Tux Machines

Security Leftovers

Posted by Roy Schestowitz on Oct 04, 2024

Free, Libre, and Open Source Software Leftovers
Mozilla: Firefox DevTools Newsletter, Thunderbird Monthly Development Digest, and Turning Off Firefox Surveillance

Google ☛ Effective Fuzzing: A Dav1d Case Study

↺ Effective Fuzzing: A Dav1d Case Study
Guest post by Nick Galloway, Senior Security Engineer, 20% time on Project Zero
Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, and it was assigned CVE-2024-1580. After the disclosure, I received some questions about how this issue was discovered, since dav1d is already being fuzzed by at least oss-fuzz. This blog post explains what happened. It’s a useful case study in how to construct fuzzers to exercise as much code as possible. But first, some background...
↺ dav1d
↺ patched
↺ CVE-2024-1580
↺ oss-fuzz
↺ dav1d
↺ patched
↺ CVE-2024-1580
↺ oss-fuzz

PowerDNS ☛ PowerDNS Recursor Security Advisory 2024-04

↺ PowerDNS Recursor Security Advisory 2024-04
These releases fix PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor.

LWN ☛ Security updates for Thursday

↺ Security updates for Thursday
Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).
gemini.tuxmachines.org