Hello community,
here is the log from the commit of package afl for openSUSE:Factory checked in at 2015-06-02 10:11:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
and /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-05-19 00:21:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-06-02 10:11:50.000000000 +0200
@@ -1,0 +2,20 @@
+Tue May 26 10:59:53 UTC 2015 - astieger@suse.com
+
+- afl 1.80b:
+ - Made afl-cmin tolerant of whitespaces in filenames
+ - Added support for AFL_EXIT_WHEN_DONE
+
+-------------------------------------------------------------------
+Mon May 25 07:43:23 UTC 2015 - astieger@suse.com
+
+- afl 1.79b:
+ - Added support for dictionary levels, see testcases/README.testcases.
+ - Reworked the SQL dictionary to use levels.
+ - Added a note about Preeny.
+
+-------------------------------------------------------------------
+Tue May 19 07:26:27 UTC 2015 - astieger@suse.com
+
+- builds for i586 x86_64 only
+
+-------------------------------------------------------------------
Old:
----
afl-1.78b.tgz
New:
----
afl-1.80b.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.b5lpOL/_old 2015-06-02 10:11:51.000000000 +0200
+++ /var/tmp/diff_new_pack.b5lpOL/_new 2015-06-02 10:11:51.000000000 +0200
@@ -17,7 +17,7 @@
Name: afl
-Version: 1.78b
+Version: 1.80b
Release: 0
Summary: American fuzzy lop is a security-oriented fuzzer
License: Apache-2.0
@@ -28,6 +28,7 @@
Patch1: afl-1.58b-fix-paths.patch
BuildRequires: gcc-c++
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+ExclusiveArch: i586 x86_64
%description
American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road.
++++++ afl-1.78b.tgz -> afl-1.80b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/Makefile new/afl-1.80b/Makefile
--- old/afl-1.78b/Makefile 2015-05-17 22:42:05.000000000 +0200
+++ new/afl-1.80b/Makefile 2015-05-26 07:20:29.000000000 +0200
@@ -14,7 +14,7 @@
#
PROGNAME = afl
-VERSION = 1.78b
+VERSION = 1.80b
PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin
@@ -104,8 +104,8 @@
.NOTPARALLEL: clean
clean:
- rm -f $(PROGS) as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.2.0.tar.bz2 afl-qemu-trace
- rm -rf out_dir qemu_mode/qemu-2.2.0
+ rm -f $(PROGS) as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
+ rm -rf out_dir qemu_mode/qemu-2.3.0
$(MAKE) -C llvm_mode clean
install: all
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/afl-cmin new/afl-1.80b/afl-cmin
--- old/afl-1.78b/afl-cmin 2015-04-08 07:35:08.000000000 +0200
+++ new/afl-1.80b/afl-cmin 2015-05-24 05:01:18.000000000 +0200
@@ -297,18 +297,18 @@
if [ "$STDIN_FILE" = "" ]; then
- for fn in `ls "$IN_DIR"`; do
+ while read -r fn; do
CUR=$((CUR+1))
printf "\\r Processing file $CUR/$IN_COUNT... "
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
- done
+ done < <(ls "$IN_DIR")
else
- for fn in `ls "$IN_DIR"`; do
+ while read -r fn; do
CUR=$((CUR+1))
printf "\\r Processing file $CUR/$IN_COUNT... "
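Review bot: `while read -r fn; do` at the top of this hunk (and its twin in the else branch below, plus the `ls -rS` loop in the hunk at -358) still strips leading and trailing whitespace from each name, because `read` splits on IFS; files whose names begin or end with a space are therefore still not found, which is the case this change set out to fix. Use `while IFS= read -r fn; do` in all three loops. The `done < <(ls "$IN_DIR")` process substitution is bash-only, so the interpreter line (outside this hunk) has to be bash rather than sh — presumably it already is, but worth confirming. A subtler consequence of the new loop shape: any command inside it that does not redirect its own stdin now inherits the `ls` listing; the if-branch afl-showmap call redirects via `<"$IN_DIR/$fn"`, but the else-branch call visible at the -317 hunk does not, so if afl-showmap or the target reads stdin it can swallow the remaining file names — appending `</dev/null` to that command guards it. The else branch's body continues past the end of this hunk.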
@@ -317,7 +317,7 @@
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" "$TRACE_DIR/.all_uniq"
TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
@@ -358,14 +358,14 @@
CUR=0
-for fn in `ls -rS "$IN_DIR"`; do
+while read -r fn; do
CUR=$((CUR+1))
printf "\\r Processing file $CUR/$IN_COUNT... "
sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
-done
+done < <(ls -rS "$IN_DIR")
echo
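Review bot: The unchanged `sed "s#\$# $fn#"` line in this loop interpolates the file name into a sed replacement, so a name containing `#`, `&` or `\` (and now, after this change, the spaces this commit set out to tolerate) is either mangled or breaks the expression, corrupting `.candidate_list`; it is safer to append the name without sed interpretation, e.g. `fn="$fn" awk '{ print $0 " " ENVIRON["fn"] }' "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"`. The consumer of `.candidate_list` is outside this hunk; if it splits each line on whitespace to recover the file name, a name with spaces is still truncated there and the same loop needs a delimiter that cannot occur in names (a tab, say), so that part of the script should be checked before calling the feature complete. The enclosing script section continues beyond this hunk.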
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/afl-fuzz.c new/afl-1.80b/afl-fuzz.c
--- old/afl-1.78b/afl-fuzz.c 2015-05-17 22:34:04.000000000 +0200
+++ new/afl-1.80b/afl-fuzz.c 2015-05-24 04:15:53.000000000 +0200
@@ -1355,7 +1355,8 @@
/* Read extras from a file, sort by size. */
-static void load_extras_file(u8* fname, u32* min_len, u32* max_len) {
+static void load_extras_file(u8* fname, u32* min_len, u32* max_len,
+ u32 dict_level) {
FILE* f;
u8 buf[MAX_LINE];
@@ -1399,6 +1400,16 @@
while (isalnum(*lptr) || *lptr == '_') lptr++;
+ /* If @number follows, parse that. */
+
+ if (*lptr == '@') {
+
+ lptr++;
+ if (atoi(lptr) > dict_level) continue;
+ while (isdigit(*lptr)) lptr++;
+
+ }
+
/* Skip whitespace and = signs. */
while (isspace(*lptr) || *lptr == '=') lptr++;
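Review bot: The new `@number` branch parses the level with `atoi()`, which cannot report errors: an entry such as `keyword@x = "..."` yields 0 (loaded at every level) and leaves `lptr` pointing at `x`, so the malformed suffix silently falls through into the `=` skipping below instead of being rejected, and a negative value compares as a huge unsigned number against `u32 dict_level` and is dropped without explanation. Parsing with `strtoul()` and checking the end pointer gives a definite error for a bad suffix and advances `lptr` in one step, removing the separate `isdigit` loop. The enclosing `load_extras_file()` starts and ends outside this hunk.
```c
      /* If @number follows, parse that. */

      if (*lptr == '@') {

        char* end;
        unsigned long lvl = strtoul((char*)lptr + 1, &end, 10);

        /* '@' with no digits after it is a malformed entry, not level 0. */
        if (end == (char*)lptr + 1)
          FATAL("Malformed '@level' suffix in dictionary entry.");

        lptr = (u8*)end;
        if (lvl > dict_level) continue;

      }
```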
@@ -1485,16 +1496,26 @@
DIR* d;
struct dirent* de;
- u32 min_len = MAX_DICT_FILE, max_len = 0;
+ u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
+ u8* x;
+
+ /* If the name ends with @, extract level and continue. */
- ACTF("Loading extra dictionary from '%s'...", dir);
+ if ((x = strchr(dir, '@'))) {
+
+ *x = 0;
+ dict_level = atoi(x + 1);
+
+ }
+
+ ACTF("Loading extra dictionary from '%s' (level %u)...", dir, dict_level);
d = opendir(dir);
if (!d) {
if (errno == ENOTDIR) {
- load_extras_file(dir, &min_len, &max_len);
+ load_extras_file(dir, &min_len, &max_len, dict_level);
goto check_and_sort;
}
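Review bot: `strchr(dir, '@')` splits at the first `@`, so a dictionary path with `@` in a directory component (`/home/user@host/sql.dict@1`, say) is truncated to `/home/user` and the rest is handed to `atoi()`; `if ((x = strrchr(dir, '@'))) {` at least takes the trailing suffix, and the level itself should be parsed with `strtoul()` and an end-pointer check so that `sql.dict@foo` is an error rather than level 0. Note also that `*x = 0` writes into the caller's buffer — presumably the `-x` argument string — which is why the truncated name appears in every later message, including the `opendir()` failure path that continues outside this hunk; if the suffix turns out not to be numeric, restoring the `@` before reporting would keep that message accurate. The enclosing function starts and ends outside this hunk.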
@@ -1502,6 +1523,8 @@
}
+ if (x) FATAL("Dictinary levels not supported for directories.");
+
while ((de = readdir(d))) {
struct stat st;
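Review bot: The new FATAL message misspells "Dictionary"; it should read `if (x) FATAL("Dictionary levels not supported for directories.");`. Because the level suffix has already been stripped from `dir` by the time `opendir()` runs (previous hunk), this check could also sit before the `opendir()` call so that a directory path with a level suffix is rejected without opening the directory first. The enclosing function starts and ends outside this hunk.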
@@ -3694,7 +3717,13 @@
if (cycles_wo_finds < 3) strcpy(tmp, cYEL); else
/* No finds for a long time and no test cases to try. */
- if (cycles_wo_finds > 20 && !pending_not_fuzzed) strcpy(tmp, cLGN);
+
+ if (cycles_wo_finds > 20 && !pending_not_fuzzed) {
+
+ strcpy(tmp, cLGN);
+ if (getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 1;
+
+ }
/* Default: cautiously OK to stop? */
else strcpy(tmp, cLBL);
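Review bot: `getenv("AFL_EXIT_WHEN_DONE")` is evaluated on every stats refresh that reaches this branch, and the variable's value is ignored, so `AFL_EXIT_WHEN_DONE=0` also triggers the exit; reading it once at startup into a file-scope flag, alongside the other `AFL_*` switches (outside this hunk), and testing `if (exit_when_done) stop_soon = 1;` here is cheaper and makes the presence-only semantics explicit in one place. That semantics matches the other AFL_ switches described in env_variables.txt, but the new doc paragraph there does not say so, and automated jobs are the stated use case, so it is worth a sentence. The enclosing UI function starts and ends outside this hunk.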
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/docs/ChangeLog new/afl-1.80b/docs/ChangeLog
--- old/afl-1.78b/docs/ChangeLog 2015-05-17 22:44:25.000000000 +0200
+++ new/afl-1.80b/docs/ChangeLog 2015-05-26 07:21:17.000000000 +0200
@@ -17,6 +17,25 @@
to get on with the times.
--------------
+Version 1.80b:
+--------------
+
+ - Made afl-cmin tolerant of whitespaces in filenames. Suggested by
+ Jonathan Neuschafer and Ketil Froyn.
+
+ - Added support for AFL_EXIT_WHEN_DONE, as suggested by Michael Rash.
+
+--------------
+Version 1.79b:
+--------------
+
+ - Added support for dictionary levels, see testcases/README.testcases.
+
+ - Reworked the SQL dictionary to use levels.
+
+ - Added a note about Preeny.
+
+--------------
Version 1.78b:
--------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/docs/README new/afl-1.80b/docs/README
--- old/afl-1.78b/docs/README 2015-05-17 22:35:00.000000000 +0200
+++ new/afl-1.80b/docs/README 2015-05-20 22:50:29.000000000 +0200
@@ -385,7 +385,8 @@
- There is no direct support for fuzzing network services, background
daemons, or interactive apps that require UI interaction to work. You may
need to make simple code changes to make them behave in a more traditional
- way.
+ way. Preeny may offer a relatively simple option, too - see:
+ https://github.com/zardus/preeny
- AFL doesn't output human-readable coverage data. If you want to monitor
coverage, use afl-cov from Michael Rash: https://github.com/mrash/afl-cov
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/docs/env_variables.txt new/afl-1.80b/docs/env_variables.txt
--- old/afl-1.78b/docs/env_variables.txt 2015-04-28 06:53:57.000000000 +0200
+++ new/afl-1.80b/docs/env_variables.txt 2015-05-24 04:16:53.000000000 +0200
@@ -102,6 +102,11 @@
multi-threaded apps (but depriving you of a potentially useful signal
in more orderly programs).
+ - AFL_EXIT_WHEN_DONE causes afl-fuzz to terminate when all existing paths
+ have been fuzzed and there were no new finds for a while. This would be
+ normally indicated by the cycle counter in the UI turning green. May be
+ convenient for some types of automated jobs.
+
- When developing custom instrumentation on top of afl-fuzz, you can use
AFL_SKIP_BIN_CHECK to inhibit the checks for non-instrumented binaries
and shell scripts; and AFL_DUMB_FORKSRV in conjunction with the -n
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/docs/sister_projects.txt new/afl-1.80b/docs/sister_projects.txt
--- old/afl-1.78b/docs/sister_projects.txt 2015-05-08 22:14:00.000000000 +0200
+++ new/afl-1.80b/docs/sister_projects.txt 2015-05-20 22:49:46.000000000 +0200
@@ -52,6 +52,19 @@
http://llvm.org/docs/LibFuzzer.html
+----------------
+Network fuzzing:
+----------------
+
+Preeny (Yan Shoshitaishvili)
+----------------------------
+
+ Provides a fairly simple way to convince dynamically linked network-centric
+ programs to read from a file or not fork. Not AFL-specific, but described as
+ useful by many users. Some assembly required.
+
+ https://github.com/zardus/preeny
+
----------------------------------------
Crash triage and other helper utilities:
----------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/experimental/README.experiments new/afl-1.80b/experimental/README.experiments
--- old/afl-1.78b/experimental/README.experiments 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.80b/experimental/README.experiments 2015-04-30 06:46:48.000000000 +0200
@@ -0,0 +1,39 @@
+Here's a quick overview of the stuff you can find in this directory:
+
+ - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed
+ (e.g., to test setuid programs).
+
+ - asan_cgroups - a contributed script to simplify fuzzing ASAN
+ binaries with robust memory limits on Linux.
+
+ - bash_shellshock - a simple hack used to find a bunch of
+ post-Shellshock bugs in bash.
+
+ - canvas_harness - a test harness used to find browser bugs with a
+ corpus generated using simple image parsing
+ binaries & afl-fuzz.
+
+ - clang_asm_normalize - a script that makes it easy to instrument
+ hand-written assembly, provided that you have clang.
+
+ - crash_triage - a very rudimentary example of how to annotate crashes
+ with additional gdb metadata.
+
+ - distributed_fuzzing - a sample script for synchronizing fuzzer instances
+ across multiple machines (see parallel_fuzzing.txt).
+
+ - instrumented_cmp - an experiment showing how a custom memcmp() or
+ strcmp() can be used to work around one of the
+ limitations of afl-fuzz.
+
+ - libpng_no_checksum - a sample patch for removing CRC checks in libpng.
+
+ - post_library - an example of how to build postprocessors for AFL.
+
+Note that the minimize_corpus.sh tool has graduated from the experimental/
+directory and is now available as ../afl-cmin. The LLVM mode has likewise
+graduated to ../llvm_mode/*.
+
+Most of the tools in this directory are meant chiefly as examples that need to
+be tweaked for your specific needs. They come with some basic documentation,
+but are not necessarily production-grade.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/experimental/experiments_readme.txt new/afl-1.80b/experimental/experiments_readme.txt
--- old/afl-1.78b/experimental/experiments_readme.txt 2015-04-30 06:46:48.000000000 +0200
+++ new/afl-1.80b/experimental/experiments_readme.txt 1970-01-01 01:00:00.000000000 +0100
@@ -1,39 +0,0 @@
-Here's a quick overview of the stuff you can find in this directory:
-
- - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed
- (e.g., to test setuid programs).
-
- - asan_cgroups - a contributed script to simplify fuzzing ASAN
- binaries with robust memory limits on Linux.
-
- - bash_shellshock - a simple hack used to find a bunch of
- post-Shellshock bugs in bash.
-
- - canvas_harness - a test harness used to find browser bugs with a
- corpus generated using simple image parsing
- binaries & afl-fuzz.
-
- - clang_asm_normalize - a script that makes it easy to instrument
- hand-written assembly, provided that you have clang.
-
- - crash_triage - a very rudimentary example of how to annotate crashes
- with additional gdb metadata.
-
- - distributed_fuzzing - a sample script for synchronizing fuzzer instances
- across multiple machines (see parallel_fuzzing.txt).
-
- - instrumented_cmp - an experiment showing how a custom memcmp() or
- strcmp() can be used to work around one of the
- limitations of afl-fuzz.
-
- - libpng_no_checksum - a sample patch for removing CRC checks in libpng.
-
- - post_library - an example of how to build postprocessors for AFL.
-
-Note that the minimize_corpus.sh tool has graduated from the experimental/
-directory and is now available as ../afl-cmin. The LLVM mode has likewise
-graduated to ../llvm_mode/*.
-
-Most of the tools in this directory are meant chiefly as examples that need to
-be tweaked for your specific needs. They come with some basic documentation,
-but are not necessarily production-grade.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/testcases/README.testcases new/afl-1.80b/testcases/README.testcases
--- old/afl-1.78b/testcases/README.testcases 2015-05-08 08:38:42.000000000 +0200
+++ new/afl-1.80b/testcases/README.testcases 2015-05-20 22:19:44.000000000 +0200
@@ -57,5 +57,15 @@
The fuzzer auto-selects the appropriate mode depending on whether the -x
parameter is a file or a directory.
+In the file mode, every name field can be optionally followed by @<num>, e.g.:
+
+ keyword_foo@1 = "foo"
+
+Such entries will be loaded only if the requested dictionary level is equal or
+higher than this number. The default level is zero; a higher value can be set
+by appending @<num> to the dictionary file name, like so:
+
+ -x path/to/dictionary.dct@2
+
Good examples of dictionaries can be found in _extras/xml.dict and
_extras/png.dict.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.78b/testcases/_extras/sql.dict new/afl-1.80b/testcases/_extras/sql.dict
--- old/afl-1.78b/testcases/_extras/sql.dict 2015-05-06 05:39:27.000000000 +0200
+++ new/afl-1.80b/testcases/_extras/sql.dict 2015-05-20 22:22:09.000000000 +0200
@@ -5,6 +5,12 @@
# Modeled based on SQLite documentation, contains some number of SQLite
# extensions. Other dialects of SQL may benefit from customized dictionaries.
#
+# If you append @1 to the file name when loading this dictionary, afl-fuzz
+# will also additionally load a selection of pragma keywords that are very
+# specific to SQLite (and are probably less interesting from the security
+# standpoint, because they are usually not allowed in non-privileged
+# contexts).
+#
# Created by Michal Zalewski