backups before implementing changes

Going to make a change to a machine?

Verify that you have good colds before you go through.

Almost every change or upgrade plan I have starts off with:

  1. Day after colds: Verify backups for hosts {a,b,c,d,e,f,g,h} 
  2. Day of implementation:  Verify backups for hosts {a,b,c,d,e,f,g,h}

If that backup isn't good, either take a good backup immediately before preceding or reschedule your implementation for a window after the next full backup.

I've had this save me a time or two. A previously bulletproof backup decided to cook off the week of one of my upgrades.