From: Stephan Lipp
To: Nick Clifton
Cc: Marcel Böhme, Thorsten Holz, "Pretschner, Alexander", "Hassler, Keno", Philipp Görz, Binutils
Subject: Re: Automated vulnerability detection
Date: Wed, 9 Nov 2022 12:13:33 +0100
Message-ID: <7b6ae72b-652d-5a94-da78-115d7f3c4a38@tum.de>
In-Reply-To: <3f1a02fc-398f-cd89-32df-80dd1657a33f@redhat.com>
References: <99fa0211-c6d0-acd4-975b-852dff21219e@tum.de> <3f1a02fc-398f-cd89-32df-80dd1657a33f@redhat.com>

Hi Nick,

Thank you very much for your response!

We are currently using an older version of Binutils to see how well these tools detect known vulnerabilities (CVEs).

Thank you for pointing us to this reporting system. I think it also makes sense to see what was reported there for the version we use in our study. In case we find a new vulnerability, we will of course report it through your bug tracking system.

Best regards,
Stephan

On 08.11.22 13:47, Nick Clifton wrote:
> Hi Stephan,
>
>> Do you use static analysis tools or fuzzers to test Binutils (2.29)?
>
> Yes and no. We - the GNU Binutils project - do not use static analysers
> or fuzzers directly. But there are quite a few groups out there who do
> use these tools to analyse the binutils sources and report problems that
> they find. We are always pleased to receive these reports and investigate
> the issues that they find.
>
> Aside - I assume that referring to version "2.29" in your email is a typo
> and that you meant 2.39. Version 2.29 is quite old now.
>
>> We are happy to share any insights from our analysis which might be
>> also helpful to you. Thank you very much in advance!
>
> If you do find bugs in the binutils sources we are always happy to receive
> them. If you can, it really helps us if you are able to file bug reports
> via the bug reporting system found here:
>
>   https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils
>
> Cheers
>   Nick