See also: wiki:TestedPrograms.

CVE found using Fusil

• 2007-05-22: CVE-2007-2754
  • Security hole in FreeType
  • Freetype TT_Load_Simple_Glyph() TTF File Integer Overflow Vulnerability
• 2007-05-11: CVE-2007-2650
  • ClamAV OLE2 Parser Denial of Service
  • ClamAV OLE2 Parser Large Property Size Processing Denial of Service Vulnerability
  • FIXED in version 0.90.3
• 2007-05-10: CVE-2007-2645
  • Libexif "exif_data_load_data_entry()" EXIF Image Handling Integer Overflow Vulnerability

ImageMagick

• ImageMagick: image manipulation on the command line
  • Report bug in the forum
• Version: last version (2007-05-07)
  • FIXED: Crash in EXIF parser with invalid IFD count
  • WON'T FIX: Bug report in TGA and XCF files

rpm

• rpm: package manipulation of Redhat, Fedora Core, Mandriva and other Linux distributions
• Version: last version (2007-05-10)
  • FIXED: Bug report #239557: patch to fix the bug

glibc

• glibc is library used by all programs on a computer :-)
  • Bugtracker
• Version: last version (2007-04-30)
  • FIXED: vfprintf() bug -- bug fixed in version 2.5.1

FreeType2

• FreeType2: Font library to render text supporting many font file format (eg. TTF and OTF)
• Version: last version (2007-04-28)
  • FIXED: cmap bug
  • FIXED: Negative number of points bug
• 2008-02-18: bug #22356: TrueType: crash in Ins_IUP() (closed 2h later)

ClamAV

• ClamAV: open source antivirus
  • Bugzilla
• Version: 0.90.2
  • FIXED: Loop in FAT of OLE2 document (fixed in 0.90.3)
  • FIXED: OLE2: Allocate too much memory with invalid file (fixed in 0.91)
  • FIXED: bitset_realloc() is not atomic (fixed in 0.91)
  • FIXED: OLE2: Long (slow) loop in ole2_walk_property_tree() with huge prop_index value (fixed in 0.91)

poppler (PDF)

• Poppler: library to diused by Kpdf and Evince
  • Bugzilla
• Version: 0.5.4
  • FIXED: Crash on fuzzed PDF at Parser.cc:192
• Version trunk (2007-05-11):
  • Crash on fuzzed PDF: recursive call of Parser::getObj()
• 2008-02-18 (poppler 0.6.0)
  • Bug 14549: Crash in Lexer::getObj() if xref is NULL (fixed)

libexif

• libexif is a library to read/write EXIF data
• libexif is used by nautilus, gwenview, gimp, exiftran and a lot of other programs!
• Version: 0.6.13
  • FIXED: Serious security bug in exif_data_load_data_entry() => patch
  • Crash in exif_entry_fix() when e->data is NULL

binutils (bfd)

• binutils are as, ld, nm, libbfd, etc.
  • Bugtracker
• Version 2.17 and CVS HEAD
  • FIXED: bfd_elf_string_from_elf_section() doesn't check shindex value => patch

Gimp

• Gimp 2.2.13
• FIXED: missing input validation in several file plug-ins (fixed in Gimp 2.2.16)

Tremor (Ogg/Vorbis)

• Tremor trunk (2007-11-01)
• Bug #1254

Gstreamer

• Gstreamer 0.10 (gst-plugins-good 0.10.6)
• Bug 510592 – Race condition in WAVE parser (fixed the 2008-01-19)
• Bug 510982 – gst_tag_demux_trim_buffer: invalid return value
• Bug 525665 – Crash on Ogg/Vorbis with chain=NULL (fixed)

PHP

• array_slice(&$offset, $offset) crash (fixed) in PHP 5.2.5
• count_chars() crashes if both arguments are the same reference: crash PHP 5.2.6
• levenshtein() crashs with invalid arguments: crash PHP 5.2.6

xterm

• xterm crashs with long PATH environment path with no ":" character (fixed in xterm patch 236)

vim

$ VIMRUNTIME=$(python -c 'print "a"*10000') vim
Erreur de segmentation
$ VIM=$(python -c 'print "a"*10000') vim
Erreur de segmentation

dpkg-query (apt/dpkg)

$ COLUMNS=10000000 dpkg-query -l
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé
|/ Err?=(aucune)/H=à garder/besoin Réinstallation/X=les deux (État,Err: majuscule=mauvais)
Erreur de segmentation

=> was a bug in vfprintf() from glic (see above)